DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23956>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23956

mod_ssl should report actual OpenSSL version

           Summary: mod_ssl should report actual OpenSSL version
           Product: Apache httpd-2.0
           Version: 2.0.47
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: mod_ssl
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]


mod_ssl (both 1.3.x and 2.x) currently uses the SSL_LIBRARY_TEXT define instead of the SSLeay_version() function to determine the version number of OpenSSL which it is using.

This is bad because here the mod_ssl binary is carrying the OpenSSL version number instead of querying the version of OpenSSL it's using.  This can lead to confusion (especially security related), if for example an administrator patches OpenSSL to be 3.4.d instead of 3.4.a, to work around known mod_ssl related vulnerabilities in OpenSSL.

Even though the system has been properly patched, it will still report the old (mod_ssl compiled in) version number to scanning software etc.

Our customers complained, and we have fixed the following in our version of Apache... however I feel this change would make sense up-stream as well.

I've attached a diff against 1.3.28:

The 2.1.x diff is nearly identical, only different line numbers.  Simply replace the one instance of "SSL_LIBRARY_TEXT" in ssl_engine_vars.c with "SSLeay_version(SSLEAY_VERSION)".

Thanks for your time.

RCS file: /cvs/root/apache_mod_ssl/mod_ssl/pkg.sslmod/ssl_engine_vars.c,v
retrieving revision 1.1.1.8
diff -u -r1.1.1.8 ssl_engine_vars.c
--- ssl_engine_vars.c   2003/07/25 02:32:10     1.1.1.8
+++ ssl_engine_vars.c   2003/10/20 20:36:34
@@ -617,7 +617,7 @@
         result = ap_psprintf(p, "mod_ssl/%s", MOD_SSL_VERSION);
     }
     else if (strEQ(var, "LIBRARY")) {
-        result = ap_pstrdup(p, SSL_LIBRARY_TEXT);
+        result = ap_pstrdup(p, SSLeay_version(SSLEAY_VERSION));
         if ((cp = strchr(result, ' ')) != NULL) {
             *cp = '/';
             if ((cp2 = strchr(cp, ' ')) != NULL)
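Review bot: The in-place edits on the two context lines that follow the replaced line (`*cp = '/'` and the `strchr(cp, ' ')` cut) are only safe because `ap_pstrdup` copies the string first: `SSLeay_version(SSLEAY_VERSION)` returns a `const char *` to library-owned storage, whereas `SSL_LIBRARY_TEXT` was a compile-time literal, so a one-line comment at the `+` line saying that the copy is required, and that the runtime string is expected to keep the same `OpenSSL <version> <date>` layout this splitting relies on, would stop a later cleanup from turning it into a direct pointer assignment.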
cvs server: Diffing mod_ssl/pkg.sslsup
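The skew the report describes, shown as an added example that is not part of the bug report or of mod_ssl's own code: the string baked into an object at compile time is compared with the string the loaded library reports at run time, and both are passed through the same first-space-to-slash, cut-at-second-space rewrite the hunk above performs for the LIBRARY variable. The `USE_REAL_OPENSSL` macro, the `library_component`/`version_skew`/`component_equals` function names and the two sample version strings are this example's own constructions; built without the macro it uses only the constructed strings and needs no OpenSSL headers.

```c
/* Added example (not from the bug report or mod_ssl): compile-time versus
 * run-time OpenSSL version text, plus the "OpenSSL x.y.z date" ->
 * "OpenSSL/x.y.z" rewrite that ssl_engine_vars.c applies.
 * Build with -DUSE_REAL_OPENSSL -lcrypto to query a real libcrypto; without
 * it, constructed sample strings stand in for both values. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef USE_REAL_OPENSSL
#include <openssl/crypto.h>
#endif

/* Version text frozen into this object when it was compiled. In mod_ssl this
 * is the SSL_LIBRARY_TEXT define, which comes from OpenSSL's opensslv.h. */
const char *compiled_version_text(void)
{
#ifdef USE_REAL_OPENSSL
    return OPENSSL_VERSION_TEXT;
#else
    return "OpenSSL 0.9.7a 19 Feb 2003";   /* constructed sample */
#endif
}

/* Version text of the library actually linked or loaded at run time.
 * (Newer OpenSSL spells this OpenSSL_version(OPENSSL_VERSION); the SSLeay_
 * name used in the patch is the older spelling.) */
const char *runtime_version_text(void)
{
#ifdef USE_REAL_OPENSSL
    return SSLeay_version(SSLEAY_VERSION);
#else
    return "OpenSSL 0.9.7c 30 Sep 2003";   /* constructed sample */
#endif
}

/* Rewrite "OpenSSL 0.9.7c 30 Sep 2003" into "OpenSSL/0.9.7c", the form the
 * LIBRARY variable takes: copy first (the source may be library-owned and
 * read-only), turn the first space into '/', cut at the next space.
 * Returns a malloc'd string the caller frees, or NULL on allocation failure. */
char *library_component(const char *text)
{
    size_t len = strlen(text);
    char *result = malloc(len + 1);
    char *cp, *cp2;

    if (result == NULL)
        return NULL;
    memcpy(result, text, len + 1);
    if ((cp = strchr(result, ' ')) != NULL) {
        *cp = '/';
        if ((cp2 = strchr(cp, ' ')) != NULL)
            *cp2 = '\0';
    }
    return result;
}

/* 1 if the rewritten component of TEXT equals EXPECTED, else 0. */
int component_equals(const char *text, const char *expected)
{
    char *c = library_component(text);
    int eq = (c != NULL && strcmp(c, expected) == 0);
    free(c);
    return eq;
}

/* 1 when the compiled-in and run-time components differ (the library was
 * upgraded but a module still advertises the old text), 0 when they agree,
 * -1 on allocation failure. */
int version_skew(const char *compiled, const char *runtime)
{
    char *a = library_component(compiled);
    char *b = library_component(runtime);
    int skew = (a == NULL || b == NULL) ? -1 : (strcmp(a, b) != 0);
    free(a);
    free(b);
    return skew;
}

int main(void)
{
    const char *compiled = compiled_version_text();
    const char *runtime = runtime_version_text();
    int skew = version_skew(compiled, runtime);

    printf("compiled in : %s\n", compiled);
    printf("at run time : %s\n", runtime);
    if (skew == 1)
        printf("WARNING: advertised version would not match loaded library\n");
    return skew == 0 ? 0 : 1;
}
```

Run against a real installation the exit status is non-zero exactly when a module built against one OpenSSL is running on another, which is the condition a scanner keying on the advertised `OpenSSL/x.y.z` component would misjudge.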
