The Community Forums (cPanel & WHM)

TLS Crime and Apache 2.2.x

Discussion in 'EasyApache' started by beddo, Nov 25, 2012.

  1. beddo (Well-Known Member; Location: England; cPanel Access Level: DataCenter Provider)

    Hi folks,

    Our cPanel servers are failing PCI compliance due to the TLS CRIME vulnerability. We've got away with it for a bit and I've been watching to see if anyone mentions it on here.

    So far nothing. We can't wait for Apache 2.4.x as I imagine that is a way off. Apache 2.2.24 gives a workaround that can be implemented, but I can't see any sign of 2.2.24 being implemented.

    I went to try and post in the Feature Requests forum but the post button disappears when I go over there.

    So, when are we likely to see Apache 2.2.24, and does anyone have any other workarounds for TLS CRIME? So far the only other suggestion I have seen is to recompile OpenSSL without zlib support, which I'd rather not get into...

    All the best,
    Colin.
     
  2. cPanelKenneth (cPanel Development, Staff Member; cPanel Access Level: Root Administrator)

    Colin,

    Thank you for bringing this to our attention. At this time Apache 2.2.24 is not available to the public (at least it's not on httpd.apache.org). A patch was provided that works against Apache 2.4 and we will work on making this available to Apache 2.2.23. We will work on making this fix available in an upcoming EasyApache maintenance release.
     
  3. nospa (Well-Known Member; cPanel Access Level: Reseller Owner)

    Hi

    I don't see this patch in EasyApache 3.16.3; am I right that it was not implemented in version 3.16.3?
     
  4. GIANT_CRAB (Well-Known Member; cPanel Access Level: Root Administrator)

    *necro and bump*

    Hello,

    When will this fix be implemented?

    We need a fix soon please.
     
  5. rlaager (Registered; cPanel Access Level: DataCenter Provider)

    Debian has a backported patch, if that helps. Grab the .debian.tar.gz linked from the package page (Debian -- Details of package apache2 in sid) and look at debian/patches/disable-ssl-compression.patch.

    For those using cPanel who want a fix now, add this to /usr/local/apache/bin/envvars and restart Apache:
    export OPENSSL_NO_DEFAULT_ZLIB=1

    That will disable TLS compression, which is where the issue lies. After that change, ssllabs.com is happy with my cPanel server. I assume that file will get overwritten on upgrades, so keep that in mind.
     