Date: Thu, 01 Aug 2002 12:25:09 +0100
From: Nick Barnes <Nick.Barnes@pobox.com>
To: stable@freebsd.org
Subject: OpenSSL in apache-modssl package
Message-ID: <37479.1028201109@thrush.ravenbrook.com>

I have a machine running 4.6-RELEASE-p2. I'm upgrading to 4.6-RELENG
because of the recent flurry of advisories. Among other services, I'm
running Apache with mod_ssl, installed as a package:

    apache+mod_ssl-1.3.26+2.8.10
    apache-1.3.26_3

I'm concerned about this in the light of the recent OpenSSL advisory.
Can anyone advise me on securing this installation? I have my own
musings on the subject, below, but I would like to get a consensus
answer.

There doesn't seem to be a more recent mod_ssl package available. The
mod_ssl site says that the current release is 2.8.10 for Apache 1.3.26,
which is what I have. The files in /usr/ports/www/apache13-modssl
haven't changed for a while. The OpenSSL site says that I need OpenSSL
0.9.6e.

I don't know how to tell whether mod_ssl includes its own copy of
OpenSSL or links with the system OpenSSL library, and (if the latter)
whether it does so statically or dynamically. If it links dynamically
with the system OpenSSL (/usr/lib/libssl.so.2), then the upgrade to
4.6-RELENG will secure it.

However, the package includes /usr/local/libexec/apache/libssl.so,
which looks to me as if it is, exactly, OpenSSL (0.9.6a, apparently,
based on the output of "strings"). So maybe mod_ssl is dynamically
linking with this version of OpenSSL. If so, can I simply replace this
file with a copy of /usr/lib/libssl.so, after the upgrade?

The OpenSSL advisory says that I can work around the vulnerabilities on
a server by turning off version 2 of the SSL protocol. Can I do that
simply by changing the SSLCipherSuite line in httpd.conf? If so, will
the reduced server capability adversely affect security?

Nick B
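
The linkage question in the message above can be checked mechanically. The script below is an added example, not part of the original e-mail or of mod_ssl; its function names are hypothetical. It treats a version string in the module as evidence of the build-time OpenSSL only, and uses the loader's view (`ldd`) to decide which code actually runs.

```shell
#!/bin/sh
# Added example: where does an Apache SSL module get its OpenSSL code?

# Print each distinct "OpenSSL <version>" string embedded in file $1
# (a stand-in for `strings file | grep OpenSSL`, using only POSIX tools).
embedded_openssl_versions() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" |
        LC_ALL=C sed -n 's/.*\(OpenSSL [0-9][0-9.]*[0-9][a-z]*\).*/\1/p' |
        sort -u
}

# Read `ldd` output on stdin; print "name path" for libssl/libcrypto only.
openssl_deps() {
    awk '$2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ { print $1, $3 }'
}

# $1 = module path, $2 = captured `ldd` output for it. Prints one word:
#   dynamic  - the loader resolves libssl/libcrypto, so patching that
#              library changes the code the module runs; a version string
#              in the module then only names the build-time headers
#   embedded - no such dependency but version strings are present, so the
#              OpenSSL code is probably linked into the module itself
#   none     - neither was found
linkage_verdict() {
    if [ -n "$(printf '%s\n' "$2" | openssl_deps)" ]; then
        echo dynamic
    elif [ -n "$(embedded_openssl_versions "$1")" ]; then
        echo embedded
    else
        echo none
    fi
}

# Usage: sh check.sh /usr/local/libexec/apache/libssl.so
if [ $# -gt 0 ]; then
    out=$(ldd "$1" 2>/dev/null)
    echo "verdict: $(linkage_verdict "$1" "$out")"
    echo "version strings:"; embedded_openssl_versions "$1"
    echo "resolved OpenSSL libraries:"; printf '%s\n' "$out" | openssl_deps
fi
```

An `embedded` verdict means a base-system upgrade alone does not change the OpenSSL code inside the module; the module has to be rebuilt against the fixed library.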