Support is required to disable TLS compression to protect against CRIME attacks. Please see: https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls This security issue is flagged for Tomcat during PCI compliance scans.
I'm looking at OpenSSL to see how to do this. Any proper solution will likely depend on bug 53969 in tcnative, and therefore require tcnative 1.1.25 which has not yet been released.
Is there a road map for releases available for TC Native/Apache/Tomcat in general? Perhaps this is related? https://issues.apache.org/bugzilla/show_bug.cgi?id=53219
tcnative is independent from Apache httpd, though it does depend upon the Apache Portable Runtime library which is "part" of Apache httpd. In this case, we're only relying on support from OpenSSL, so the version of Apache httpd is not relevant. Tomcat 7.x releases have historically come about once per month. There is no guarantee this will continue, but it's a reasonable bet. tcnative 1.1.24 was released 2012-06-13. I've just added a number of SSL_OP_* from OpenSSL 1.0 that were missing to tcnative's option-support capabilities, and the option-support caps-detection has been added since 1.1.24 so I'm going to propose 1.1.25 sometime soon. Once you have both of these (tcnative + Tomcat) supporting SSL_OP_NO_COMPRESSION then you should be able to pass your audit. Note that no current versions of mainstream browsers enable SSL compression by default, so this issue is, for the most part, a non-issue.
Note also that, as a short-term workaround, you can compile OpenSSL without compression support.
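The audit finding above is ultimately about what a server negotiates on the wire, so whichever route is taken (SSL_OP_NO_COMPRESSION via tcnative, or an OpenSSL build without compression), the verification is the same: look at the "Compression:" line that `openssl s_client` prints after the handshake. The script below is an added example written for this thread, not code from Tomcat or tcnative; the sample outputs are constructed to mirror the s_client summary block, and the host/port in `check_host` are placeholders.

```shell
#!/bin/sh
# Added example (not from the bug report): classify whether a TLS endpoint
# negotiated compression, which is the condition the PCI scan flags.

# compression_status: read `openssl s_client` output (argument or stdin) and
# print "disabled", "enabled" or "unknown". Exit status 0 / 1 / 2 respectively,
# so it can be used directly as a pass/fail check in a scan script.
compression_status() {
    _out="${1:-$(cat)}"
    # Only the first "Compression:" line matters; `head` keeps the pipeline
    # status at 0 even when grep finds nothing, which is safe under `set -e`.
    _line=$(printf '%s\n' "$_out" | grep '^Compression:' | head -n 1)
    if [ -z "$_line" ]; then
        # No summary block: handshake failed or output was truncated.
        echo unknown
        return 2
    fi
    case "$_line" in
        *NONE*) echo disabled; return 0 ;;
        *)      echo enabled;  return 1 ;;
    esac
}

# check_host: live check against a server (placeholders, not run here).
# "Q" on stdin makes s_client close the connection after the handshake.
check_host() {
    _host="$1"
    _port="${2:-443}"
    printf 'Q\n' | openssl s_client -connect "$_host:$_port" -servername "$_host" 2>/dev/null \
        | compression_status
}

# Constructed sample outputs modelled on the s_client summary block.
SAMPLE_OFF='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE'

SAMPLE_ON='New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression'

# Usage: compression_status "$SAMPLE_OFF"   -> disabled
#        check_host tomcat.example.invalid 8443
```

On the server side, once the versions named in this thread are in place, the corresponding setting is SSLDisableCompression="true" on the APR/native connector; the script above is how to confirm it actually took effect rather than trusting the configuration.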
It looks like there is movement on getting tcnative 1.1.25 released. I have a patch for this that I will commit soon.
Fixed in trunk and Tomcat 7.0.x. Will be in Tomcat 7.0.36. Proposed for Tomcat 6.0.x.
Implemented in Tomcat 6.0 by r1461021, will be in 6.0.37
(In reply to Konstantin Kolinko from comment #7)
> Implemented in Tomcat 6.0 by r1461021, will be in 6.0.37

Konstantin,

the fix for 6.0.x strays from the lowercase naming convention for variables. See
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?r1=1461021&r2=1461020&pathrev=1461021

> protected boolean SSLDisableCompression = false;
(In reply to Michael Osipov from comment #8)
> (In reply to Konstantin Kolinko from comment #7)
> > Implemented in Tomcat 6.0 by r1461021, will be in 6.0.37
>
> Konstantin,
>
> the fix for 6.0.x strays from the lowercase naming convention for variables. See
> http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?r1=1461021&r2=1461020&pathrev=1461021
>
> > protected boolean SSLDisableCompression = false;

And the boolean should be private. It has both a getter and a setter, so there is no need to expose it outside the class.
(In reply to Michael Osipov from comment #8)
> (In reply to Konstantin Kolinko from comment #7)
> > Implemented in Tomcat 6.0 by r1461021, will be in 6.0.37
>
> Konstantin,
>
> the fix for 6.0.x strays from the lowercase naming convention for variables. See
> http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?r1=1461021&r2=1461020&pathrev=1461021
>
> > protected boolean SSLDisableCompression = false;

There is no such convention here (in the APR connector). See SSLEnabled, SSLProtocol etc.
http://tomcat.apache.org/tomcat-6.0-doc/apr.html

(In reply to Sebb from comment #9)
1. Nothing is broken by this.
2. 6.0.37 is already released. You are too late here. It can still be fixed in trunk though.

re-closing as FIXED.
(In reply to Konstantin Kolinko from comment #10)
> (In reply to Michael Osipov from comment #8)
> > (In reply to Konstantin Kolinko from comment #7)
> > > Implemented in Tomcat 6.0 by r1461021, will be in 6.0.37
> >
> > Konstantin,
> >
> > the fix for 6.0.x strays from the lowercase naming convention for variables. See
> > http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?r1=1461021&r2=1461020&pathrev=1461021
> >
> > > protected boolean SSLDisableCompression = false;
>
> There is no such convention here (in the APR connector).

This is Java convention. Members -- unless static final -- are never PascalCase but camelCase. No one is referring to the attributes in the XML config.

> See SSLEnabled, SSLProtocol etc.
> http://tomcat.apache.org/tomcat-6.0-doc/apr.html
>
> (In reply to Sebb from comment #9)
> 1. Nothing is broken by this.
> 2. 6.0.37 is already released. You are too late here. It can still be fixed in trunk though.
>
> re-closing as FIXED.

Why don't you fix it then?