7.7 Ensure SSL Compression is Not Enabled

Information

The 'SSLCompression' directive controls whether SSL compression is used by Apache when serving content over HTTPS. It is recommended that the 'SSLCompression' directive be set to 'off'.

Rationale:

If SSL compression is enabled, HTTPS communication between the client and the server may be at increased risk to the CRIME attack. The CRIME attack increases a malicious actor's ability to derive the value of a session cookie, which commonly contains an authenticator. If the authenticator in a session cookie is derived, it can be used to impersonate the account associated with the authenticator.

Solution

Perform the following to implement the recommended state:

1. Verify the Apache version is 2.2.24 or later, with the command 'httpd -v'.
2. Search the Apache configuration files for the 'SSLCompression' directive.
3. Add or update the directive to have a value of 'off'.

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-8, CSCv6|14.2, CSCv7|14.4

Plugin: Unix

Control ID: 6d9893e53d35d26a9162bc2bed00f7eb81fcbf1e3a6fe0b1ab7a1c780666e868