How to disable SSL compression with Access Gateway

  • 7014254
  • 10-Dec-2013
  • 10-Dec-2013

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 Access Gateway
Apache Security vulnerability reported CVE-2012-4929
Apache security patch for CRIME attack
SSL compression issues with Access Gateway

Situation

CVE-2012-4929 describes hijacking SSL sessions due to a flaw with SSL
compression. It is a browser-related issue, but many back-end servers have also
fixed it, including Apache. The Apache documentation at
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcompression gives
details on the SSLCompression directive:

SSLCompression Directive
Description:    Disallow compression on the SSL level
Syntax:    SSLCompression on|off
Default:    SSLCompression on
Context:    server config, virtual host
Status:    Extension
Module:    mod_ssl
Compatibility:    Available in httpd 2.2.24 and later, if using OpenSSL 0.9.8
or later; virtual host scope available if using OpenSSL 1.0.0 or later

The Apache defect shows that the fix is available in 2.2.24, but that it was
also backported to the 2.2.22 build. Does the Access Gateway include this fix?

Resolution

Apply Access Manager 3.2 Support Pack 2 and enable the following Global Advanced Option:

SSLCompression off
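
To confirm the option took effect, check the "Compression:" line that openssl s_client prints after the handshake. The script below is an added example, not NetIQ or Apache code; the function names, the host name and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example, not NetIQ or Apache code.

# Classify the first "Compression:" line of `openssl s_client` output on stdin.
# Prints: disabled | enabled:<method> | unknown (no handshake summary seen).
compression_status() {
    awk -F': *' '
        /^[ \t]*Compression:/ {
            seen = 1
            method = $2
            sub(/[ \t\r]+$/, "", method)
            if (toupper(method) == "NONE") print "disabled"
            else print "enabled:" method
            exit
        }
        END { if (!seen) print "unknown" }
    '
}

# Live check. The client must itself offer compression (OpenSSL built with
# zlib); a client that does not offer it reports NONE whatever the server does.
# usage: check_host gateway.example.com:443   (hypothetical host name)
check_host() {
    target=$1; shift
    openssl s_client -connect "$target" "$@" </dev/null 2>/dev/null |
        compression_status
}

# Constructed sample output: before the change ...
SAMPLE_BEFORE='Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1'

# ... and after "SSLCompression off" is in effect.
SAMPLE_AFTER='Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1'
```

A result of "unknown" means no handshake summary was printed, for example because the connection failed, and should not be read as compression being off.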