Mr. Salz - You bring up excellent points!
I must admit that since this is a personal server sitting in my home (albeit used by my wife for consulting work of hers), I do allow for contradictory goals to exist. Part of my desire is to avoid *known* security vulnerabilities. As to the unknown ones (created by running newest versions of software, naturally), my desire to be up to date on the latest open source programs trumps the quite valid concern you raise, which I would adhere to religiously in any commercial or production setting.

As to static linking, I absolutely agree. I admit that I had not noticed before this debugging session that mod_ssl for httpd was loaded dynamically. That did surprise me, and is one of the reasons I am not fretting too much about leaving it that way for now.

However, there is still a bug out there - either in my configuration having an error that is exposed with 1.0.1e but dealt with (intentionally or not) in 1.0.1c, or there is some corner case error in either OpenSSL 1.0.1e, or one of the packages it relies on, or in the build chain. (I doubt the build chain, as it remains the same in both the 'c' and 'e' cases.) Either way, it will be interesting to track this down, so I will try the dynamic loading of mod_ssl again at some point (part of the fun of running this server in my home is tracking these things down when they come up - as I do enjoy this.)

Thank you for bringing these good points up!

Joel

On Tue, February 19, 2013 7:48 am, Salz, Rich wrote:
>> Since my goal is a running system with no known security
>> vulnerabilities ... I have a habit of wanting to use the 'latest
>> everything' as I check versions of software on my server once every few
>> weeks.
>
> These two items contradict each other. If you want a secure system, you
> should only upgrade (a) if vulnerabilities come out that require it; or
> (b) there are new features that you absolutely must have.
>
> And you also might want to think about why static libraries are (at least
> theoretically) more secure than shared libraries.
>
> /r$
>
> --
> Principal Security Engineer
> Akamai Technology
> Cambridge, MA
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org