I’ll show you a quick way to actively check a server for compression as well as how to disable compression in Apache. Note: This has _no_ effect on the CRIME TLS vulnerability.
Test for Compression
A simple online page for testing HTTP compression is here:
http://www.gidnetwork.com/tools/gzip-test.php
Or alternatively, below is a manual test for compression over HTTPS.
Using openssl, make a connection to the server. Sending the request header ‘Accept-Encoding: compress, gzip’ tells the server that the client accepts a compressed response. Note that the page that comes back looks like gibberish because it is compressed; the server also adds a ‘Content-Encoding: gzip’ header to its response.
$ openssl s_client -connect www.apache.org:443
CONNECTED(00000003)
[skip certificate info]
GET / HTTP/1.1 [Enter]
Host: google.com [Enter]
Accept-Encoding: compress, gzip [Enter, Enter]
HTTP/1.1 200 OK
Date: Thu, 13 Sep 2012 16:58:57 GMT
Server: Apache/2.4.1 (Unix) OpenSSL/1.0.0g
Last-Modified: Thu, 13 Sep 2012 15:09:56 GMT
ETag: "891a-4c996b33b64aa-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 9005
Content-Type: text/html; charset=utf-8
###v#######^ӓ#1%˗#####Y###########yA$$## # m+O##########NU#I#h'####&3#-^P#
u#########^
####Sv#######N#########[#####y#e"U##Ng########>######!#####p##D###########D܅?C5N#####JC####^wL#g#y ΦI9###########8W#H##k#####'#####H###:vv[##(V###ٛ#####O#####s######'zKw#_#####9n#N##_##,###Nf###!#K#g#C##Orxō#############/####Wy<ޑQR#p######:v######JE#############8###U###############%HNG##+#E#s######]U###D#####Vi䨱##SG#v########Q#8########9'b###sRh#-#n
A server that does not support compression (DEFLATE or gzip) ignores the Accept-Encoding request header and simply sends the page back uncompressed, with no Content-Encoding header:
$ openssl s_client -connect www.example.com:443
CONNECTED(00000003)
[skip ssl cert info]
GET / HTTP/1.1
Host: google.com
Accept-Encoding: compress, gzip
HTTP/1.1 200 OK
Date: Thu, 13 Sep 2012 17:02:49 GMT
Connection: Keep-Alive
Server: Apache
X-UA-Compatible: IE=edge
Last-Modified: Wed, 12 Sep 2012 07:08:22 GMT
Accept-Ranges: bytes
Vary: *
Content-Length: 26717
Content-Type: text/html; charset=utf-8
<!DOCTYPE html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8" />
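The two manual sessions above can be scripted. The following is an added example, not from the original post: it sends the same kind of Accept-Encoding request through openssl s_client, reports whether the response carried a Content-Encoding header (HTTP-level compression), and reads the ‘Compression:’ line from s_client's session summary (TLS-level compression, the layer CRIME concerns). It assumes openssl is installed; the hostname you pass in is yours to supply.

```shell
#!/bin/sh
# Added example, not from the original post: probe a TLS server for HTTP-level
# compression (Content-Encoding in the response) and TLS-level compression (the
# "Compression:" line in openssl s_client's session summary).
# Assumes openssl(1) is installed; the hostname passed in is an assumption.

# Classify an HTTP response: prints "compressed" if a Content-Encoding header
# names a compression scheme, otherwise "uncompressed".
http_compression_status() {
    if printf '%s\n' "$1" | grep -iqE '^Content-Encoding:[[:space:]]*(gzip|x-gzip|deflate|compress|br)'; then
        echo compressed
    else
        echo uncompressed
    fi
}

# Extract the TLS compression method from s_client output; prints "none" when
# the line is absent or reads "Compression: NONE".
tls_compression_status() {
    line=$(printf '%s\n' "$1" | grep -i '^Compression:' | head -n 1)
    case "$line" in
        ''|*NONE*) echo none ;;
        *) echo "${line#Compression: }" ;;
    esac
}

# Open a TLS connection, send a HEAD request advertising compression support
# (HEAD keeps the binary compressed body out of the capture), report both results.
# -ign_eof keeps s_client reading until the server closes the connection.
probe_server() {
    host=$1
    port=${2:-443}
    out=$(printf 'HEAD / HTTP/1.1\r\nHost: %s\r\nAccept-Encoding: gzip, deflate\r\nConnection: close\r\n\r\n' "$host" \
        | openssl s_client -connect "$host:$port" -servername "$host" -ign_eof 2>/dev/null)
    echo "HTTP compression: $(http_compression_status "$out")"
    echo "TLS compression:  $(tls_compression_status "$out")"
}

# Usage: sh check_compression.sh www.example.com [443]
if [ -n "${1:-}" ]; then
    probe_server "$1" "${2:-443}"
fi
```

The two parsing functions take the captured text as an argument so they can be exercised on saved sessions as well; the indented ‘Compression:’ entry inside the SSL-Session block is deliberately not matched, only the summary line the post's comment quotes.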
Disable Compression
To disable compression in Apache, you typically just need to disable the mod_deflate module. After making the adjustments below, repeat the manual test above to confirm that compression is disabled.
Debian/Ubuntu:
$ sudo a2dismod deflate
Module deflate disabled.
Run '/etc/init.d/apache2 restart' to activate new configuration!
$ sudo /etc/init.d/apache2 restart
Red Hat or CentOS:
$ sudo nano /etc/httpd/conf/httpd.conf
Comment out this line:
LoadModule deflate_module modules/mod_deflate.so
It should now look like this:
#LoadModule deflate_module modules/mod_deflate.so
Close and save the file then restart httpd:
$ sudo /etc/init.d/httpd restart
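Besides re-running the remote test, you can confirm on the server itself that the module is gone. The following is an added example, not from the original post: it checks the running server's module list and the configuration file for an active LoadModule line for mod_deflate. It assumes apachectl (apache2ctl on Debian/Ubuntu) is on PATH; the default config path is the Red Hat/CentOS one from the post.

```shell
#!/bin/sh
# Added example, not from the original post: verify on the server that
# mod_deflate is no longer loaded. Assumes apachectl(8) or apache2ctl is on
# PATH; the config path is the RHEL/CentOS one used in the post (an assumption
# for other layouts).

# Return success if a module list (the output of `apachectl -M`) names mod_deflate.
deflate_in_module_list() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*deflate_module'
}

# Return success if the config file still has an active (uncommented)
# LoadModule line for mod_deflate; a leading '#' hides it from this match.
deflate_loaded_in_config() {
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+deflate_module[[:space:]]' "$1"
}

# Run both checks, print a verdict, and return 1 if compression is still enabled.
audit_deflate() {
    config=$1
    modules=$(apachectl -M 2>/dev/null || apache2ctl -M 2>/dev/null)
    status=0
    if deflate_in_module_list "$modules"; then
        echo "deflate_module is loaded in the running server"
        status=1
    fi
    if [ -f "$config" ] && deflate_loaded_in_config "$config"; then
        echo "active LoadModule deflate_module line in $config"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "mod_deflate is disabled"
    return "$status"
}

# Usage: sh audit_deflate.sh /etc/httpd/conf/httpd.conf
# On Debian/Ubuntu, a2dismod removes the mods-enabled/deflate.load symlink,
# so the module-list check is the relevant one there.
if [ -n "${1:-}" ]; then
    audit_deflate "$1"
fi
```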
What about CRIME?
Note that, at the time of this post, there is an open enhancement bug for disabling SSL compression in mod_ssl. Disabling TLS-level compression is currently the only known mitigation for CRIME. The change is only available in Apache 2.4.3 but could be backported to Apache 2.2. The bug is:
https://issues.apache.org/bugzilla/show_bug.cgi?id=53219

Twitter: davinken
At least related to Apache 2.2.x on CentOS, the bugzilla entry:
https://bugzilla.redhat.com/show_bug.cgi?id=857051#c5
seems to fix the issue.
I just added the suggested line:
export OPENSSL_NO_DEFAULT_ZLIB=1
to /etc/sysconfig/httpd
and after restarting the httpd service, it passed the vulnerability scan against CRIME.
The patch to openssl mentioned in the bug looks to be in place. Nothing else was needed.
Launching also:
openssl s_client -connect my.server.com:443
reports
Compression: NONE
Expansion: NONE
which satisfies the need and seems to solve the problem.
N.B.
Alas, the security scan after this hinted at the (related) BEAST vulnerability being still alive.