Recommendation: Upgrade to the latest httpd 2.2.X version and use the directive "SSLCompression off" (which is the default in the latest version anyway).On Fri, Sep 12, 2014 at 6:03 PM, muthamilan Sargunaanandan <muthamilan@xxxxxxxxx> wrote:+ I'm using windows2008R2 64bit OSOn Fri, Sep 12, 2014 at 5:53 PM, muthamilan Sargunaanandan <muthamilan@xxxxxxxxx> wrote:Hello SMEs,I'm having a Apache version httpd-2.2.22-win32-x86-openssl-0.9.8t.As per Vulnerability report, Compression algorithms should be disabled.Please help me , how to disable it.Thanks in AdvanceRegardsMuthu
Alternative, using your level of httpd and OpenSSL: It MAY be possible to disable compression with the the environment variable setting OPENSSL_NO_DEFAULT_ZLIB=yes, but I'm not 100% sure that OpenSSL 0.9.8t supports that (check the source or change log???), and Windows environment variable configuration is perhaps error prone depending on how you run httpd. If you try this, figure out how to use openssl s_client to check for server compression support with/without the environment variable setting.
|