From owner-freebsd-security@FreeBSD.ORG  Fri May 13 15:54:55 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 4FFFB16A4CE
	for <freebsd-security@freebsd.org>;
	Fri, 13 May 2005 15:54:55 +0000 (GMT)
Received: from web53302.mail.yahoo.com (web53302.mail.yahoo.com
	[206.190.39.231])
	by mx1.FreeBSD.org (Postfix) with SMTP id D06B543D66
	for <freebsd-security@freebsd.org>;
	Fri, 13 May 2005 15:54:54 +0000 (GMT)
	(envelope-from non_secure@yahoo.com)
Received: (qmail 63843 invoked by uid 60001); 13 May 2005 15:54:54 -0000
Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
	s=s1024; d=yahoo.com;
	b=u7ErIMaC+Pfcs31P0MxGpVV1HYwHpythIsL5j2rtoCa0mP9+JQwL7o5Xy8vQWqowk9zdL/N/xvP9Yt8eui74E86JudJswx7tm7TpIkGhEBVwKHDliJxRUKjFA0gzX4urXcMGIAprhgpDEBTj6SyCaYmrgZwf6zvnJHQFin14kIc=
	;
Message-ID: <20050513155454.63841.qmail@web53302.mail.yahoo.com>
Received: from [140.209.242.255] by web53302.mail.yahoo.com via HTTP;
	Fri, 13 May 2005 08:54:54 PDT
Date: Fri, 13 May 2005 08:54:54 -0700 (PDT)
From: Joe Schmoe <non_secure@yahoo.com>
To: freebsd-security@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailman-Approved-At: Sat, 14 May 2005 12:46:32 +0000
Subject: different ways to disable https in apache...
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 13 May 2005 15:54:55 -0000

Hello,

I built apache+openssl+mod_ssl.  It is working fine,
and I have been starting the server with:

apachectl startssl

Recently, however, I have decided that I will not be
doing anything over https (for a while, at least) with
this web server, so for security reasons, I want to
only run on port 80.

So now I start the server with:

apachectl start

And it runs without SSL.  My question is, is starting
the SSl enabled apache like this, and running it
without SSL exactly the same security-wise as running
a copy of apache without SSL at all ?  That is, SSL
libraries, etc., can have vulnerabilities in them, and
am I still vulnerable to those problems even if I am
running only on port 80 ?

What kinds of attacks might I _not_ be insulating
myself against by simply not running SSL, vs.
reinstalling without it ?

thanks,


		
__________________________________ 
Yahoo! Mail Mobile 
Take Yahoo! Mail with you! Check email on your mobile phone. 
http://mobile.yahoo.com/learn/mail