On 25.9.2012 00:37, Leon Fauster wrote: > Am 24.09.2012 um 23:49 schrieb Johnny Hughes: >> On 09/24/2012 06:07 AM, Markus Falb wrote: >>> Hi, >>> Some of you have heard of CRIME, probably. >>> >>> from https://bugzilla.redhat.com/show_bug.cgi?id=857051 >>>> Adding the following line to the /etc/sysconfig/httpd file: >>>> >>>> export OPENSSL_NO_DEFAULT_ZLIB=1 >>> But there are other services but http that use ssl and are vulnerable? >>> What is the optimal place for setting this environment variable system wide? >>> >>> I tried to set it in >>> /etc/profile.d/CRIME.sh >>> /etc/bashrc >>> without success. >> >> The setting only matters if programs look for it and do something with >> it ... so you would need to set it for the user that starts whatever >> service you are trying to protect, if that daemon actually uses the >> variable. >> >> Just because a variable does something in httpd, that does not mean the >> same variable means the same thing to sshd or any other daemon. > > > > > its in openssl itself (rhel5/6) > > http://pkgs.fedoraproject.org/cgit/openssl.git/tree/openssl-0.9.8j-env-nozlib.patch?id=1d20b5f2 > > IMO, the same above would also apply for e. g. /etc/sysconfig/ldap ... That was my understanding too. And instead of fixing X services I would like to fix it for all services at once in one central location. One could do it in /etc/init.d/functions maybe, but I doubt that it would survive an update of initscripts. Now that ssl compression got security relevant, maybe the openssl default should be changed. Default off, enabled only explicit. Leon, I know you suggested building a custom openssl package in an earlier message, but to be honest, I am not very enthusiastic about maintaining my own openssl. Maybe an upstream bugzilla should be filed. Another related question: What services are vulnerable to CRIME or the concepts behind CRIME and what services are not. Everyone is only talking about http. For example I think that smtp is not vulnerable if it does not support smtp auth, or maybe ftp is not vulnerable because it does a separate data channel, and so on... -- Kind Regards, Markus Falb
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos
