[ANNOUNCE] mod_ssl 2.8.12
Because of a found Cross-Site-Scripting (XSS) bug in mod_ssl, the fixed
maintenance version mod_ssl 2.8.12 is available for use with Apache 1.3.27.

  http://www.modssl.org/source/
  ftp://ftp.modssl.org/source/

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com

Changes with mod_ssl 2.8.12 (04-Oct-2002 to 23-Oct-2002)

  *) Fixed potential Cross-Site-Scripting bug.

  *) Allow also 8192 bytes of shared memory data size.

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
Official Announcement Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]

Re: R: SSL reverse proxy using certificates to IIS server
Claudio,

I tried that but no change.

Keith

CAMPETTO CLAUDIO [EMAIL PROTECTED] writes:

> Try putting this line in the server config:
>
> SSLProxyProtocol SSLv3
>
> Hope this helps.
>
> Claudio Campetto.

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]

SSL - MS Proxy 2.0 - MSIE6
Dear all,

I'm using:

  Apache 1.3.26
  mod_ssl: 2.8.10
  openSSL: 0.9.6g

At the client site I use MSIE6 and I have a MS proxy 2.0. When I enable SSL the connections/communication is very slow. If I disable it, the site works perfect.

Does anybody have an idea?

thx
Erwin

RE: SSL - MS Proxy 2.0 - MSIE6
What spec do you have on the server and client?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:erwin.vogeleer;deltalloydLife.be]
Sent: Mittwoch, 23. Oktober 2002 16:09
To: [EMAIL PROTECTED]
Subject: SSL - MS Proxy 2.0 - MSIE6

Dear all,

I'm using:

  Apache 1.3.26
  mod_ssl: 2.8.10
  openSSL: 0.9.6g

At the client site I use MSIE6 and I have a MS proxy 2.0. When I enable SSL the connections/communication is very slow. If I disable it, the site works perfect.

Does anybody have an idea?

thx
Erwin

This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. The sender's company reserves the right to monitor all e-mail communications through their networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of the sender's company.

RE: SSL - MS Proxy 2.0 - MSIE6
The server is running NT4 and the clients XP and win2000.

Boyle Owen [EMAIL PROTECTED]
Sent by: owner-modssl-users@modssl.org
23/10/2002 16:19
Please respond to modssl-users

To: [EMAIL PROTECTED]
cc:
Subject: RE: SSL - MS Proxy 2.0 - MSIE6

> What spec do you have on the server and client?

RE: Apache_1.3.27 and ssl
Any suggestion on upgrade? We can run the same procedure or need to remove the old one first?

Thanks
Yi

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 22, 2002 4:40 PM
To: [EMAIL PROTECTED]
Subject: Re: Apache_1.3.27 and ssl

Here's what we did:

    # notes to install and configure apache with modules, mod_perl, so

    # extract the packages
    # !!! INSTALL openssl first !!!
    gzip -d -c openssl-0.9.6a.tar.gz | tar xvf -
    gzip -d -c apache_1.3.x.tar.gz | tar xvf -
    gzip -d -c mod_ssl-2.8.x-1.3.x.tar.gz | tar xvf -
    gzip -d -c mod_perl-1.xx.tar.gz | tar xvf -

    # apply mod_ssl to Apache source tree
    cd mod_ssl*
    ./configure --with-apache=../apache_1.3.27
    cd ../    # back to the top-level directory before entering mod_perl

    # apply mod_perl to Apache source tree
    # and build/install the Perl-side of mod_perl
    cd mod_perl-1.27
    perl Makefile.PL EVERYTHING=1 \
        APACHE_SRC=../apache_1.3.27/src \
        USE_APACI=1 PREP_HTTPD=1 DO_HTTPD=1
    make
    make install
    cd ../

    # build/install Apache with mod_ssl and mod_perl
    cd apache_1.3.27
    SSL_BASE=../openssl-0.9.6a ./configure \
        --prefix=/usr/local/apache \
        --enable-module=ssl \
        --activate-module=src/modules/perl/libperl.a \
        --enable-module=perl \
        --enable-module=so
    make
    make certificate
    make install
    cd ../

Troy Garner
Information Technology Manager
Gulf Winds International, Inc.
713.747.4909 x5753
www.gwii.com

leanne lai [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/22/2002 04:26 PM
Please respond to modssl-users

To: [EMAIL PROTECTED]
cc:
Subject: Apache_1.3.27 and ssl

Dear All,

I don't know whether this is the right place for asking this question but I am desperate :(

I am trying to compile apache_1.3.27 and mod_ssl-2.8.11-1.3.27, however, apache_1.3.27 does not seem to have "enable_module=ssl" option anymore in its configure script!!!

Help!

Thanks,
Leanne

RE: Apache_1.3.27 and ssl
We upgraded; we did not remove any prior versions.

Troy Garner
Information Technology Manager
Gulf Winds International, Inc.
713.747.4909 x5753
www.gwii.com

Kong, Yi - HPL [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/23/2002 09:49 AM
Please respond to modssl-users

To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
cc:
Subject: RE: Apache_1.3.27 and ssl

> Any suggestion on upgrade? We can run the same procedure or need to remove the old one first?
>
> Thanks
> Yi

ld.so.1: /apache/bin/httpd: fatal: libssl.so.0.9.6: open failed
hello folks,

Got trouble.. here are the details .. anyone see anything..

    ./apachectl startssl
    Syntax error on line 238 of /apache/conf/httpd.conf:
    Cannot load /apache/libexec/libssl.so into server: ld.so.1: /apache/bin/httpd: fatal: libssl.so.0.9.6: open failed: No such file or directory
    ./apachectl startssl: httpd could not be started

Compile in modssl folder was:

    ./configure \
    "--with-apache=../apache_1.3.27" \
    "--with-ssl=/usr/local/ssl" \
    "$@"

Compile in apache folder was:

    ./configure \
    "--with-layout=Apache" \
    "--verbose" \
    "--prefix=/apache" \
    "--server-uid=ars" \
    "--server-gid=dba" \
    "--with-perl=/usr/local/perl" \
    "--enable-module=most" \
    "--enable-shared=max" \
    "--enable-rule=SHARED_CORE" \
    "--enable-module=so" \
    "--enable-module=cgi" \
    "--enable-module=ssl" \
    "--disable-rule=SSL_COMPAT" \
    "--enable-rule=SSL_SDBM" \
    "$@"

httpd.conf states from line 230 - 245 or so..

    234 LoadModule usertrack_module libexec/mod_usertrack.so
    235 LoadModule unique_id_module libexec/mod_unique_id.so
    236 LoadModule setenvif_module libexec/mod_setenvif.so
    237 <IfDefine SSL>
    238 LoadModule ssl_module libexec/libssl.so
    239 </IfDefine>
    240

LS of ../libexec is

    -rw-r--r-- 1 root other 8373 Oct 23 16:25 httpd.exp
    -rwxr-xr-x 1 root other 22108 Oct 23 16:25 libhttpd.ep
    -rwxr-xr-x 2 root other 669008 Oct 23 16:25 libhttpd.so
    -rwxr-xr-x 2 root other 669008 Oct 23 16:25 libhttpd.so.1
    -rwxr-xr-x 1 root other 137680 Oct 23 16:25 libproxy.so
    -rwxr-xr-x 1 root other 276708 Oct 23 16:25 libssl.so
    -rwxr-xr-x 1 root other 9272 Oct 23 16:25 mod_access.so

Trivial bug: inappropriate use of free()
Hi,

Mod_ssl uses free() inappropriately in several places, to free memory which has been previously allocated inside OpenSSL. Such memory should be freed with OPENSSL_free(), not with free(). There is usually no difference, but when allocation debugging is turned on in OpenSSL, or another allocator is used for some reason (OpenSSL has an option to do that), using free() can cause problems ranging from harder debugging to actually causing bugs.

Note that most wrong free() calls (labeled free(cp*) below) are done for debugging printouts. But these are nevertheless potentially-serious oversights because that code *always* gets executed (a waste of its own, but that's another issue), not only when debugging (TRACE) logging is enabled.

Wrong uses of free: (in mod_ssl-2.8.11-1.3.27)

  ssl_engine_ext.c:    4 calls to free(cp*) after X509_NAME_oneline().
  ssl_engine_kernel.c: 7 calls to free(cp*) after X509_NAME_oneline().
  ssl_engine_vars.c:   2 calls to free(cp*) after X509_NAME_oneline().
  ssl_util_ssl.c:      1 calls to free() after BN_bn2dec()

I suggest that all these places should call OPENSSL_free() instead of free.

Thanks,
Nadav.

--
Nadav Har'El               | Wednesday, Oct 23 2002, 18 Heshvan 5763
[EMAIL PROTECTED]          |-----------------------------------------
Phone: +972-53-245868, ICQ 13349191 | A smart man always covers his ass. A wise
http://nadav.harel.org.il  | man just keeps his pants on.

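The allocator mismatch reported above, as an added example that is not part of the original post and is not mod_ssl or OpenSSL code: a hypothetical library allocator (`lib_malloc`, `lib_free`, `lib_name_oneline` are stand-ins invented here) that keeps a bookkeeping header in front of each block, which is what makes a plain free() on the returned pointer wrong.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical library allocator standing in for an OpenSSL build with
 * allocation debugging or a replaced allocator: every block carries a
 * bookkeeping header in front of the pointer handed to the caller. */
typedef union { size_t size; max_align_t align; } lib_hdr;

static long lib_live_blocks = 0;

static void *lib_malloc(size_t n) {
    lib_hdr *h = malloc(sizeof *h + n);
    if (h == NULL) return NULL;
    h->size = n;
    lib_live_blocks++;
    return h + 1;                 /* caller sees memory after the header */
}

static void lib_free(void *p) {
    if (p == NULL) return;
    lib_live_blocks--;
    free((lib_hdr *)p - 1);       /* step back to the real malloc() block */
}

/* Stand-in for X509_NAME_oneline(name, NULL, 0): returns a string the
 * library allocated, which the caller must release. */
static char *lib_name_oneline(const char *cn) {
    static const char prefix[] = "/CN=";
    char *s = lib_malloc(sizeof prefix + strlen(cn));
    if (s == NULL) return NULL;
    strcpy(s, prefix);
    strcat(s, cn);
    return s;
}

/* Distance between the pointer the caller holds and the block malloc()
 * returned. Non-zero means plain free(p) would be handed an address
 * malloc() never produced. */
static size_t caller_ptr_offset(void) { return sizeof(lib_hdr); }

/* Correct pairing: release with the library's own free routine. Returns the
 * number of library blocks still live afterwards (0 when nothing leaked). */
static long log_subject_and_release(const char *cn, char *out, size_t outsz) {
    char *cp = lib_name_oneline(cn);
    if (cp == NULL) return -1;
    strncpy(out, cp, outsz - 1);
    out[outsz - 1] = '\0';
    lib_free(cp);                 /* not free(cp) */
    return lib_live_blocks;
}
```
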
Building mod_SSL with SSL_EXPERIMENTAL in Win32!
Hi All,

I am building mod_SSL with Apache 1.3.26 on Win32 using nCipher SSL accelerator. But I have some problem. I can use

    c:\openssl\openssl speed engine chil

successfully. But when I want to build mod_SSL with the SSL_EXPERIMENTAL option, I found there is no such option in the Win32 edition! Does anyone have a solution to this problem?

EAST WIND TECHNOLOGIES, INC.
ERIC LIN

RE: [ANNOUNCE] mod_ssl 2.8.12
Hi list,

is there any information available regarding the mentioned potential Cross-Site-Scripting bug? (Any CERT/CC Advisory CA-x, BUGTRAQ-Messages etc...)

Thanks in advance
kind regards,
B. Courtin

-----Original Message-----
From: Ralf S. Engelschall [mailto:rse;engelschall.com]
Sent: Wednesday, October 23, 2002 11:15 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [ANNOUNCE] mod_ssl 2.8.12

Because of a found Cross-Site-Scripting (XSS) bug in mod_ssl, the fixed
maintenance version mod_ssl 2.8.12 is available for use with Apache 1.3.27.

  http://www.modssl.org/source/
  ftp://ftp.modssl.org/source/

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com

Changes with mod_ssl 2.8.12 (04-Oct-2002 to 23-Oct-2002)

  *) Fixed potential Cross-Site-Scripting bug.

  *) Allow also 8192 bytes of shared memory data size.

Re: [ANNOUNCE] mod_ssl 2.8.12
On Wed, Oct 23, 2002 at 11:32:53AM +0200, Courtin Bert wrote:

> is there any information available regarding the mentioned potential
> Cross-Site-Scripting bug? (Any CERT/CC Advisory CA-x, BUGTRAQ-Messages
> etc...)

Hi, here are the details:

Versions of mod_ssl older than 2.8.12 suffer from a cross-site-scripting bug: mod_ssl will send the server name unescaped in the response to an HTTP request on an SSL port. This issue has been assigned CVE CAN-2002-1157.

Like the other recent Apache XSS bugs, this only affects servers using a combination of UseCanonicalName off (not the default in 1.3) and wildcard DNS. Apache 2.0/mod_ssl is not vulnerable since it already escapes this HTML.

Regards,

joe

--
Joe Orton, Red Hat Europe, Stronghold Engineering
http://stronghold.redhat.com/

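The class of fix described in the message above, as an added example that is not part of the original post and is not mod_ssl's code: the server name is HTML-escaped before it is placed in the response body. The function names, buffer sizes and the wording of the hint are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* HTML-escape src into dst. Returns the escaped length, or -1 if dst is too
 * small (the caller should then send no hostname at all rather than a
 * truncated one). */
static int html_escape(const char *src, char *dst, size_t dstsz) {
    size_t o = 0;
    if (dstsz == 0) return -1;
    for (; *src != '\0'; src++) {
        const char *rep = NULL;
        switch (*src) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t n = rep ? strlen(rep) : 1;
        if (o + n >= dstsz) return -1;          /* keep room for the NUL */
        if (rep) memcpy(dst + o, rep, n); else dst[o] = *src;
        o += n;
    }
    dst[o] = '\0';
    return (int)o;
}

/* Build the hint sent when plain HTTP arrives on an SSL port. server_name is
 * client-influenced when UseCanonicalName is off, so it is escaped before it
 * reaches the HTML body. Returns the body length or -1 on overflow. */
static int render_http_on_ssl_hint(const char *server_name, unsigned port,
                                   char *out, size_t outsz) {
    char safe[256];
    if (html_escape(server_name, safe, sizeof safe) < 0) return -1;
    int n = snprintf(out, outsz,
                     "Use <a href=\"https://%s:%u/\">https://%s:%u/</a> instead.",
                     safe, port, safe, port);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}
```
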