Date:      Thu, 01 Aug 2002 13:57:00 +0100
From:      Nick Barnes <Nick.Barnes@pobox.com>
To:        Brian Sneddon <annorax@cereal.rutgers.edu>
Cc:        stable@FreeBSD.ORG
Subject:   Re: OpenSSL in apache-modssl package 
Message-ID:  <37848.1028206620@thrush.ravenbrook.com>
In-Reply-To: Message from Brian Sneddon <annorax@cereal.rutgers.edu>  of "Thu, 01 Aug 2002 08:47:45 EDT." <Pine.GSO.4.21.0208010844280.28444-100000@cereal.rutgers.edu> 

At 2002-08-01 12:47:45+0000, Brian Sneddon writes:
> Have you tried:
> 
> ldd /usr/local/sbin/httpd  (or wherever yours is installed)
> 
> This should show you whether it's linked dynamically and if so to which
> specific library.

Yes, I thought of that.  But of course the modules (e.g. mod_ssl) are
loaded with dlopen().

By running "ktrace /usr/local/sbin/httpd -DSSL", I can see that it
maps /usr/lib/libssl.so.2.  That's strong enough evidence for me, and
I'm guessing that /usr/local/libexec/apache/libssl.so is something
other than OpenSSL.

Nick B


> 
> 
> Brian
> 
> 
> On Thu, 1 Aug 2002, Nick Barnes wrote:
> 
> > I have a machine running 4.6-RELEASE-p2.  I'm upgrading to 4.6-RELENG
> > because of the recent flurry of advisories.
> > 
> > Among other services, I'm running Apache with mod_ssl, installed as a
> > package:
> > 
> >   apache+mod_ssl-1.3.26+2.8.10
> >   apache-1.3.26_3
> > 
> > I'm concerned about this in the light of the recent OpenSSL advisory.
> > Can anyone advise me on securing this installation?  I have my own
> > musings on the subject, below, but I would like to get a consensus
> > answer.
> > 
> > There doesn't seem to be a more recent mod_ssl package available.
> > 
> > The mod_ssl site says that the current release is 2.8.10 for Apache
> > 1.3.26, which is what I have.
> > 
> > The files in /usr/ports/www/apache13-modssl haven't changed for a while.
> > 
> > The OpenSSL site says that I need OpenSSL 0.9.6e.
> > 
> > I don't know how to tell whether mod_ssl includes its own copy of
> > OpenSSL or links with the system OpenSSL library, and (if the latter)
> > whether it does so statically or dynamically.  If it links dynamically
> > with the system OpenSSL (/usr/lib/libssl.so.2), then the upgrade to
> > 4.6-RELENG will secure it.  However, the package includes
> > /usr/local/libexec/apache/libssl.so, which looks to me as if it is,
> > exactly, OpenSSL (0.9.6a, apparently, based on the output of
> > "strings").  So maybe mod_ssl is dynamically linking with this version
> > of OpenSSL.  If so, can I simply replace this file with a copy of
> > /usr/lib/libssl.so, after the upgrade?
> > 
> > The OpenSSL advisory says that I can work around the vulnerabilities
> > on a server by turning off version 2 of the SSL protocol.  Can I do
> > that simply by changing the SSLCipherSuite line in httpd.conf?  If so,
> > will the reduced server capability adversely affect security?
> > 
> > Nick B
> > 
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-stable" in the body of the message
> > 
> 
> 
> 
> 

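The thread's practical question is how to tell which OpenSSL a mod_ssl installation actually uses when `ldd` on httpd cannot see modules that are only loaded through dlopen() (the poster answered it with ktrace). The script below is an added example, not code from the thread or from the FreeBSD or Apache projects: it runs `ldd` on httpd and on every module file in the libexec directory, classifies each libssl/libcrypto dependency it finds, and extracts the embedded "OpenSSL x.y.z" version string the way the thread did with strings(1). The paths in the usage comment are the ones quoted in the thread; the `lib => /path (0xaddr)` / `lib => not found` output shape is assumed from FreeBSD and glibc ldd.

```shell
#!/bin/sh
# Added example (not from the original thread): inspect how an Apache binary
# and its dlopen()'d modules resolve OpenSSL. `ldd httpd` alone misses modules
# loaded at run time, so each module file is inspected as well.
# Assumes ldd(1) lines of the form "lib => /path (0xaddr)" or "lib => not found".

# Read ldd output on stdin; print "<lib> <path>" for every libssl/libcrypto
# dependency ("<lib> NOT-FOUND" if unresolved), or "no-shared-openssl" when
# there is none, which means either a static link or no OpenSSL use at all.
classify_ssl_linkage() {
    awk '
        $1 ~ /^lib(ssl|crypto)\.so/ {
            found = 1
            if ($3 == "not") path = "NOT-FOUND"; else path = $3
            print $1, path
        }
        END { if (!found) print "no-shared-openssl" }
    '
}

# Print the first "OpenSSL x.y.z" version string embedded in a file, as the
# thread did with strings(1); falls back to tr(1) when strings is not installed.
embedded_openssl_version() {
    f=$1
    pattern='OpenSSL [0-9][0-9A-Za-z.]*'
    if command -v strings >/dev/null 2>&1; then
        v=$(strings -a "$f" | grep -o "$pattern" | sort -u | head -n 1)
    else
        # Replace every non-printable byte with a newline, then search as above.
        v=$(LC_ALL=C tr -c '[:print:]\n' '[\n*]' < "$f" | grep -o "$pattern" | sort -u | head -n 1)
    fi
    printf '%s\n' "${v:-none}"
}

# Report on httpd and on every *.so under the module directory.
# Usage (paths from the thread; adjust for your install):
#   openssl_linkage_report /usr/local/sbin/httpd /usr/local/libexec/apache
openssl_linkage_report() {
    httpd=$1
    moddir=$2
    for f in "$httpd" "$moddir"/*.so; do
        [ -f "$f" ] || continue
        printf '== %s (embedded: %s)\n' "$f" "$(embedded_openssl_version "$f")"
        ldd "$f" 2>/dev/null | classify_ssl_linkage | sed 's/^/   /'
    done
}
```

A module that reports `no-shared-openssl` but carries an embedded version string is the case the thread worried about: OpenSSL compiled into the module itself, which a system library upgrade does not fix. A module that resolves to `/usr/lib/libssl.so.2` is covered by upgrading the base system.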




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?37848.1028206620>