Re: Does Mod_SSL use SSL_get_shared_ciphers()?

2006-10-25 Thread Phil Ehrens
Interesting. Must be an Apache 2.2.X thing. The symbol
definitely does not appear in 2.0.55.

Per Olausson wrote:
> 
> Phil,
> 
> Is it the way I am building Apache or is Linux or Solaris hiding this
> symbol? I've checked this on a gentoo build, but on my machine the
> module has no symbols.
> 
> Details as below:
> 
> Apache/2.2.3
> OpenSSL 0.9.8c
> AIX 5200-09
> 
> nm mod_ssl.so | grep SSL_get_shared_ciphers
> .SSL_get_shared_ciphers T   269028692
> .SSL_get_shared_ciphers_139_116 t   269031772
> 
> nm(1):
> 
> T Global text symbol.
> t Local text symbol.
> 
> Regards,
> 
> 
> Per
> 
> Phil Ehrens wrote:
> >Per Olausson wrote:
> >  
> >>>Phil Ehrens:
> >>>I just checked a couple different versions and did not see that
> >>>function.
> >>>  
> >>I posted a question about this to the apache security mailbox, but
> >>nobody responded. I guess that is in line with the policy for that
> >>mailbox even if I find it somewhat unhelpful, considering that SSL isn't
> >>completely a rarity when using Apache.
> >>
> >>The reason I am concerned is because mod_ssl indirectly references 
> >>SSL_get_shared_ciphers. It is in use. You can see this if you use 
> >>something like nm and grep for this function.
> >>
> >>So is mod_ssl vulnerable? Is the functionality insulated and not 
> >>possible to trigger from the mod_ssl user scenario, or is it?
> >>
> >>If anyone has any ideas please let me know!
> >>
> >
> >The symbol is not defined in mod_ssl on any of my Linux or Solaris
> >systems, all of which are running Apache-2.0.55. What version are
> >you looking at?
> >__
> >Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
> >User Support Mailing List  modssl-users@modssl.org
> >Automated List Manager[EMAIL PROTECTED]
> >  
> 
> 

-- 
Phil Ehrens <[EMAIL PROTECTED]>| Fun stuff:
The LIGO Laboratory, MS 18-34 | http://www.ralphmag.org
California Institute of Technology| http://www.trenchman.com
1200 East California Blvd.| http://www.tokyotosho.com
Pasadena, CA 91125 USA| My gpg public key:
Phone:(626)395-8518 Fax:(626)793-9744 | http://www.imbe.net/peligo.asc


Re: Does Mod_SSL use SSL_get_shared_ciphers()?

2006-10-25 Thread Per Olausson


Phil,

Is it the way I am building Apache or is Linux or Solaris hiding this
symbol? I've checked this on a gentoo build, but on my machine the
module has no symbols.

Details as below:

Apache/2.2.3
OpenSSL 0.9.8c
AIX 5200-09

nm mod_ssl.so | grep SSL_get_shared_ciphers
.SSL_get_shared_ciphers T   269028692
.SSL_get_shared_ciphers_139_116 t   269031772

nm(1):

T Global text symbol.
t Local text symbol.

Regards,


Per

Phil Ehrens wrote:
>Per Olausson wrote:
>
>>>Phil Ehrens:
>>>I just checked a couple different versions and did not see that
>>>function.
>>>
>>I posted a question about this to the apache security mailbox, but
>>nobody responded. I guess that is in line with the policy for that
>>mailbox even if I find it somewhat unhelpful, considering that SSL isn't
>>completely a rarity when using Apache.
>>
>>The reason I am concerned is because mod_ssl indirectly references
>>SSL_get_shared_ciphers. It is in use. You can see this if you use
>>something like nm and grep for this function.
>>
>>So is mod_ssl vulnerable? Is the functionality insulated and not
>>possible to trigger from the mod_ssl user scenario, or is it?
>>
>>If anyone has any ideas please let me know!
>>
>
>The symbol is not defined in mod_ssl on any of my Linux or Solaris
>systems, all of which are running Apache-2.0.55. What version are
>you looking at?
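Added example, not part of either message and not mod_ssl or OpenSSL code: a shell function that classifies how a module references a symbol from `nm` output, matching the exact name so that a suffixed local symbol such as the second line of the AIX output above is not counted the way `grep` counts it. The function name `classify_symbol`, its result labels and the GNU-style sample line are assumptions made for this example; the AIX sample lines are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: classify how a module references a symbol, from nm output.

classify_symbol() {
    # $1 = exact symbol name; nm output is read from stdin.
    # Prints: defined-global | defined-local | undefined | absent
    awk -v sym="$1" '
    {
        type = ""; hit = 0
        for (i = 1; i <= NF; i++) {
            f = $i
            # The type column is a single letter in both the AIX layout
            # (name type value) and the GNU layout (value type name).
            if (type == "" && f ~ /^[A-Za-z]$/) { type = f; continue }
            sub(/^\./, "", f)    # AIX entry points carry a leading dot
            sub(/@.*$/, "", f)   # GNU symbol-version suffix
            if (f == sym) hit = 1
        }
        if (!hit || type == "") next
        if (type == "U")                 rank = 1   # imported at load time
        else if (type == tolower(type))  rank = 2   # local definition
        else                             rank = 3   # global definition
        if (rank > best) best = rank
    }
    END {
        split("absent undefined defined-local defined-global", label, " ")
        print label[best + 1]
    }'
}

sample_aix() {          # the two lines quoted in the thread (AIX nm layout)
    printf '%s\n' '.SSL_get_shared_ciphers T   269028692' \
                  '.SSL_get_shared_ciphers_139_116 t   269031772'
}

sample_gnu_import() {   # constructed line in GNU "nm -D" layout
    printf '%s\n' '                 U SSL_get_shared_ciphers'
}

sample_aix        | classify_symbol SSL_get_shared_ciphers   # defined-global
sample_gnu_import | classify_symbol SSL_get_shared_ciphers   # undefined
```

A defined result means a copy of the function's code sits inside the module, so the module has to be rebuilt against a fixed OpenSSL, while `undefined` means the symbol is resolved from the shared libssl at load time. An `absent` result on a stripped ELF module calls for `nm -D`, and none of the results says whether the function is reachable from a request.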