From: Nick Barnes <nb@ravenbrook.com>
To: stable@freebsd.org
Subject: OpenSSL in apache-modssl package
Date: Thu, 01 Aug 2002 12:25:09 +0100
Message-ID: <37479.1028201109@thrush.ravenbrook.com>

I have a machine running 4.6-RELEASE-p2. I'm upgrading to 4.6-RELENG because of the recent flurry of advisories. Among other services, I'm running Apache with mod_ssl, installed as a package:

    apache+mod_ssl-1.3.26+2.8.10
    apache-1.3.26_3

I'm concerned about this in the light of the recent OpenSSL advisory. Can anyone advise me on securing this installation? I have my own musings on the subject, below, but I would like to get a consensus answer.

There doesn't seem to be a more recent mod_ssl package available. The mod_ssl site says that the current release is 2.8.10 for Apache 1.3.26, which is what I have. The files in /usr/ports/www/apache13-modssl haven't changed for a while. The OpenSSL site says that I need OpenSSL 0.9.6e.
I don't know how to tell whether mod_ssl includes its own copy of OpenSSL or links with the system OpenSSL library, and (if the latter) whether it does so statically or dynamically. If it links dynamically with the system OpenSSL (/usr/lib/libssl.so.2), then the upgrade to 4.6-RELENG will secure it. However, the package includes /usr/local/libexec/apache/libssl.so, which looks to me as if it is, exactly, OpenSSL (0.9.6a, apparently, based on the output of "strings"). So maybe mod_ssl is dynamically linking with this version of OpenSSL. If so, can I simply replace this file with a copy of /usr/lib/libssl.so, after the upgrade?

The OpenSSL advisory says that I can work around the vulnerabilities on a server by turning off version 2 of the SSL protocol. Can I do that simply by changing the SSLCipherSuite line in httpd.conf? If so, will the reduced server capability adversely affect security?

Nick B
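The three questions in the post (which OpenSSL version a binary carries, whether a module links OpenSSL dynamically or carries its own copy, and whether httpd.conf actually turns SSLv2 off) can each be answered with a small check. The script below is an added example, not code from the original post or from the FreeBSD, Apache or mod_ssl projects. It assumes a POSIX sh with a grep that supports -a and -o (GNU and BSD grep both do), ldd(1) for the linkage check, and the mod_ssl SSLProtocol and SSLCipherSuite directives; the function names, the temporary files and the sample httpd.conf lines are constructed for the demo and are not taken from any real installation.

```shell
#!/bin/sh
# Added example (not from the original post or the FreeBSD/mod_ssl projects).
# Three defender-side checks for an Apache+mod_ssl install of the kind above.
# Assumptions: POSIX sh; grep supports -a and -o; ldd(1) exists for the
# linkage check; httpd.conf uses mod_ssl's SSLProtocol / SSLCipherSuite.

# 1. List the OpenSSL version strings embedded in a file, e.g. the bundled
#    /usr/local/libexec/apache/libssl.so mentioned in the post. grep -a stands
#    in for strings(1) so no binutils is needed. One version per line.
openssl_versions_in() {
    grep -a -o 'OpenSSL [0-9][0-9a-z.]*' "$1" | sed 's/^OpenSSL //' | sort -u
}

# 2. Say whether a module or executable resolves OpenSSL at run time (an ldd
#    line naming libssl/libcrypto; its path shows which copy is used) or has
#    it statically linked or bundled (no such line). Informational only.
openssl_linkage() {
    deps=$(ldd "$1" 2>/dev/null | grep -i -e libssl -e libcrypto)
    if [ -n "$deps" ]; then
        printf '%s: dynamically linked OpenSSL:\n%s\n' "$1" "$deps"
    else
        printf '%s: no libssl/libcrypto dependency (static or bundled)\n' "$1"
    fi
}

# 3. Exit 0 if the last uncommented SSLProtocol line excludes SSLv2, or the
#    last SSLCipherSuite line rejects it with "!SSLv2"; exit 1 if SSLv2 is
#    still enabled. Later directives override earlier ones, so only the last
#    occurrence of each is examined.
sslv2_disabled_in_conf() {
    proto=$(grep -i '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | tail -n 1)
    if [ -n "$proto" ]; then
        case "$proto" in
            *-[Ss][Ss][Ll][Vv]2*)                return 0 ;;  # explicit "-SSLv2"
            *[Aa][Ll][Ll]*|*+[Ss][Ss][Ll][Vv]2*) : ;;         # "all"/"+SSLv2": still on
            *[Ss][Ss][Ll][Vv]2*)                 : ;;         # bare "SSLv2" listed
            *)                                   return 0 ;;  # list without SSLv2
        esac
    fi
    ciph=$(grep -i '^[[:space:]]*SSLCipherSuite[[:space:]]' "$1" | tail -n 1)
    case "$ciph" in
        *'!'[Ss][Ss][Ll][Vv]2*) return 0 ;;
    esac
    return 1
}

# Demo on constructed input: a fake "library" blob and two fake httpd.conf files.
demo() {
    dir=$(mktemp -d) || return 1
    # Constructed blob with an embedded version string, like "strings" output.
    printf 'junk\000OpenSSL 0.9.6a 5 Apr 2001\000more junk\000' > "$dir/libssl.so"
    echo "versions in $dir/libssl.so: $(openssl_versions_in "$dir/libssl.so")"

    # Constructed: a cipher string with +SSLv2 and "SSLProtocol all" leaves SSLv2 on ...
    printf 'SSLProtocol all\nSSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP\n' > "$dir/weak.conf"
    # ... while either "-SSLv2" on SSLProtocol or "!SSLv2" in the cipher string turns it off.
    printf 'SSLProtocol all -SSLv2\nSSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!SSLv2:!EXP\n' > "$dir/fixed.conf"
    for f in weak.conf fixed.conf; do
        if sslv2_disabled_in_conf "$dir/$f"; then
            echo "$f: SSLv2 disabled"
        else
            echo "$f: SSLv2 STILL ENABLED"
        fi
    done
    rm -rf "$dir"
}

demo
```

To apply the checks to a real install, call `openssl_versions_in` and `openssl_linkage` on the module path in question and `sslv2_disabled_in_conf` on the live httpd.conf; the cipher-string check only covers the "!SSLv2" workaround named in the advisory, so a configuration that relies on some other way of excluding SSLv2 ciphers will be reported as still enabled and should be reviewed by hand.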