From owner-freebsd-security@FreeBSD.ORG  Sat May 14 22:21:07 2005
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id BD78A16A4CE
	for <freebsd-security@freebsd.org>;
	Sat, 14 May 2005 22:21:07 +0000 (GMT)
Received: from dfmm.org (treehorn.dfmm.org [66.180.195.213])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 5A47143D68
	for <freebsd-security@freebsd.org>;
	Sat, 14 May 2005 22:21:06 +0000 (GMT)
	(envelope-from freebsd-security@dfmm.org)
Received: (qmail 31905 invoked by uid 1000); 14 May 2005 22:21:04 -0000
Received: from localhost (sendmail-bs@127.0.0.1)
  by localhost with SMTP; 14 May 2005 22:21:04 -0000
Date: Sat, 14 May 2005 15:21:04 -0700 (PDT)
From: Jason Stone <freebsd-security@dfmm.org>
X-X-Sender: jason@treehorn.dfmm.org
To: Joe Schmoe <non_secure@yahoo.com>
In-Reply-To: <20050513155454.63841.qmail@web53302.mail.yahoo.com>
Message-ID: <20050514151248.J99949@treehorn.dfmm.org>
References: <20050513155454.63841.qmail@web53302.mail.yahoo.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
cc: freebsd-security@freebsd.org
Subject: Re: different ways to disable https in apache...
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 14 May 2005 22:21:07 -0000


> My question is, is starting the SSl enabled apache like this, and 
> running it without SSL exactly the same security-wise as running a copy 
> of apache without SSL at all ?

no, it is certainly not exactly the same.  as you note, you will still 
link against the openssl libraries, and even though you won't be directly 
calling functions in them, I can certainly imagine an exploit that could 
take advantage of their availability.

more importantly, mod_ssl modifies the apache module api, since the 
standard api in 1.3 was not powerful enought for ssl to just drop in like 
other modules - so the internal architecture of a mod_ssl/eapi-enabled 
apache will be noticeably different from that of a normal apache, even if 
all ssl functionality is disabled.

bottom line is, even if ssl functionality is turned off, it's still in 
there, and it increases the complexity of the server significantly.  and 
increased complexity almost always means decreased security.  if you're 
not using it, and don't have immediate plans to use it, don't build it.


  -Jason