Date: Thu, 1 Aug 2002 08:47:45 -0400 (EDT)
From: Brian Sneddon <annorax@cereal.rutgers.edu>
To: stable@FreeBSD.ORG
Subject: Re: OpenSSL in apache-modssl package
Message-ID: <Pine.GSO.4.21.0208010844280.28444-100000@cereal.rutgers.edu>
In-Reply-To: <37479.1028201109@thrush.ravenbrook.com>
Have you tried:

    ldd /usr/local/sbin/httpd

(or wherever yours is installed)

This should show you whether it's linked dynamically and if so to which
specific library.

Brian

On Thu, 1 Aug 2002, Nick Barnes wrote:

> I have a machine running 4.6-RELEASE-p2. I'm upgrading to 4.6-RELENG
> because of the recent flurry of advisories.
>
> Among other services, I'm running Apache with mod_ssl, installed as a
> package:
>
> apache+mod_ssl-1.3.26+2.8.10
> apache-1.3.26_3
>
> I'm concerned about this in the light of the recent OpenSSL advisory.
> Can anyone advise me on securing this installation? I have my own
> musings on the subject, below, but I would like to get a consensus
> answer.
>
> There doesn't seem to be a more recent mod_ssl package available.
>
> The mod_ssl site says that the current release is 2.8.10 for Apache
> 1.3.26, which is what I have.
>
> The files in /usr/ports/www/apache13-modssl haven't changed for a while.
>
> The OpenSSL site says that I need OpenSSL 0.9.6e.
>
> I don't know how to tell whether mod_ssl includes its own copy of
> OpenSSL or links with the system OpenSSL library, and (if the latter)
> whether it does so statically or dynamically. If it links dynamically
> with the system OpenSSL (/usr/lib/libssl.so.2), then the upgrade to
> 4.6-RELENG will secure it. However, the package includes
> /usr/local/libexec/apache/libssl.so, which looks to me as if it is,
> exactly, OpenSSL (0.9.6a, apparently, based on the output of
> "strings"). So maybe mod_ssl is dynamically linking with this version
> of OpenSSL. If so, can I simply replace this file with a copy of
> /usr/lib/libssl.so, after the upgrade?
>
> The OpenSSL advisory says that I can work around the vulnerabilities
> on a server by turning off version 2 of the SSL protocol. Can I do
> that simply by changing the SSLCipherSuite line in httpd.conf? If so,
> will the reduced server capability adversely affect security?
>
> Nick B
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message
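Brian's `ldd` suggestion and Nick's `strings` check, put together as a small POSIX sh script. This is an added example, not code from either poster: it parses ldd output to tell whether a binary resolves libssl/libcrypto from the base system under /usr/lib or from somewhere else, reads the OpenSSL version banner out of a file, and checks an httpd.conf for mod_ssl's `SSLProtocol ... -SSLv2`. The paths /usr/local/sbin/httpd and /usr/local/libexec/apache/libssl.so are the ones named in the thread; the ldd output, the fake library file and the config fragment below are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data is constructed; the
# real-host commands are shown in comments at the bottom.

# Keep only the SSL/crypto libraries from ldd output read on stdin.
# ldd lines look like "  libssl.so.2 => /usr/lib/libssl.so.2 (0x28100000)".
ssl_libs_from_ldd() {
    awk '/lib(ssl|crypto)\.so/ { print $1 " => " $3 }'
}

# Classify a binary from its ldd output ($1):
#   static-or-none  : no libssl/libcrypto resolved at run time
#   dynamic-base    : resolves to the base-system copy under /usr/lib,
#                     so upgrading the base system's OpenSSL covers it
#   dynamic-nonbase : resolves to some other copy that must be upgraded
#                     on its own (a port, or a library shipped with the package)
classify_ssl_linkage() {
    libs=$(printf '%s\n' "$1" | ssl_libs_from_ldd)
    if [ -z "$libs" ]; then
        echo "static-or-none"
    elif printf '%s\n' "$libs" | grep -q ' => /usr/lib/'; then
        echo "dynamic-base"
    else
        echo "dynamic-nonbase"
    fi
}

# Print the OpenSSL version banner embedded in a file ($1), or "unknown".
# grep -a scans the file as text, which is what `strings file | grep` does.
openssl_version_in() {
    v=$(grep -ao 'OpenSSL [0-9][0-9A-Za-z.]*' "$1" 2>/dev/null | head -n 1)
    if [ -n "$v" ]; then echo "$v"; else echo "unknown"; fi
}

# Report whether httpd.conf text ($1) turns SSLv2 off through mod_ssl's
# SSLProtocol directive, e.g. "SSLProtocol all -SSLv2".
sslv2_in_conf() {
    if printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*SSLProtocol[[:space:]].*-SSLv2'; then
        echo "disabled"
    else
        echo "enabled"
    fi
}

# --- constructed sample data so the script runs without a real httpd ---
LDD_BASE='    libssl.so.2 => /usr/lib/libssl.so.2 (0x28100000)
    libcrypto.so.2 => /usr/lib/libcrypto.so.2 (0x28130000)
    libc.so.4 => /usr/lib/libc.so.4 (0x28200000)'
LDD_NONBASE='    libssl.so => /usr/local/libexec/apache/libssl.so (0x28100000)
    libc.so.4 => /usr/lib/libc.so.4 (0x28200000)'
SAMPLE_LIB=$(mktemp "${TMPDIR:-/tmp}/ossl.XXXXXX") || exit 1
trap 'rm -f "$SAMPLE_LIB"' EXIT
# A fake shared object carrying the kind of banner strings(1) would show.
printf 'junk\0OpenSSL 0.9.6a 5 Apr 2001\0more' > "$SAMPLE_LIB"
CONF_OFF='SSLEngine on
SSLProtocol all -SSLv2'

echo "base-linked httpd:     $(classify_ssl_linkage "$LDD_BASE")"
echo "module-linked httpd:   $(classify_ssl_linkage "$LDD_NONBASE")"
echo "version in sample lib: $(openssl_version_in "$SAMPLE_LIB")"
echo "SSLv2 in sample conf:  $(sslv2_in_conf "$CONF_OFF")"

# On a real FreeBSD host, feed the functions the actual files instead:
#   classify_ssl_linkage "$(ldd /usr/local/sbin/httpd)"
#   openssl_version_in /usr/local/libexec/apache/libssl.so
#   sslv2_in_conf "$(cat /usr/local/etc/apache/httpd.conf)"
```

If `classify_ssl_linkage` reports `dynamic-base`, the base-system OpenSSL upgrade is what fixes httpd; if it reports `static-or-none`, run `openssl_version_in` against the httpd binary itself, since a statically linked copy carries its own banner and is not touched by a library upgrade. The `SSLProtocol` directive is mod_ssl's direct control over which protocol versions are offered; `SSLCipherSuite` selects cipher suites, which is a less direct way to reach the same end.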