Re: SSL CRIME


On 24.09.2012 at 23:49, Johnny Hughes wrote:
> On 09/24/2012 06:07 AM, Markus Falb wrote:
>> Hi,
>> Some of you have heard of CRIME, probably.
>> 
>> from https://bugzilla.redhat.com/show_bug.cgi?id=857051
>>> Adding the following line to the /etc/sysconfig/httpd file:
>>> 
>>>  export OPENSSL_NO_DEFAULT_ZLIB=1
>> But there are other services but http that use ssl and are vulnerable?
>> What is the optimal place for setting this environment variable system wide?
>> 
>> I tried to set it in
>> /etc/profile.d/CRIME.sh
>> /etc/bashrc
>> without success.
> 
> The setting only matters if programs look for it and do something with
> it ... so you would need to set it for the user that starts whatever
> service you are trying to protect, if that daemon actually uses the
> variable.
> 
> Just because a variable does something in httpd, that does not mean the
> same variable means the same thing to sshd or any other daemon.




It's in openssl itself (rhel5/6)

http://pkgs.fedoraproject.org/cgit/openssl.git/tree/openssl-0.9.8j-env-nozlib.patch?id=1d20b5f2

IMO, the same above would also apply for e.g. /etc/sysconfig/ldap ...

--
LF

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
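
An added example, not part of the original thread or of the Red Hat patch: one way to check whether OPENSSL_NO_DEFAULT_ZLIB actually reached a running daemon, whichever file it was set in. It lists every process that has libssl mapped and whether the variable is present in its start-up environment; the function name `check_nozlib` and its optional proc-root argument are assumptions made for this example.

```shell
#!/bin/bash
# Added example: report, for each process that maps libssl, whether
# OPENSSL_NO_DEFAULT_ZLIB is present in the environment it was started with.
# Output: one line per process, "PID<TAB>NAME<TAB>set|unset".
# Run as root to see processes owned by other users.
# Usage: check_nozlib            (inspects /proc)
#        check_nozlib /some/dir  (hypothetical alternate root, used for testing)

check_nozlib() {
    local proc_root="${1:-/proc}" dir pid name state
    for dir in "$proc_root"/[0-9]*; do
        # Skip processes we cannot read (or a glob that matched nothing).
        [ -r "$dir/maps" ] && [ -r "$dir/environ" ] || continue
        # Only processes that have libssl mapped are of interest.
        grep -q 'libssl' "$dir/maps" 2>/dev/null || continue
        pid="${dir##*/}"
        # The process name is on the "Name:" line of /proc/<pid>/status.
        name="$(awk '/^Name:/ {print $2; exit}' "$dir/status" 2>/dev/null)" || name='?'
        [ -n "$name" ] || name='?'
        # environ is NUL-separated; convert to one variable per line.
        # It reflects the environment at exec time, which is where a value
        # exported from /etc/sysconfig/<service> ends up.
        if tr '\0' '\n' < "$dir/environ" 2>/dev/null |
               grep -q '^OPENSSL_NO_DEFAULT_ZLIB='; then
            state="set"
        else
            state="unset"
        fi
        printf '%s\t%s\t%s\n' "$pid" "$name" "$state"
    done
}
```

A process reported as `unset` was started without the variable in its environment and needs it exported by whatever starts that service, followed by a restart.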

