DX Application Performance Management

SSL Compression Methods and APM CE

  • 1.  SSL Compression Methods and APM CE

    Posted 10-28-2013 07:43 AM

    This was discovered during a recent case and I am passing it on to the APM Community:

    Situation: NOT able to decrypt traffic (Apache web server). The cipher suite is: TLS_RSA_WITH_AES_256_CBC_SHA

    Root Cause: Use of “SSL/TLS compression” feature in their environment and TIM/ssldump code analysis found that it doesn’t have support for SSL/TLS Compression for DEFLATE type.

    While researching further on SSL/TLS compression feature/implementations, we found that there is a serious security/vulnerability issue with SSL/TLS compression feature raised/observed in September, 2012 that causing serious Crime attacks with this feature. For more details on how to hijack HTTPS sessions with this feature, how/what browser and web server vendors TURN OFF this feature in later versions as part of mitigation activity etc,  please refer the below technical and public links:

    https://isecpartners.com/blog/2012/september/details-on-the-crime-attack.aspx

    http://www.computerworld.com/s/article/9231281/_CRIME_attack_abuses_SSL_TLS_data_compression_feature_to_hijack_HTTPS_sessions

    Interestingly, Microsoft IIS webserver does not support SSL/TLS Compression - even in IIS 7.5/Server 2008 R2 and also Apache did the back port this critical FIX (i.e. turn off) from 2.4 to 2.2.24 due to popular demand by community (http://svn.apache.org/viewvc?view=revision&revision=1400700 ) and also updated the same in Apache mod_ssl documentation about crime attack 

    Thanks

    Hallett German

    CA Technologies Support