Re: mod_ssl 2.2.3
modssl is built into the 2.x.x apache versions. Your consultant must be asking you to upgrade full apache versions. The 1.3.x apache tree still has a separate modssl base to add and build off of. This should not be a concern for you since you are running the newer apache tree.

Thanks,

Ron DuFresne

On Tue, 1 Apr 2008, Sir June wrote:

> I have a Solaris box with Apache 2.2.3 and mod_ssl 2.2.3. Our security consultant ran vulnerability software and the report recommended to upgrade to mod_ssl 2.8.24 or higher. Is this possible? As I only see releases for Apache 1.3.x. What are your recommendations?
>
> thanks,
> Sir june

- --
~~
admin senior security consultant: sysinfo.com http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover instead of creating the perfect love. -Tom Robbins, Still Life With Woodpecker

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager [EMAIL PROTECTED]
Re: Restarts fixed (was: Re: mod_ssl 2.2.3 restart bug?)
"Ralf S. Engelschall" [EMAIL PROTECTED] writes: On Wed, Mar 03, 1999, [EMAIL PROTECTED] wrote: [...] Is this the same re-start bug that's been around for a while? Oh wait, I forgot to ask in the last mail: What bug are _YOU_ speaking about? I reads like you know a restart bug which is around for a while which I'm not aware of. Do you have details for me? The DSO core dump bug. I thought this popped up when the server re-started, or was it just the double init round that triggered it? -Tom __ Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/ Official Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: mod_ssl 2.2.3 restart bug?
I, too, get this problem (http fine, no https) after a -HUP as well. My system is Solaris 2.6, compiled with egcs 1.1.1. I've tried with both SSLeay and OpenSSL, and both as a DSO and compiled into Apache. No matter what I do, https connections won't work after a -HUP to httpd (which means anything that uses 'apachectl restart', like log rotation scripts, breaks SSL connections).

Error messages look like:

for OpenSSL:

[02/Mar/1999 00:02:57] [error] Unable to configure server certificate for connection (OpenSSL library error follows)
[02/Mar/1999 00:02:57] [error] OpenSSL: error:140C3023:SSL routines:SSL_use_certificate:passed a null parameter

for SSLeay:

[25/Feb/1999 12:21:41] [error] Unable to configure server certificate for connection (SSLeay library error follows)
[25/Feb/1999 12:21:41] [error] SSLeay: error:140C3023:SSL routines:SSL_use_certificate:reason(35)

b
--
% Baba Z Buehler
% CANIS, Library and Information Sciences, University of Illinois
% PGP Public Key available via WWW public key servers
% WWW: http://www.uiuc.edu/~baba/
Restarts fixed (was: Re: mod_ssl 2.2.3 restart bug?)
On Tue, Mar 02, 1999, Ralf S. Engelschall wrote:

> On Tue, Mar 02, 1999, Sander Steffann wrote:
> > Same problem here on Linux. https is also down after a graceful restart.
> > Sander.
> > > mod_ssl/2.2.3 failed to restart(kill -HUP). After restarting, http is OK, but https is down. OS is Solaris2.6(on SS20).
>
> I'll investigate in a few hours.
> [...]

Ok, I've now found and successfully fixed this problem for mod_ssl 2.2.4. Thanks for the hints. It was my fault because I've forgotten that OpenSSL's d2i_xx functions also change the data pointer (and not only i2d_xxx where I've finally done it correctly). I've to incorporate some experimental EAPI hooks for vendors before I can release 2.2.4 today or tomorrow, so I append you the essential patch below. Apply it to ssl_engine_kernel.c and your server should again survive restarts without problems. The patch is already committed this way for mod_ssl 2.2.4.

Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com

Index: ssl_engine_init.c === RCS file: /e/apache/SSL/REPOS/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_init.c,v retrieving revision 1.50 retrieving revision 1.52 diff -u -r1.50 -r1.52 --- ssl_engine_init.c 1999/02/21 16:40:07 1.50 +++ ssl_engine_init.c 1999/03/03 09:29:24 1.52 @@ -321,6 +321,7 @@ SSL_CTX *ctx; STACK *skCAList; ssl_asn1_t *asn1; +unsigned char *ucp; char *cp; /* @@ -454,7 +455,13 @@ "Init: (%s) Ops, can't find server certificate?!", cpVHostID); ssl_die(); } -sc-px509Certificate = d2i_X509(NULL, (asn1-cpData), asn1-nData); +ucp = asn1-cpData; +if ((sc-px509Certificate = d2i_X509(NULL, ucp, asn1-nData)) == NULL) { +ssl_log(s, SSL_LOG_ERROR, +"Init: (%s) Failed to convert server certificate " +"from DER to internal format?!", cpVHostID); +ssl_die(); +} /* * Configure server private key 
@@ -465,8 +472,14 @@ ssl_log(s, SSL_LOG_ERROR, "Init: (%s) Ops, can't find server private key?!", cpVHostID); ssl_die(); +} +ucp = asn1-cpData; +if ((sc-prsaKey = d2i_RSAPrivateKey(NULL, ucp, asn1-nData)) == NULL) { +ssl_log(s, SSL_LOG_ERROR, +"Init: (%s) Failed to convert server private key " +"from DER to internal format?!", cpVHostID); +ssl_die(); } -sc-prsaKey = d2i_RSAPrivateKey(NULL, (asn1-cpData), asn1-nData); return; } __ Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/ Official Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
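Review bot: In the server-certificate hunk (@@ -454,7 +455,13 @@) the fix is right in intent, copying the cached pointer into the local ucp before decoding so the ssl_asn1_t record is not advanced by the first start, but as archived the call reads `d2i_X509(NULL, ucp, asn1-nData)`: d2i_X509 takes the address of the pointer, so the committed line must pass `&ucp`, and the `&` and `->` characters (also in `sc-px509Certificate` and `asn1-cpData`) appear to have been lost in extraction; anyone applying this by hand should restore them. Also, the patch header names ssl_engine_init.c while the covering message says to apply it to ssl_engine_kernel.c; the header is the one to trust.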
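Review bot: In the private-key hunk (@@ -465,8 +472,14 @@) the added NULL check on d2i_RSAPrivateKey with ssl_log/ssl_die turns the previously silent failure (which surfaced only later as the SSL_use_certificate "passed a null parameter" log lines) into a clear startup error, which is the right place to fail. One refinement: since ucp is advanced by exactly the bytes consumed, checking afterwards that ucp equals the start of the blob plus nData would also catch a cached DER blob with trailing garbage instead of decoding a prefix of it. The single `+unsigned char *ucp;` declaration in the first hunk serves both call sites, so nothing further is needed there.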
Re: mod_ssl 2.2.3 restart bug?
On Tue, Mar 02, 1999, Ilya Obshadko wrote:
[...]
> I use OpenSSL instead of SSLeay (SSLeay can't be compiled on FreeBSD 3.1R).

Oh, SSLeay can be compiled under FreeBSD 3.1, of course. All you need is an adjusted entry in the Configure script because FreeBSD 3.1 uses ELF instead of a.out. Just add the following line after the ``"FreeBSD", ...'' line in SSLeay's Configure script and use ``perl Configure FreeBSD-elf''.

"FreeBSD-elf", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_elf_asm",

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
RE: mod_ssl 2.2.3 restart bug?
> I, too, get this problem (http fine, no https) after a -HUP as well. My system is Solaris 2.6, compiled with egcs 1.1.1. I've tried with both SSLeay and OpenSSL, and both as a DSO and compiled into Apache. No matter what I do, https connections won't work after a -HUP to httpd (which means anything that uses 'apachectl restart', like log rotation scripts, breaks SSL connections).
>
> Error messages look like:
>
> for OpenSSL:
>
> [02/Mar/1999 00:02:57] [error] Unable to configure server certificate for connection (OpenSSL library error follows)
> [02/Mar/1999 00:02:57] [error] OpenSSL: error:140C3023:SSL routines:SSL_use_certificate:passed a null parameter
>
> for SSLeay:
>
> [25/Feb/1999 12:21:41] [error] Unable to configure server certificate for connection (SSLeay library error follows)
> [25/Feb/1999 12:21:41] [error] SSLeay: error:140C3023:SSL routines:SSL_use_certificate:reason(35)

I think this may be a bug in Apache itself, as my set up, Apache/1.3.4 mod_ssl/2.1.7 SSLeay/0.9.0b, hangs whenever I issue an HUP signal.
Re: Restarts fixed (was: Re: mod_ssl 2.2.3 restart bug?)
> > > mod_ssl/2.2.3 failed to restart(kill -HUP). After restarting, http is OK, but https is down. OS is Solaris2.6(on SS20).
> >
> > I'll investigate in a few hours.
>
> Ok, I've now found and successfully fixed this problem for mod_ssl 2.2.4. Thanks for the hints. It was my fault because I've forgotten that OpenSSL's d2i_xx functions also change the data pointer (and not only i2d_xxx where I've finally done it correctly). I've to incorporate some experimental EAPI hooks for vendors before I can release 2.2.4 today or tomorrow, so I append you the essential patch below. Apply it to ssl_engine_kernel.c and your server should again survive restarts without problems. The patch is already committed this way for mod_ssl 2.2.4.

My server survives restarts without problem!! Thank you.
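Ralf's explanation quoted above, that OpenSSL's d2i_* decoders advance the data pointer they are handed, is the whole bug: when the address of the cached DER pointer itself is passed in, the first start moves that pointer to the end of the blob and every restart then decodes from there. The program below is an added example and not mod_ssl's or OpenSSL's code. It uses a hypothetical minimal TLV decoder, d2i_tlv, that follows the same pointer-advancing convention as d2i_X509, borrows the record and field names ssl_asn1_t, cpData and nData from the patch in this thread, and runs the 2.2.3-style and 2.2.4-style initialisation against one cached record across simulated restarts, counting how many starts decode successfully.

```c
#include <stdio.h>
#include <string.h>

/* Cached DER record, named after the mod_ssl struct in the patch above:
 * the bytes are read from disk once (while the pass phrase is known) and
 * reused on every restart. */
typedef struct {
    const unsigned char *cpData;   /* start of the DER blob */
    int nData;                     /* its length in bytes */
} ssl_asn1_t;

/* Decoded object stand-in; a real d2i_X509() would return an X509 *. */
typedef struct {
    unsigned char tag;
    int len;
    const unsigned char *body;
} der_obj_t;

/* Hypothetical d2i-style decoder (not OpenSSL's): decodes one DER TLV with
 * a short-form length and, exactly like OpenSSL's d2i_* functions, advances
 * *pp past the bytes it consumed on success. Returns 1 on success, 0 on
 * malformed input or an unexpected tag. */
static int d2i_tlv(der_obj_t *out, const unsigned char **pp, long length,
                   unsigned char expected_tag)
{
    const unsigned char *p = *pp;
    if (length < 2 || p[0] != expected_tag)
        return 0;
    unsigned char len = p[1];
    if (len & 0x80)                        /* long-form length: not handled */
        return 0;
    if (2L + len > length)                 /* value would run past the buffer */
        return 0;
    out->tag = p[0];
    out->len = len;
    out->body = p + 2;
    *pp = p + 2 + len;                     /* the side effect 2.2.3 overlooked */
    return 1;
}

/* mod_ssl 2.2.3 pattern: the address of the cached pointer itself is passed,
 * so the first start advances the cache to the end of the blob and every
 * later start decodes from there. */
static int init_buggy(ssl_asn1_t *asn1, der_obj_t *out)
{
    return d2i_tlv(out, &asn1->cpData, asn1->nData, 0x02);
}

/* mod_ssl 2.2.4 pattern from the patch: decode through a local copy (ucp),
 * leaving the cached record untouched for the next restart. */
static int init_fixed(ssl_asn1_t *asn1, der_obj_t *out)
{
    const unsigned char *ucp = asn1->cpData;
    return d2i_tlv(out, &ucp, asn1->nData, 0x02);
}

/* Big-endian value of a decoded INTEGER body (small enough for a long here). */
static long decoded_value(const der_obj_t *obj)
{
    long v = 0;
    for (int i = 0; i < obj->len; i++)
        v = (v << 8) | obj->body[i];
    return v;
}

/* Constructed sample: DER INTEGER 65537 (02 03 01 00 01), zero-padded so a
 * mis-positioned decoder reads harmless bytes instead of running off the
 * end of the buffer. nData covers only the real 5 bytes. */
static const unsigned char SAMPLE_DER[16] = { 0x02, 0x03, 0x01, 0x00, 0x01 };

/* Run `starts` server starts (first start plus restarts) against one cached
 * record using the given init routine; return how many decoded correctly. */
static int successful_starts(int (*init)(ssl_asn1_t *, der_obj_t *), int starts)
{
    ssl_asn1_t asn1 = { SAMPLE_DER, 5 };
    int ok = 0;
    for (int i = 0; i < starts; i++) {
        der_obj_t obj;
        if (init(&asn1, &obj) && decoded_value(&obj) == 65537L)
            ok++;
    }
    return ok;
}

int main(void)
{
    printf("2.2.3-style init: %d of 3 starts succeeded\n",
           successful_starts(init_buggy, 3));   /* 1: only the first start */
    printf("2.2.4-style init: %d of 3 starts succeeded\n",
           successful_starts(init_fixed, 3));   /* 3 */
    return 0;
}
```

The buggy variant fails from the second start on because the cached pointer now points at padding whose tag is not the expected one; in real mod_ssl the same misplaced read produced the "Unable to configure server certificate" and SSL_use_certificate errors reported in this thread, since d2i_X509 returned NULL and that NULL was later handed to SSL_use_certificate.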
Re: mod_ssl 2.2.3 restart bug?
On Wed, Mar 03, 1999, Juergen Rensen wrote:

> It doesn't hang with mod_ssl-2.2.3-1.3.4/SSLeay0.9.0b and Apache 1.3.4; SSL connections just don't work anymore after sending the HUP signal, normal http is still OK (on Linux).

Fine, and with my posted patch (or mod_ssl 2.2.4) also the broken HTTPS after a restart is fixed.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Re: mod_ssl 2.2.3 restart bug?
On Wed, Mar 03, 1999, Ilya Obshadko wrote:

> RSE> a.out. Just add the following line after the ``"FreeBSD", ...'' line in
> RSE> SSLeay's Configure script and use ``perl Configure FreeBSD-elf''.
> RSE>
> RSE> "FreeBSD-elf", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_elf_asm",
>
> Thanks for the hint. Which library is better, in your opinion - SSLeay or OpenSSL?

Just kidding, yeah? OpenSSL, of course ;-)

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Re: Restarts fixed (was: Re: mod_ssl 2.2.3 restart bug?)
"Ralf S. Engelschall" [EMAIL PROTECTED] writes: On Tue, Mar 02, 1999, Ralf S. Engelschall wrote: On Tue, Mar 02, 1999, Sander Steffann wrote: Same problem here on Linux. https is also down after a graceful restart. Sander. mod_ssl/2.2.3 failed to restart(kill -HUP). After restarting, http is OK, but https is down. OS is Solaris2.6(on SS20). I'll investigate in a few hours. [...] Ok, I've now found and successfully fixed this problem for mod_ssl 2.2.4. Is this the same re-start bug that's been around for a while? At what point was this bug introduced? As of the very first EAPI based mod_ssl? Would it be possible to get a synopsis of what needs to be done to get rid of this bug? I have mod_ssl 2.1.3 that I have all hacked up, and would prefer to simply patch it, as opposed to upgrade to the latest, and re-hack it all up. It would be a real pain, for me, to have to always upgrade to the latest mod_ssl to get a bug fix especially when I do not need any new features. Much Thanks, Tom __ Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/ Official Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Restarts fixed (was: Re: mod_ssl 2.2.3 restart bug?)
On Wed, Mar 03, 1999, [EMAIL PROTECTED] wrote:
[...]
> Is this the same re-start bug that's been around for a while?

Oh wait, I forgot to ask in the last mail: What bug are _YOU_ speaking about? It reads like you know a restart bug which is around for a while which I'm not aware of. Do you have details for me?

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Re: mod_ssl 2.2.3 restart bug?
Same problem here on Linux. https is also down after a graceful restart.

Sander.

-----Original Message-----
From: Toru Takinaka [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: dinsdag 2 maart 1999 8:02
Subject: mod_ssl 2.2.3 restart bug?

> mod_ssl/2.2.3 failed to restart(kill -HUP). After restarting, http is OK, but https is down. OS is Solaris2.6(on SS20).
Re: mod_ssl 2.2.3 restart bug?
Hi Ralf,

The log shows:

httpd: [Tue Mar 2 10:52:12 1999] [error] mod_ssl: Unable to configure server certificate for connection (SSLeay library error follows)
httpd: [Tue Mar 2 10:52:12 1999] [error] SSLeay: error:140C3023:SSL routines:SSL_use_certificate:reason(35)

Hope this helps,
Sander.

-----Original Message-----
From: Ralf S. Engelschall [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: dinsdag 2 maart 1999 11:14
Subject: Re: mod_ssl 2.2.3 restart bug?

> On Tue, Mar 02, 1999, Sander Steffann wrote:
> > Same problem here on Linux. https is also down after a graceful restart.
> > Sander.
> > > mod_ssl/2.2.3 failed to restart(kill -HUP). After restarting, http is OK, but https is down. OS is Solaris2.6(on SS20).
>
> I'll investigate in a few hours. Currently I'm still totally busy with some system installations... BTW, are there any errors in the error log (cannot open logfile, etc.)?
>
> Ralf S. Engelschall
> [EMAIL PROTECTED]
> www.engelschall.com
Re: mod_ssl 2.2.3 restart bug?
> > mod_ssl/2.2.3 failed to restart(kill -HUP). After restarting, http is OK, but https is down. OS is Solaris2.6(on SS20).
>
> I'll investigate in a few hours. Currently I'm still totally busy with some system installations... BTW, are there any errors in the error log (cannot open logfile, etc.)?

There are no other errors in the error log.
Re: mod_ssl 2.2.3 restart bug?
> > mod_ssl/2.2.3 failed to restart(kill -HUP).
>
> There are no other errors in the error log.

Restart doesn't work. But stop and startssl work (with entering pass phrase).