Hi,

Some of you have heard of CRIME, probably.

From https://bugzilla.redhat.com/show_bug.cgi?id=857051

> Adding the following line to the /etc/sysconfig/httpd file:
>
> export OPENSSL_NO_DEFAULT_ZLIB=1

But there are other services besides http that use SSL and are vulnerable?
What is the optimal place for setting this environment variable system wide?

I tried to set it in
/etc/profile.d/CRIME.sh
/etc/bashrc
without success.

--
Kind Regards, Markus Falb
On 24.09.2012 at 13:07, Markus Falb wrote:

> Hi,
> Some of you have heard of CRIME, probably.
>
> from https://bugzilla.redhat.com/show_bug.cgi?id=857051
>> Adding the following line to the /etc/sysconfig/httpd file:
>>
>> export OPENSSL_NO_DEFAULT_ZLIB=1
>
> But there are other services but http that use ssl and are vulnerable?
> What is the optimal place for setting this environment variable system wide?
>
> I tried to set it in
> /etc/profile.d/CRIME.sh
> /etc/bashrc
> without success.

The corresponding patch mentioned in the bz above could be adapted and the openssl package recompiled.

--
LF
> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Markus Falb
> Sent: Monday, September 24, 2012 7:07 AM
> To: centos at centos.org
> Subject: [CentOS] SSL CRIME
>
> Hi,
> Some of you have heard of CRIME, probably.
>
> from https://bugzilla.redhat.com/show_bug.cgi?id=857051
>> Adding the following line to the /etc/sysconfig/httpd file:
>>
>> export OPENSSL_NO_DEFAULT_ZLIB=1
>
> But there are other services but http that use ssl and are vulnerable?
> What is the optimal place for setting this environment variable system wide?
>
> I tried to set it in
> /etc/profile.d/CRIME.sh
> /etc/bashrc
> without success.

What about placing it in the /etc/rc.d/rc.local file?

Al McCann
---
My computer was sold to me by Mad Man Muntz.
On 09/24/2012 06:07 AM, Markus Falb wrote:

> Hi,
> Some of you have heard of CRIME, probably.
>
> from https://bugzilla.redhat.com/show_bug.cgi?id=857051
>> Adding the following line to the /etc/sysconfig/httpd file:
>>
>> export OPENSSL_NO_DEFAULT_ZLIB=1
> But there are other services but http that use ssl and are vulnerable?
> What is the optimal place for setting this environment variable system wide?
>
> I tried to set it in
> /etc/profile.d/CRIME.sh
> /etc/bashrc
> without success.

The setting only matters if programs look for it and do something with it ... so you would need to set it for the user that starts whatever service you are trying to protect, if that daemon actually uses the variable.

Just because a variable does something in httpd, that does not mean the same variable means the same thing to sshd or any other daemon.
On 24.09.2012 at 23:49, Johnny Hughes wrote:

> On 09/24/2012 06:07 AM, Markus Falb wrote:
>> Hi,
>> Some of you have heard of CRIME, probably.
>>
>> from https://bugzilla.redhat.com/show_bug.cgi?id=857051
>>> Adding the following line to the /etc/sysconfig/httpd file:
>>>
>>> export OPENSSL_NO_DEFAULT_ZLIB=1
>> But there are other services but http that use ssl and are vulnerable?
>> What is the optimal place for setting this environment variable system wide?
>>
>> I tried to set it in
>> /etc/profile.d/CRIME.sh
>> /etc/bashrc
>> without success.
>
> The setting only matters if programs look for it and do something with
> it ... so you would need to set it for the user that starts whatever
> service you are trying to protect, if that daemon actually uses the
> variable.
>
> Just because a variable does something in httpd, that does not mean the
> same variable means the same thing to sshd or any other daemon.

It's in openssl itself (rhel5/6):
http://pkgs.fedoraproject.org/cgit/openssl.git/tree/openssl-0.9.8j-env-nozlib.patch?id=1d20b5f2

IMO, the same as above would also apply for e. g. /etc/sysconfig/ldap ...

--
LF
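The point made above is that the variable only helps if it is present in the environment of the daemon process itself, wherever it was exported from. The following added shell check (not from the thread or from any of its posters) verifies exactly that for a running process by reading /proc/PID/environ on Linux; the function and daemon names are the example's own.

```shell
#!/bin/sh
# Added example: audit whether a running process actually carries
# OPENSSL_NO_DEFAULT_ZLIB in its environment. Reading another user's
# /proc/<pid>/environ normally requires root.

# Returns 0 if the process's environment contains OPENSSL_NO_DEFAULT_ZLIB
# (any value), 1 otherwise or if the process cannot be inspected.
has_no_default_zlib() {
    pid="$1"
    # environ is NUL-separated; turn it into one variable per line
    tr '\0' '\n' < "/proc/$pid/environ" 2>/dev/null \
        | grep -q '^OPENSSL_NO_DEFAULT_ZLIB='
}

# Report every process whose command name is $1 (e.g. httpd, slapd),
# so a setting that reached the shell but not the service shows up.
report_daemon() {
    name="$1"
    found=0
    for pid in $(pgrep -x "$name" 2>/dev/null); do
        found=1
        if has_no_default_zlib "$pid"; then
            echo "$name pid $pid: OPENSSL_NO_DEFAULT_ZLIB is set"
        else
            echo "$name pid $pid: OPENSSL_NO_DEFAULT_ZLIB NOT in environment"
        fi
    done
    [ "$found" -eq 1 ] || echo "$name: no running process found"
}
```

Run `report_daemon httpd` (or slapd) after restarting the service to confirm the export in its sysconfig file took effect.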