Can't turn off SSLCompression in Apache?


Question:

Apache is 2.4.46, using OpenSSL version 1.1.1f.

I have set the directive SSLCompression Off.

But when I look at the page's HTTP headers in Firefox, I see these response headers:


```
HTTP/2 200 OK
date: Fri, 25 Dec 2020 12:13:58 GMT
server: Apache
expires: -1
cache-control: no-store, no-cache, must-revalidate, max-age=0
pragma: no-cache
content-security-policy: default-src https: 'unsafe-inline' 'unsafe-hashes' 'self'; img-src data: https: 'self'
x-frame-options: DENY
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
strict-transport-security: max-age=63072000; includeSubDomains; preload
referrer-policy: no-referrer
permissions-policy: geolocation=();midi=();notifications=();push=();sync-xhr=(self);microphone=();camera=();magnetometer=();gyroscope=();speaker=(self);vibrate=();fullscreen=(self);payment=();
vary: Accept-Encoding
content-encoding: gzip
content-length: 3299
content-type: text/html; charset=UTF-8
X-Firefox-Spdy: h2
```



It says: content-encoding: gzip

But even when I fetch the page with curl from PHP using this script:


```php
<?php
// Placeholder URL; the question does not give the actual site.
$url = "https://example.invalid/";

$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// enable headers
curl_setopt($ch, CURLOPT_HEADER, 1);
// get only headers
curl_setopt($ch, CURLOPT_NOBODY, 1);
curl_setopt($ch, CURLOPT_TIMEOUT_MS, 5000);
// these two options disable certificate verification (as in the original script)
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_2_0);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0");
// ask for a gzip body (sends Accept-Encoding: gzip)
curl_setopt($ch, CURLOPT_ENCODING, "gzip");

$headers = curl_exec($ch);
if ($headers === false) {
    echo "curl error: " . curl_error($ch) . "\n";
} else {
    echo $headers;
}
curl_close($ch);
```



it returns the following HTTP headers:





```
HTTP/2 200 
date: Fri, 25 Dec 2020 12:16:45 GMT
server: Apache
set-cookie: __Secure-CCJRLSESSID=g7m99kljvea2g5uk58f5lfskr1; path=/; secure; HttpOnly; SameSite=Lax
expires: -1
cache-control: no-store, no-cache, must-revalidate, max-age=0
pragma: no-cache
content-security-policy: default-src https: 'unsafe-inline' 'unsafe-hashes' 'self'; img-src data: https: 'self'
x-frame-options: DENY
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
strict-transport-security: max-age=63072000; includeSubDomains; preload
referrer-policy: no-referrer
permissions-policy: geolocation=();midi=();notifications=();push=();sync-xhr=(self);microphone=();camera=();magnetometer=();gyroscope=();speaker=(self);vibrate=();fullscreen=(self);payment=();
content-type: text/html; charset=UTF-8
```



mod_deflate?


```apache
SSLCompression Off

<IfModule deflate_module>
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
    AddOutputFilterByType DEFLATE application/x-font
    AddOutputFilterByType DEFLATE application/x-font-opentype
    AddOutputFilterByType DEFLATE application/x-font-otf
    AddOutputFilterByType DEFLATE application/x-font-truetype
    AddOutputFilterByType DEFLATE application/x-font-ttf
    AddOutputFilterByType DEFLATE application/x-javascript
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE font/opentype
    AddOutputFilterByType DEFLATE font/otf
    AddOutputFilterByType DEFLATE font/ttf
    AddOutputFilterByType DEFLATE image/svg+xml
    AddOutputFilterByType DEFLATE image/x-icon
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/javascript
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/xml
</IfModule>
```




Answer 1:

The CRIME attack on CVE-2012-4929 is the encryption of compressed headers without properly obscuring the length of the unencrypted data, so that the plaintext headers can be revealed (by guessing).

In your case, the content is compressed, the size (length) of the compressed data is added as another header, and then all of that is encrypted. That is not subject to the CRIME attack, because the length of the unencrypted data is never revealed.
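The two layers the question and the answer are talking about can be told apart with a small check. This is an added example, not code from the question or the answer: the header sample is constructed from the Firefox capture above, `http_layer_compression` reads what mod_deflate did from `Content-Encoding` and `Vary`, and `tls_layer_compression` (a live call, assumed host name, not exercised by the test) reports what the TLS layer negotiated, which is the only thing `SSLCompression Off` governs.

```python
import socket
import ssl

# Constructed sample, modelled on the Firefox capture in the question (not a real capture).
SAMPLE_GET_HEADERS = (
    "HTTP/2 200 OK\n"
    "date: Fri, 25 Dec 2020 12:13:58 GMT\n"
    "server: Apache\n"
    "vary: Accept-Encoding\n"
    "content-encoding: gzip\n"
    "content-length: 3299\n"
    "content-type: text/html; charset=UTF-8\n"
)


def parse_response_headers(raw):
    """Raw header block -> dict keyed by lower-cased header name; the status line is skipped."""
    headers = {}
    for line in raw.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def http_layer_compression(raw):
    """What the HTTP layer (mod_deflate) did to the body: the Content-Encoding it applied
    and whether the response says it was negotiated on the request's Accept-Encoding.
    SSLCompression has no influence on any of this."""
    h = parse_response_headers(raw)
    return {
        "content_encoding": h.get("content-encoding"),
        "negotiated_on_accept_encoding": "accept-encoding" in h.get("vary", "").lower(),
    }


def tls_layer_compression(host, port=443, timeout=5.0):
    """Return the compression method negotiated by the TLS layer itself, or None.
    This is the layer SSLCompression Off controls; None is the expected result.
    Live network call, not used by the test. Python's default context sets
    OP_NO_COMPRESSION, so it is cleared here so the client offers compression at all.
    Caveat: TLS 1.3 has no compression and most OpenSSL builds lack zlib, so None
    can also reflect the client side rather than the server's setting."""
    ctx = ssl.create_default_context()
    ctx.options &= ~ssl.OP_NO_COMPRESSION
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.compression()
```

A `content-encoding: gzip` with `None` from the TLS check is exactly the combination the answer describes: body compression by mod_deflate, no TLS-level compression.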


