Debian Bug report logs - #674142
make it possible to disable ssl compression in apache2 mod_ssl


Package: apache2; Maintainer for apache2 is Debian Apache Maintainers <debian-apache@lists.debian.org>; Source for apache2 is src:apache2.

Reported by: Bjoern Jacke <debianbugs@j3e.de>

Date: Wed, 23 May 2012 10:54:02 UTC

Owned by: debian-apache@lists.debian.org

Severity: normal

Found in version 2.2.16

Fixed in version apache2/2.2.22-12

Done: Stefan Fritsch <sf@sfritsch.de>

Bug is archived. No further changes may be made.

Forwarded to https://issues.apache.org/bugzilla/show_bug.cgi?id=53219



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>, debian-apache@lists.debian.org:
Bug#674142; Package apache2. (Wed, 23 May 2012 10:54:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bjoern Jacke <debianbugs@j3e.de>:
New Bug report received and forwarded. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>, debian-apache@lists.debian.org. (Wed, 23 May 2012 10:54:09 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Bjoern Jacke <debianbugs@j3e.de>
To: submit@bugs.debian.org
Subject: make it possible to disable ssl compression in apache2 mod_ssl
Date: Wed, 23 May 2012 12:17:38 +0200
Package: apache2
Version: 2.2.16
Owner: debian-apache@lists.debian.org

Some browsers like Chrome/Chromium, but also cmdline clients using openssl like
wget, support ssl compression. This is a big problem for ssl enabled servers
when they offer big files. Pulling, for example, an (already compressed) 100MB
file via such a browser using https, the ssl compression eats up CPU time
significantly. The overall performance of the server will also go down.
Multiple clients make it even worse. It should be possible to disable ssl
compression in mod_ssl to solve this issue.

Please consider adding the patch from
https://issues.apache.org/bugzilla/show_bug.cgi?id=53219 to the Debian package.
It adds the parameter SSLCompression On/Off which allows disabling the ssl
compression. Maybe it is possible to get this even in Squeeze as it doesn't
change any default setting?




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>, debian-apache@lists.debian.org:
Bug#674142; Package apache2. (Tue, 05 Jun 2012 22:33:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Arno Töll <arno@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>, debian-apache@lists.debian.org. (Tue, 05 Jun 2012 22:33:05 GMT) Full text and rfc822 format available.

Message #10 received at 674142@bugs.debian.org (full text, mbox):

From: Arno Töll <arno@debian.org>
To: 674142@bugs.debian.org
Subject: Re: Bug#674142: make it possible to disable ssl compression in apache2 mod_ssl
Date: Wed, 06 Jun 2012 00:29:51 +0200
Hi,

On 23.05.2012 12:17, Bjoern Jacke wrote:
> Please consider to add the patch from
> https://issues.apache.org/bugzilla/show_bug.cgi?id=53219 to the Debian package.

as you might have noticed Stefan was committing your patch upstream.
Thus, it might be included in upcoming releases for the 2.4 branch and
hence also in Debian. It may also be backported to the 2.2 series, but
chances are this comes too late for Wheezy.

I personally wouldn't mind including it for Wheezy as a Debian patch,
but I'd leave that up to Stefan to decide as there are some more changes
in trunk which could be included into Wheezy if we're freezing before
2.2.23 is released.

> Maybe it is possible to get this even in Squeeze as it doesn't
> change any default setting?

I don't think so. Whether or not this is changing the default behavior,
it is still an invasive change we are not considering for a stable release.


-- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D


Set Bug forwarded-to-address to 'https://issues.apache.org/bugzilla/show_bug.cgi?id=53219'. Request was from Arno Töll <arno@debian.org> to control@bugs.debian.org. (Tue, 05 Jun 2012 22:33:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>, debian-apache@lists.debian.org:
Bug#674142; Package apache2. (Fri, 08 Jun 2012 09:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>, debian-apache@lists.debian.org. (Fri, 08 Jun 2012 09:33:06 GMT) Full text and rfc822 format available.

Message #17 received at 674142@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: 674142@bugs.debian.org, 674142-submitter@bugs.debian.org
Subject: Re: Bug#674142: make it possible to disable ssl compression in apache2 mod_ssl
Date: Fri, 8 Jun 2012 11:30:11 +0200
On Wednesday 06 June 2012, Arno Töll wrote:
> Hi,
> 
> On 23.05.2012 12:17, Bjoern Jacke wrote:
> > Please consider to add the patch from
> > https://issues.apache.org/bugzilla/show_bug.cgi?id=53219 to the
> > Debian package.
> 
> as you might have noticed Stefan was committing your patch
> upstream. Thus, it might be included in upcoming releases for the
> 2.4 branch and hence also in Debian. It may also be backported to
> the 2.2 series, but chances are this comes too late for Wheezy.
> 
> I personally wouldn't mind to include it for Wheezy as a Debian
> patch, but I'd let that up to Stefan to decide as there are some
> more changes in trunk which could be included into Wheezy if we're
> freezing before 2.2.23 is released.

I don't like to add config directives that are not in an upstream
release (or at least have been committed to the upstream stable
branch). If the upstream syntax changes before it is released, the
mismatch creates a headache for supporters.

Unfortunately, there is currently not much momentum at upstream for 
2.2.23.

> > Maybe it is possible to get this even in Squeeze as it doesn't
> > change any default setting?
> 
> I don't think so. Whether or not this is changing the default
> behavior, it is still an invasive change we are not considering
> for a stable release.




Message sent on to Bjoern Jacke <debianbugs@j3e.de>:
Bug#674142. (Fri, 08 Jun 2012 09:33:11 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>, debian-apache@lists.debian.org:
Bug#674142; Package apache2. (Mon, 06 Aug 2012 13:48:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to debianbugs@j3e.de:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>, debian-apache@lists.debian.org. (Mon, 06 Aug 2012 13:48:03 GMT) Full text and rfc822 format available.

Message #25 received at 674142@bugs.debian.org (full text, mbox):

From: debianbugs@j3e.de
To: 674142@bugs.debian.org
Subject: upstream in 2.4.3 now
Date: Mon, 6 Aug 2012 15:16:49 +0200
As the patch will be in 2.4.3 now, maybe the chances are there now that you
will add the patch to the 2.2 Debian apache package. The mentioned parameter
rename nightmare should now not be a problem.



Added tag(s) pending. Request was from Arno Töll <arno@debian.org> to control@bugs.debian.org. (Sat, 20 Oct 2012 01:21:07 GMT) Full text and rfc822 format available.

Reply sent to Arno Töll <arno@debian.org>:
You have taken responsibility. (Tue, 30 Oct 2012 23:51:03 GMT) Full text and rfc822 format available.

Notification sent to Bjoern Jacke <debianbugs@j3e.de>:
Bug acknowledged by developer. (Tue, 30 Oct 2012 23:51:03 GMT) Full text and rfc822 format available.

Message #32 received at 674142-close@bugs.debian.org (full text, mbox):

From: Arno Töll <arno@debian.org>
To: 674142-close@bugs.debian.org
Subject: Bug#674142: fixed in apache2 2.2.22-12
Date: Tue, 30 Oct 2012 23:47:45 +0000
Source: apache2
Source-Version: 2.2.22-12

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 674142@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Arno Töll <arno@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 31 Oct 2012 00:23:59 +0100
Source: apache2
Binary: apache2.2-common apache2.2-bin apache2-mpm-worker apache2-mpm-prefork apache2-mpm-event apache2-mpm-itk apache2-utils apache2-suexec apache2-suexec-custom apache2 apache2-doc apache2-prefork-dev apache2-threaded-dev apache2-dbg
Architecture: source amd64 all
Version: 2.2.22-12
Distribution: unstable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Arno Töll <arno@debian.org>
Description: 
 apache2    - Apache HTTP Server metapackage
 apache2-dbg - Apache debugging symbols
 apache2-doc - Apache HTTP Server documentation
 apache2-mpm-event - Apache HTTP Server - event driven model
 apache2-mpm-itk - multiuser MPM for Apache 2.2
 apache2-mpm-prefork - Apache HTTP Server - traditional non-threaded model
 apache2-mpm-worker - Apache HTTP Server - high speed threaded model
 apache2-prefork-dev - Apache development headers - non-threaded MPM
 apache2-suexec - Standard suexec program for Apache 2 mod_suexec
 apache2-suexec-custom - Configurable suexec program for Apache 2 mod_suexec
 apache2-threaded-dev - Apache development headers - threaded MPM
 apache2-utils - utility programs for webservers
 apache2.2-bin - Apache HTTP Server common binary files
 apache2.2-common - Apache HTTP Server common files
Closes: 674142 689936
Changes: 
 apache2 (2.2.22-12) unstable; urgency=low
 .
   * Backport mod_ssl "SSLCompression on|off" flag from upstream. The default is
     "off". This mitigates impact of CRIME attacks. Fixes:
     - "handling the CRIME attack" (Closes: #689936)
     - "make it possible to disable ssl compression in apache2 mod_ssl"
       (Closes: #674142)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>, debian-apache@lists.debian.org:
Bug#674142; Package apache2. (Fri, 16 Nov 2012 02:39:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to David Magda <dmagda@ee.ryerson.ca>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>, debian-apache@lists.debian.org. (Fri, 16 Nov 2012 02:39:06 GMT) Full text and rfc822 format available.

Message #37 received at 674142@bugs.debian.org (full text, mbox):

From: David Magda <dmagda@ee.ryerson.ca>
To: 674142@bugs.debian.org
Subject: fix for 2.2.16?
Date: Thu, 15 Nov 2012 21:07:41 -0500
This bug is marked as done, but that's only the case for the wheezy package (2.2.22). I don't see new binaries for squeeze (2.2.16).

Can you either add the patch to the squeeze package or add something to squeeze-backports?




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>, debian-apache@lists.debian.org:
Bug#674142; Package apache2. (Wed, 21 Nov 2012 09:42:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to James Greig <James@host-it.co.uk>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>, debian-apache@lists.debian.org. (Wed, 21 Nov 2012 09:42:03 GMT) Full text and rfc822 format available.

Message #42 received at 674142@bugs.debian.org (full text, mbox):

From: James Greig <James@host-it.co.uk>
To: "674142@bugs.debian.org" <674142@bugs.debian.org>
Subject: Re: Bug#674142: make it possible to disable ssl compression in apache2
Date: Wed, 21 Nov 2012 09:32:36 +0000
Hi,

I second the last message.  I have a number of systems failing PCI compliance that run squeeze so would really welcome this patch to debian squeeze even if it's backported.

James Greig


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>, debian-apache@lists.debian.org:
Bug#674142; Package apache2. (Wed, 21 Nov 2012 11:45:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Arno Töll <arno@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>, debian-apache@lists.debian.org. (Wed, 21 Nov 2012 11:45:02 GMT) Full text and rfc822 format available.

Message #47 received at 674142@bugs.debian.org (full text, mbox):

From: Arno Töll <arno@debian.org>
To: James Greig <James@host-it.co.uk>, 674142@bugs.debian.org
Subject: Re: Bug#674142: make it possible to disable ssl compression in apache2
Date: Wed, 21 Nov 2012 12:43:44 +0100
On 11/21/2012 10:32 AM, James Greig wrote:
> I second the last message.  I have a number of systems failing PCI compliance that run squeeze so would really welcome this patch to debian squeeze even if it's backported.

It *IS* backported already and we *WILL* upload it as an update to
Stable. But since this is not a critical issue [1] and since uploads to
Stable are extremely sensitive it may well be we wait for another issue
we need to fix in Stable as well.

[1] it is a browser issue in reality, no really.
-- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>, debian-apache@lists.debian.org:
Bug#674142; Package apache2. (Thu, 22 Nov 2012 10:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to James Greig <James@host-it.co.uk>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>, debian-apache@lists.debian.org. (Thu, 22 Nov 2012 10:15:03 GMT) Full text and rfc822 format available.

Message #52 received at 674142@bugs.debian.org (full text, mbox):

From: James Greig <James@host-it.co.uk>
To: "674142@bugs.debian.org" <674142@bugs.debian.org>
Subject: Re: Bug#674142: make it possible to disable ssl compression in apache2
Date: Thu, 22 Nov 2012 10:12:36 +0000
Hi Arno,

Thanks for your reply.  I appreciate that it's a client side issue and apache is just compensating for this so the efforts are fully appreciated especially with free software.  It's just unfortunate that the PCI compliance companies are treating it as a requirement that the servers should compensate for it.

Out of interest, you said it is already backported?  I'm using squeeze-backports but it hasn't appeared as an update?  Am I doing something wrong here?


James Greig

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>, debian-apache@lists.debian.org:
Bug#674142; Package apache2. (Thu, 22 Nov 2012 11:45:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Arno Töll <arno@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>, debian-apache@lists.debian.org. (Thu, 22 Nov 2012 11:45:05 GMT) Full text and rfc822 format available.

Message #57 received at 674142@bugs.debian.org (full text, mbox):

From: Arno Töll <arno@debian.org>
To: James Greig <James@host-it.co.uk>, 674142@bugs.debian.org
Subject: Re: Bug#674142: make it possible to disable ssl compression in apache2
Date: Thu, 22 Nov 2012 12:40:47 +0100
Hi,

On 11/22/2012 11:12 AM, James Greig wrote:
> Out of interest, you said it is already backported?  I'm using squeeze-backports but it hasn't appeared as an update?  Am I doing something wrong here?

I meant, I backported the patch in our source code repository:
http://anonscm.debian.org/gitweb/?p=pkg-apache/apache2.git;a=blob;f=debian/patches/300_disable-ssl-compression.dpatch;h=fd497646c6fe675d47821f729cff8b516319c2d7;hb=refs/heads/squeeze

It is not available in any package (we support) yet.

-- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>, debian-apache@lists.debian.org:
Bug#674142; Package apache2. (Thu, 22 Nov 2012 15:00:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to James Greig <James@host-it.co.uk>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>, debian-apache@lists.debian.org. (Thu, 22 Nov 2012 15:00:03 GMT) Full text and rfc822 format available.

Message #62 received at 674142@bugs.debian.org (full text, mbox):

From: James Greig <James@host-it.co.uk>
To: "674142@bugs.debian.org" <674142@bugs.debian.org>
Subject: Re: Bug#674142: make it possible to disable ssl compression in apache2
Date: Thu, 22 Nov 2012 14:57:56 +0000
Is there any way to get a .deb of this at all or is it purely a waiting game?

James Greig

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>, debian-apache@lists.debian.org:
Bug#674142; Package apache2. (Wed, 28 Nov 2012 13:51:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Harry Sintonen <sintonen@iki.fi>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>, debian-apache@lists.debian.org. (Wed, 28 Nov 2012 13:51:06 GMT) Full text and rfc822 format available.

Message #67 received at 674142@bugs.debian.org (full text, mbox):

From: Harry Sintonen <sintonen@iki.fi>
To: 674142@bugs.debian.org
Subject: Re: Bug#674142: make it possible to disable ssl compression in apache2
Date: Wed, 28 Nov 2012 15:40:30 +0200 (EET)
> It *IS* backported already and we *WILL* upload it as an update to
> Stable. But since this is not a critical issue [1] and since uploads to
> Stable are extremely sensitive it may well be we wait for another issue
> we need to fix in Stable as well.
>
> [1] it is a browser issue in reality, no really.

I cannot fully agree with this assessment. IMHO lack of option to disable
compression should be considered a critical issue, and it should be fixed
speedily at server side as well.

SSL compression is an optional feature that is only used if both the 
server and client support it, and the server agrees to enabling it. Thus 
the issue can be mitigated in two different ways:

- Modify the clients so that they do not report supporting compression at
  "client hello".

and/or:

- Fix servers so that they do not enable compression, even if the client
  is advertising the support in "client hello". Either remove compression
  support completely or make it configurable.

The root of the problem is that current stable apache2 enables the
compression if requested by the client, and there is no way to mitigate 
this issue (and the CRIME attack) from the server side.

The most efficient way of fixing this is to patch the server. While 
clients may have received updates disabling the compression, no-one can 
guarantee that everyone has installed those patches.

It may even be a direct security threat for the server since an attacker
may perform a targeted attack against some administrative functionality
(steal admin's session token) to gain privileged access to the server.

Another argument speaking in favor of fixing this on the server side is
the asymmetry: There are thousands of clients per one server. Fixing the
server mitigates the issue for all of the clients (even the unpatched
ones!).

Finally, failing PCI compliance is a major issue. To quote 
pcisecuritystandards.org:

"But if you are not compliant, it could be disastrous:

  o Compromised data negatively affects consumers, merchants, and
    financial institutions

  o Just one incident can severely damage your reputation and your ability
    to conduct business effectively, far into the future

  o Account data breaches can lead to catastrophic loss of sales,
    relationships and standing in your community, and depressed share
    price if yours is a public company

  o Possible negative consequences also include:

     - Lawsuits
     - Insurance claims
     - Cancelled accounts
     - Payment card issuer fines
     - Government fines
"

Strictly speaking this of course isn't Debian's problem, but nevertheless
I think it reflects poorly on Debian's reputation if the vendor is slow to fix
an issue that may lead to PCI compliance issues.

You're of course right in that the problem goes away if all clients have 
been updated. However, I think it would be much better security 
management to promptly fix it at server side as well. And it would get 
all those PCI bound parties happy...


  Regards,
-- 
l=2001;main(i){float o,O,_,I,D;for(;O=I=l/571.-1.75,l;)for(putchar(--l%80?
i:10),o=D=l%80*.05-2,i=31;_=O*O,O=2*o*O+I,o=o*o-_+D,o+_+_<4+D&i++<87;);puts
("  Harry 'Piru' Sintonen <sintonen@iki.fi> http://www.iki.fi/sintonen");}
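
The negotiation described in the message above (compression is used only if the client advertises it in its "client hello" and the server agrees) as an added example, not code from this thread or from mod_ssl: a parser that reports which compression methods a ClientHello offers, and a function modelling the server's choice under SSLCompression on|off. The ClientHello bytes are constructed inline rather than captured, and the function names are assumptions of this example.

```python
import struct

# TLS compression method identifiers (RFC 5246 section 6.2.2; DEFLATE from RFC 3749).
COMPRESSION_NULL = 0x00
COMPRESSION_DEFLATE = 0x01


def build_client_hello(compression_methods, cipher_suites=(0x002F, 0x0035)):
    """Build a minimal TLS 1.2 ClientHello record. Constructed test input, not a capture."""
    body = b"\x03\x03"                                   # client_version: TLS 1.2
    body += bytes(32)                                    # random (zeroed for the example)
    body += b"\x00"                                      # session_id: empty
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites      # cipher_suites vector
    body += struct.pack("!B", len(compression_methods)) + bytes(compression_methods)
    body += b"\x00\x00"                                  # extensions: none
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # client_hello(1) + 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake(22) record


def parse_client_hello_compression(record):
    """Return the compression methods a ClientHello record advertises, in client order."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                         # skip client_version and random
    if len(body) < pos + 1:
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]                                 # skip session_id
    if len(body) < pos + 2:
        raise ValueError("truncated ClientHello")
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0] # skip cipher_suites
    if len(body) < pos + 1:
        raise ValueError("truncated ClientHello")
    cm_len = body[pos]
    methods = list(body[pos + 1:pos + 1 + cm_len])
    if len(methods) != cm_len:
        raise ValueError("truncated compression_methods")
    return methods


def client_advertises_compression(record):
    """True when the ClientHello offers anything other than null compression."""
    return any(m != COMPRESSION_NULL for m in parse_client_hello_compression(record))


def select_compression(client_methods, ssl_compression_on):
    """Model the server's choice: compression is used only if the client offered it AND
    the server permits it, i.e. mod_ssl's SSLCompression on|off. With 'off' the server
    always picks null, which is the server-side mitigation the thread asks for."""
    if COMPRESSION_NULL not in client_methods:
        raise ValueError("client must offer null compression (RFC 5246)")
    if ssl_compression_on and COMPRESSION_DEFLATE in client_methods:
        return COMPRESSION_DEFLATE
    return COMPRESSION_NULL


if __name__ == "__main__":
    hello = build_client_hello([COMPRESSION_DEFLATE, COMPRESSION_NULL])
    print("client offers:", parse_client_hello_compression(hello))
    for setting in (True, False):
        chosen = select_compression(parse_client_hello_compression(hello), setting)
        print("SSLCompression", "on " if setting else "off", "-> selected", chosen)
```

The same parser can be pointed at a real ClientHello captured on the wire to confirm that a client update really stopped advertising DEFLATE, while select_compression shows why "SSLCompression off" protects even clients that still do.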



Reply sent to Stefan Fritsch <sf@sfritsch.de>:
You have taken responsibility. (Fri, 30 Nov 2012 13:27:07 GMT) Full text and rfc822 format available.

Notification sent to Bjoern Jacke <debianbugs@j3e.de>:
Bug acknowledged by developer. (Fri, 30 Nov 2012 13:27:07 GMT) Full text and rfc822 format available.

Message #72 received at 674142-done@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: 689936-done@bugs.debian.org, 674142-done@bugs.debian.org
Subject: fixed in squeeze in DSA 2579-1
Date: Fri, 30 Nov 2012 14:25:50 +0100
version: apache2/2.2.16-6+squeeze10

fixed in squeeze in DSA 2579-1



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 29 Dec 2012 07:26:28 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 17:05:54 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.