Environment
NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 Access Gateway
Apache Security vulnerability reported CVE-2012-4929
Apache security patch for CRIME attack
SSL compression issues with Access Gateway
Situation
CVE-2012-4929 describes hijacking SSL sessions through a flaw in SSL compression. It is a browser-related issue, but many back-end servers have also fixed it, including Apache. The Apache documentation at http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcompression gives details on the SSLCompression directive:

SSLCompression Directive
Description: Disallow compression on the SSL level
Syntax: SSLCompression on|off
Default: SSLCompression on
Context: server config, virtual host
Status: Extension
Module: mod_ssl
Compatibility: Available in httpd 2.2.24 and later, if using OpenSSL 0.9.8 or later; virtual host scope available if using OpenSSL 1.0.0 or later

The Apache defect shows that the directive is available in 2.2.24, but that it was also ported back to the 2.2.22 build. Does the Access Gateway include this fix?
Resolution
Apply Access Manager 3.2 Support Pack 2 and enable the following Global Advanced Option:
SSLCompression off
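One way to confirm that the option took effect, shown as an added example that is not part of the original article or of NetIQ's tooling: classify the "Compression:" line that `openssl s_client` prints after the handshake. The names tls_compression_status and check_gateway and both sample outputs are constructed for illustration; the check assumes the openssl client you run offers TLS compression itself, since a client built without it reports NONE whatever the server allows.

```shell
#!/bin/sh
# Added example: classify TLS-level compression from `openssl s_client` output.
# Reads s_client output on stdin and prints one of:
#   disabled | enabled:<method> | unknown
tls_compression_status() {
    awk '
        # Handshake summary line, e.g. "Compression: NONE" or
        # "Compression: zlib compression". The indented "Compression:"
        # line inside the SSL-Session block does not match the anchor.
        /^Compression:/ {
            sub(/^Compression:[ \t]*/, "")
            sub(/[ \t\r]+$/, "")
            result = ($0 == "NONE") ? "disabled" : "enabled:" $0
            found = 1
            exit
        }
        # No summary line at all (connection refused, handshake failure).
        END { print (found ? result : "unknown") }
    '
}

# Hypothetical helper: run the live check against host:port.
check_gateway() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null | tls_compression_status
}

# Constructed sample output: compression still negotiated (SSLCompression on).
SAMPLE_BEFORE='Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Compression: 1 (zlib compression)'

# Constructed sample output: after SSLCompression off.
SAMPLE_AFTER='Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1'

# Usage: sh script.sh gateway.example.com:443
if [ "$#" -gt 0 ]; then
    check_gateway "$1"
fi
```

A result of "unknown" means no handshake summary was printed, so treat it as a failed check and not as proof that compression is off.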