So what are the next steps...is this being highlighted as a risk anywhere?
I am surprised that this doesn't get onto the main security page if it
is a risk...how else would anyone find out about it and take
preventative measures?
Regards,
Per
Phil Ehrens wrote:
Interesting. Must be an Apache 2.2.X thing. The symbol
definitely does not appear in 2.0.55.
Per Olausson wrote:
Phil,
Is it the way I am building Apache or is Linux or Solaris hiding this
symbol? I've checked this on a gentoo build, but on my machine the
module has no symbols.
Details as below:
Apache/2.2.3
OpenSSL 0.9.8c
AIX 5200-09
nm mod_ssl.so | grep SSL_get_shared_ciphers
.SSL_get_shared_ciphers T 269028692
.SSL_get_shared_ciphers_139_116 t 269031772
nm(1):
T Global text symbol.
t Local text symbol.
Regards,
Per
Phil Ehrens wrote:
Per Olausson wrote:
Phil Ehrens:
I just checked a couple different versions and did not see that
function.
I posted a question about this to the apache security mailbox, but
nobody responded. I guess that is in line with the policy for that
mailbox even if I find it somewhat unhelpful, considering that SSL isn't
completely a rarity when using Apache.
The reason I am concerned is because mod_ssl indirectly references
SSL_get_shared_ciphers. It is in use. You can see this if you use
something like nm and grep for this function.
So is mod_ssl vulnerable? Is the functionality insulated and not
possible to trigger from the mod_ssl user scenario, or is it?
If anyone has any ideas please let me know!
The symbol is not defined in mod_ssl on any of my Linux or Solaris
systems, all of which are running Apache-2.0.55. What version are
you looking at?
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager [EMAIL PROTECTED]
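
Added example, not part of the thread or of mod_ssl: a shell helper for the nm-and-grep check discussed above. It reports whether a module defines a symbol itself (type T or t, as in the AIX output quoted in the thread) or only imports it (type U). The function names and the GNU-style sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# classify_symbol SYMBOL: read nm output on stdin and print one of
#   defined    the symbol's code or data is inside the scanned object (T, t, D, ...)
#   undefined  the object only imports it (U); it is resolved from a shared
#              library when the module is loaded
#   absent     no exact match for SYMBOL
# Handles both name-first lines (AIX, as quoted in the thread) and
# address-first lines (GNU nm). Weak symbols (w, v) are not treated specially.
classify_symbol() {
    awk -v sym="$1" '
        {
            name = ""; type = ""
            for (i = 1; i <= NF; i++) {
                # AIX prefixes text symbols with a dot
                if ($i == sym || $i == ("." sym)) name = $i
                else if ($i ~ /^[A-Za-z]$/) type = $i
            }
            if (name == "" || type == "") next
            if (type == "U") undef = 1; else def = 1
        }
        END {
            if (def) print "defined"
            else if (undef) print "undefined"
            else print "absent"
        }'
}

# The two nm lines quoted in the thread (AIX, Apache 2.2.3).
aix_sample() {
    printf '%s\n' '.SSL_get_shared_ciphers T 269028692' \
                  '.SSL_get_shared_ciphers_139_116 t 269031772'
}

# Constructed GNU-style lines, not taken from any real build.
gnu_sample() {
    printf '%s\n' '                 U SSL_get_shared_ciphers' \
                  '0000000000012340 T some_other_function'
}

# Usage: sh script.sh /path/to/mod_ssl.so SSL_get_shared_ciphers
# A stripped ELF module shows no symbols with plain nm; GNU nm -D lists the dynamic ones.
if [ "$#" -eq 2 ]; then
    nm "$1" | classify_symbol "$2"
fi
```

A result of "defined" means the function's code is part of the module file, so replacing the system OpenSSL library does not replace that copy.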