From: Nick Barnes
To: Brian Sneddon
Cc: stable@FreeBSD.ORG
Subject: Re: OpenSSL in apache-modssl package
Date: Thu, 01 Aug 2002 13:57:00 +0100

At 2002-08-01 12:47:45+0000, Brian Sneddon writes:
> Have you tried:
>
> ldd /usr/local/sbin/httpd (or wherever yours is installed)
>
> This should show you whether it's linked dynamically and if so to which
> specific library.

Yes, I thought of that. But of course the modules (e.g. mod_ssl) are
loaded with dlopen(). By running "ktrace /usr/local/sbin/httpd -DSSL",
I can see that it maps /usr/lib/libssl.so.2. That's strong enough
evidence for me, and I'm guessing that /usr/local/libexec/apache/libssl.so
is something other than OpenSSL.

Nick B

> Brian
>
> On Thu, 1 Aug 2002, Nick Barnes wrote:
>
> > I have a machine running 4.6-RELEASE-p2.
> > I'm upgrading to 4.6-RELENG because of the recent flurry of advisories.
> >
> > Among other services, I'm running Apache with mod_ssl, installed as a
> > package:
> >
> > apache+mod_ssl-1.3.26+2.8.10
> > apache-1.3.26_3
> >
> > I'm concerned about this in the light of the recent OpenSSL advisory.
> > Can anyone advise me on securing this installation? I have my own
> > musings on the subject, below, but I would like to get a consensus
> > answer.
> >
> > There doesn't seem to be a more recent mod_ssl package available.
> >
> > The mod_ssl site says that the current release is 2.8.10 for Apache
> > 1.3.26, which is what I have.
> >
> > The files in /usr/ports/www/apache13-modssl haven't changed for a while.
> >
> > The OpenSSL site says that I need OpenSSL 0.9.6e.
> >
> > I don't know how to tell whether mod_ssl includes its own copy of
> > OpenSSL or links with the system OpenSSL library, and (if the latter)
> > whether it does so statically or dynamically. If it links dynamically
> > with the system OpenSSL (/usr/lib/libssl.so.2), then the upgrade to
> > 4.6-RELENG will secure it. However, the package includes
> > /usr/local/libexec/apache/libssl.so, which looks to me as if it is,
> > exactly, OpenSSL (0.9.6a, apparently, based on the output of
> > "strings"). So maybe mod_ssl is dynamically linking with this version
> > of OpenSSL. If so, can I simply replace this file with a copy of
> > /usr/lib/libssl.so, after the upgrade?
> >
> > The OpenSSL advisory says that I can work around the vulnerabilities
> > on a server by turning off version 2 of the SSL protocol. Can I do
> > that simply by changing the SSLCipherSuite line in httpd.conf? If so,
> > will the reduced server capability adversely affect security?
> >
> > Nick B
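A defender-side check for the question raised in this thread, added here as an example and not taken from the thread or from the FreeBSD ports: dlopen()-loaded modules still carry DT_NEEDED entries, so running ldd on the module file itself (rather than on httpd) shows which libssl it resolves, and a strings banner reveals an embedded OpenSSL copy. The function names, directory layout and sample command output are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): find out which OpenSSL a
# dlopen()-loaded Apache module actually uses. Sample data is constructed.

# Print "<soname> <resolved path>" for each libssl/libcrypto entry in
# ldd(1)-style output ("libssl.so.2 => /usr/lib/libssl.so.2 (0x...)")
# read from stdin. No output means the module has no dynamic OpenSSL
# dependency, which points at a statically bundled copy or none at all.
ssl_deps_from_ldd() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" { print $1, $3 }'
}

# Extract the version from an OpenSSL banner line ("OpenSSL 0.9.6a 5 Apr
# 2001") in strings(1) output read from stdin; prints "unknown" if absent.
# A banner inside the module itself, alongside a resolved system libssl,
# is the sign that two OpenSSL copies are in play.
openssl_version_from_strings() {
    awk '/^OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]* / { print $2; found = 1; exit }
         END { if (!found) print "unknown" }'
}

# Audit every .so in a module directory with the two helpers above.
# Usage: audit_modules /usr/local/libexec/apache
audit_modules() {
    dir=$1
    for so in "$dir"/*.so; do
        [ -f "$so" ] || continue
        echo "== $so"
        ldd "$so" 2>/dev/null | ssl_deps_from_ldd
        echo "embedded OpenSSL version: $(strings "$so" | openssl_version_from_strings)"
    done
}

# Constructed sample output standing in for real ldd/strings runs.
SAMPLE_LDD='/usr/local/libexec/apache/libssl.so:
        libssl.so.2 => /usr/lib/libssl.so.2 (0x2815d000)
        libcrypto.so.2 => /usr/lib/libcrypto.so.2 (0x28189000)
        libc.so.4 => /usr/lib/libc.so.4 (0x28240000)'
SAMPLE_STRINGS='mod_ssl/2.8.10
OpenSSL 0.9.6a 5 Apr 2001
SSLv2 part of OpenSSL 0.9.6a 5 Apr 2001'
```

If a module both resolves /usr/lib/libssl.so.2 and carries its own banner, patching the base system alone is not enough; the module package needs rebuilding too.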