Date: Sat, 14 May 2005 15:21:04 -0700 (PDT)
From: Jason Stone <freebsd-security@dfmm.org>
To: Joe Schmoe <non_secure@yahoo.com>
Cc: freebsd-security@freebsd.org
Subject: Re: different ways to disable https in apache...
Message-ID: <20050514151248.J99949@treehorn.dfmm.org>
In-Reply-To: <20050513155454.63841.qmail@web53302.mail.yahoo.com>
References: <20050513155454.63841.qmail@web53302.mail.yahoo.com>
> My question is, is starting the SSL enabled apache like this, and
> running it without SSL exactly the same security-wise as running a copy
> of apache without SSL at all ?

no, it is certainly not exactly the same. as you note, you will still link against the openssl libraries, and even though you won't be directly calling functions in them, I can certainly imagine an exploit that could take advantage of their availability.

more importantly, mod_ssl modifies the apache module api, since the standard api in 1.3 was not powerful enough for ssl to just drop in like other modules - so the internal architecture of a mod_ssl/eapi-enabled apache will be noticeably different from that of a normal apache, even if all ssl functionality is disabled.

bottom line is, even if ssl functionality is turned off, it's still in there, and it increases the complexity of the server significantly. and increased complexity almost always means decreased security. if you're not using it, and don't have immediate plans to use it, don't build it.

-Jason
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050514151248.J99949>