More detailed information on what the attack is and how it works is here.
I will focus only on fixing the problem. On RHEL server 5.x and 6.x the easy way is to simply disable SSL compression.
In newer Apache versions this can be done with the directive "SSLCompression off".
But on RHEL this will not work and you will get the following error:
"Invalid command 'SSLCompression', perhaps misspelled or defined by a module not included in the server configuration"
As described on the RHEL support site, the way to do it is:
Add the line "export OPENSSL_NO_DEFAULT_ZLIB=1" to /etc/sysconfig/httpd (which the httpd init script sources) and then restart the service, like:
# echo "export OPENSSL_NO_DEFAULT_ZLIB=1" >> /etc/sysconfig/httpd
# service httpd restart

To test, run sslyze before and after implementing the fix. Before the fix:
$ ./sslyze.py --compression webserver1 | grep "Compression Support:"
Compression Support: Enabled (zlib compression)
After the fix (and the restart):
$ ./sslyze.py --compression webserver1 | grep "Compression Support:"
Compression Support: Disabled
sslyze.py can be downloaded from here
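As an added example (not from the original post), here is a small POSIX shell script that applies the fix idempotently, so re-running it never duplicates the export line, and parses the compression status from either sslyze's "Compression Support:" line or the "Compression:" line that `openssl s_client` prints. The sysconfig path, the hostname and the `apply`/`check` sub-commands are assumptions for this example.

```shell
#!/bin/sh
# Example script (not from the original post): disable OpenSSL zlib
# compression for httpd on RHEL 5.x/6.x and check the result.
# Assumed path; override with HTTPD_SYSCONFIG=/path ./fix-ssl-compression.sh apply
HTTPD_SYSCONFIG="${HTTPD_SYSCONFIG:-/etc/sysconfig/httpd}"
EXPORT_LINE='export OPENSSL_NO_DEFAULT_ZLIB=1'

# Append the export line only if an identical line is not already present,
# so the script is safe to run from configuration management repeatedly.
ensure_no_zlib() {
    file="$1"
    grep -qx "$EXPORT_LINE" "$file" 2>/dev/null && return 0
    printf '%s\n' "$EXPORT_LINE" >> "$file"
}

# Read scanner output on stdin and print "enabled", "disabled" or "unknown".
# Understands both "Compression Support: Enabled (zlib compression)" (sslyze)
# and "Compression: NONE" / "Compression: zlib compression" (openssl s_client).
compression_state() {
    awk -F': *' '
        /^ *Compression( Support)?:/ {
            state = ($2 ~ /^(NONE|Disabled)/) ? "disabled" : "enabled"
            found = 1
        }
        END { print (found ? state : "unknown") }'
}

# Probe a live server with openssl s_client (hostname is an assumption).
check_server() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" </dev/null 2>/dev/null | compression_state
}

# Sub-commands are an assumption of this example; with no argument it only
# defines the functions above.
case "${1:-}" in
    apply) ensure_no_zlib "$HTTPD_SYSCONFIG" && service httpd restart ;;
    check) check_server "${2:-webserver1}" ;;
esac
```

After `apply`, `check` should print "disabled"; a result of "unknown" means the handshake failed or the output format was not recognised, so treat it as a failed verification rather than a pass.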
