How to disable the use of SSL compression on HTTP-TLS interfaces on the device.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to disable the use of SSL compression on HTTP-TLS interfaces on the device.

Dear All,

Please help me on this issue. The IT Security Audit team has scanned the PaloAlto Firewall PA-2050 and they found this vulnerability:

*********************************************************************************************************

62565 (1) - TLS CRIME Vulnerability

Synopsis:

The remote service has a configuration that may make it vulnerable to the CRIME attack.

Description:

The remote service has one of two configurations that are known to be required for the CRIME attack:

- SSL / TLS compression is enabled.

- TLS advertises the SPDY protocol earlier than version 4.

Solution:

Disable compression and / or the SPDY service.

Risk Factor:

Medium

*********************************************************************************************************

According to the document from PaloAlto "PAN-OS 5.0.3: Release Notes > Addressed Issues"  there is:

47813 -- Made a change to disable the use of SSL compression on HTTP-TLS interfaces on the device.

So, How can we disable this SSL compression?

Regards,

Aniz

1 REPLY 1

L5 Sessionator

Hello Aniz,

SPDY feature can be disabled in Chrome's browser properties.

Please refer the following document:

Chrome Version 21 Unable to Make SSL Connections to google.com Destinations

Let me know if that helps you!

Thanks and regards,
Kunal Adak

  • 5972 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!