The openssl packages in Red Hat Enterprise Linux 5 (starting with the RHBA-2009:0181 update released in Red Hat Enterprise Linux 5.3) and 6, and also in Fedora, contain a patch that makes the library check whether the OPENSSL_NO_DEFAULT_ZLIB environment variable is set (it can have an arbitrary value, even an empty string) and, if so, disable the default zlib support.
Setting the OPENSSL_NO_DEFAULT_ZLIB environment variable before starting a client or server application that uses OpenSSL disables zlib compression support and hence mitigates this flaw. For example, httpd with mod_ssl has compression enabled by default in Red Hat Enterprise Linux 5 and 6, so it is used whenever the client also supports it. Adding the following line to the /etc/sysconfig/httpd file:
export OPENSSL_NO_DEFAULT_ZLIB=1
and restarting the httpd service disables the use of SSL/TLS compression in mod_ssl; compression will not be negotiated even when the connecting client supports it. Note that this environment variable only affects SSL/TLS protocol compression and does not affect HTTP protocol compression implemented by the mod_deflate module.
The openssl packages in Red Hat Enterprise Linux 3 and 4 are based on upstream version 0.9.7a and do not enable SSL/TLS zlib compression.
OpenSSL enables zlib compression by default for both clients and servers starting with version 0.9.8:
http://cvs.openssl.org/chngview?cn=9594
The patch adding the OPENSSL_NO_DEFAULT_ZLIB check to the openssl packages in Red Hat Enterprise Linux 5 and 6 and in Fedora:
http://pkgs.fedoraproject.org/cgit/openssl.git/tree/openssl-0.9.8j-env-nozlib.patch?id=1d20b5f2