From owner-freebsd-stable Thu Aug 1 5:50:13 2002 Delivered-To: freebsd-stable@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A53ED37B4A2 for ; Thu, 1 Aug 2002 05:48:59 -0700 (PDT) Received: from cereal.rutgers.edu (cereal.rutgers.edu [165.230.140.67]) by mx1.FreeBSD.org (Postfix) with ESMTP id A304A4404E for ; Thu, 1 Aug 2002 05:47:49 -0700 (PDT) (envelope-from annorax@cereal.rutgers.edu) Received: from localhost (annorax@localhost) by cereal.rutgers.edu (8.10.2+Sun/8.10.2) with ESMTP id g71Clm728838 for ; Thu, 1 Aug 2002 08:47:48 -0400 (EDT) Date: Thu, 1 Aug 2002 08:47:45 -0400 (EDT) From: Brian Sneddon To: stable@FreeBSD.ORG Subject: Re: OpenSSL in apache-modssl package In-Reply-To: <37479.1028201109@thrush.ravenbrook.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-stable@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Have you tried: ldd /usr/local/sbin/httpd (or whereever yours is installed) This should show you whether it's linked dynamically and if so to which specific library. Brian On Thu, 1 Aug 2002, Nick Barnes wrote: > I have a machine running 4.6-RELEASE-p2. I'm upgrading to 4.6-RELENG > because of the recent flurry of advisories. > > Among other services, I'm running Apache with mod_ssl, installed as a > package: > > apache+mod_ssl-1.3.26+2.8.10 > apache-1.3.26_3 > > I'm concerned about this in the light of the recent OpenSSL advisory. > Can anyone advise me on securing this installation? I have my own > musings on the subject, below, but I would like to get a consensus > answer. > > There doesn't seem to be a more recent mod_ssl package available. > > The mod_ssl site says that the current release is 2.8.10 for Apache > 1.3.26, which is what I have. > > The files in /usr/ports/www/apache13-modssl haven't changed for a while. > > The OpenSSL site says that I need OpenSSL 0.9.6e. > > I don't know how to tell whether mod_ssl includes its own copy of > OpenSSL or links with the system OpenSSL library, and (if the latter) > whether it does so statically or dynamically. If it links dynamically > with the system OpenSSL (/usr/lib/libssl.so.2), then the upgrade to > 4.6-RELENG will secure it. However, the package includes > /usr/local/libexec/apache/libssl.so, which looks to me as if it is, > exactly, OpenSSL (0.9.6a, apparently, based on the output of > "strings"). So maybe mod_ssl is dynamically linking with this version > of OpenSSL. If so, can I simply replace this file with a copy of > /usr/lib/libssl.so, after the upgrade? > > The OpenSSL advisory says that I can work around the vulnerabilities > on a server by turning off version 2 of the SSL protocol. Can I do > that simply by changing the SSLCipherSuite line in httpd.conf? If so, > will the reduced server capability adversely affect security? > > Nick B > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-stable" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message