RE: [ANNOUNCE] mod_ssl 2.8.12

2002-10-23 Thread Courtin Bert
Hi list,

is there any information available regarding the mentioned
potential Cross-Site-Scripting bug?
(Any CERT/CC Advisory CA-x, BUGTRAQ-Messages etc...)


Thanks in advance & kind regards,

B. Courtin


 -----Original Message-----
 From: Ralf S. Engelschall [mailto:rse;engelschall.com]
 Sent: Wednesday, October 23, 2002 11:15 AM
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: [ANNOUNCE] mod_ssl 2.8.12
 
 
 Because of a found Cross-Site-Scripting (XSS) bug in mod_ssl, the fixed
 maintenance version mod_ssl 2.8.12 is available for use with Apache
 1.3.27.
 
 http://www.modssl.org/source/
  ftp://ftp.modssl.org/source/
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
 
   Changes with mod_ssl 2.8.12 (04-Oct-2002 to 23-Oct-2002)
 
*) Fixed potential Cross-Site-Scripting bug.
 
*) Allow also 8192 bytes of shared memory data size.
 __
 Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
 User Support Mailing List  [EMAIL PROTECTED]
 Automated List Manager[EMAIL PROTECTED]
 



RE: httpd.conf with mod_ssl and MM

2002-10-09 Thread Courtin Bert



Hi Gilles,

1) Put all the necessary sources into a dir below e.g. SOURCES. Make sure you use the
latest ones available, as some major security fixes were made recently.

All the following works fine on Solaris 8 with gcc:

- SOURCES/apache-1.3.27
- SOURCES/mm-1.2.1
- SOURCES/mod_ssl-2.8.11-1.3.27
- SOURCES/openssl-0.9.6.g


2) Assume the following setup for some variables:

    COMPILER="gcc"                      # Specify the compiler to use
    TARGET_DIR="opt"                    # This is where the *compiled* sources will be installed
    SOURCES_SUBDIR="SOURCES"            # To this subdir the zipped sources will be unzipped and untared
    APACHE_DIR="apache-1.3.27"          # Now we're defining the names of the subdirectories for the program sources
    MM_DIR="mm-1.2.1"                   # Most archives will be extracted to a subdirname related to the archive
    OPENSSL_DIR="openssl-0.9.6g"        # filename but e.g. "c-client.tar.Z" will be extracted to "imap-2001a"
    MODSSL_DIR="mod_ssl-2.8.11-1.3.27"  # will be detected automatically below based on the info you state here.

2) Compile MM

mm has to be configured something like this (on Solaris using gcc):

    ./configure --prefix=/${TARGET_DIR}/${MM} \
        --with-gcc \
        --disable-shared

Maybe you'll also specify (but not necessarily needed):

        --enable-batch \
        --with-shm=IPCSHM

After this, you may need to do

    LD_LIBRARY_PATH=/${TARGET_DIR}/${MM}/lib:/${TARGET_DIR}/${MM}/bin:$LD_LIBRARY_PATH
    export LD_LIBRARY_PATH


2) Compile openssl

In the openssl dir do

    ./config --prefix=/${TARGET_DIR}/${OPENSSL} -fPIC shared

After making openssl do

    export SSL_BASE=/${TARGET_DIR}/${OPENSSL}
    LD_LIBRARY_PATH=/${TARGET_DIR}/${OPENSSL}/lib:/${TARGET_DIR}/${OPENSSL}/bin:$LD_LIBRARY_PATH
    export LD_LIBRARY_PATH

3) Apply mod_ssl to apache source tree

Change to the subdir where you keep your sources for mod_ssl. Do

    CC=${COMPILER} \
    CPFLAGS="-I/${TARGET_DIR}/${OPENSSL}/include" \
    CFLAGS="`../${MM}/mm-config --cflags`" \
    LDFLAGS="-L/${TARGET_DIR}/${OPENSSL}/lib `../${MM}/mm-config --ldflags`" \
    LIBS="-lm `../${MM}/mm-config --libs`" \
    EAPI_MM="../${MM}" \
    ./configure --prefix=/${TARGET_DIR}/${APACHE} \
        --enable-rule=EAPI \
        --with-apache=../${APACHE} \
        --with-ssl=../${OPENSSL} \
        --with-mm=../${MM} \
        --disable-rule=SSL_COMPAT \
        --enable-module=ssl


4) For the configuration of Apache you'll need to specify:

If you do not need to specify anything else, change to Apache's source dir and type
'make'; in any other case change to Apache's source dir and do

    CC="${COMPILER}" \
    EAPI_MM="../${MM}" \
    CPFLAGS="-I/${TARGET_DIR}/${OPENSSL}/include" \
    CFLAGS="`../${MM}/mm-config --cflags`" \
    LDFLAGS="-L/${TARGET_DIR}/${OPENSSL}/lib `../${MM}/mm-config --ldflags`" \
    LIBS="`../${MM}/mm-config --libs`" \
    INCLUDE="-I/${TARGET_DIR}/${OPENSSL}/include -I/${TARGET_DIR}/${MM}/include" \
    ./configure --prefix=/${TARGET_DIR}/${APACHE} \
        --enable-rule=EAPI \
        --enable-module=ssl   # --add more options if needed


This should make shared mem available for apache/mod_ssl.

BTW: Which platform are you using?

Hope this helps - good luck


Kind regards,
Bert Courtin



  -----Original Message-----
  From: Gilles Gros [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, October 09, 2002 7:09 AM
  To: [EMAIL PROTECTED]
  Subject: httpd.conf with mod_ssl and MM

  Hi,

  Having just heard about MM, I am trying to use it.

  I compile my apache, but when I try to start it, I get :

  Syntax error on line 59 of /opt/apache/conf/local_conf/mod_ssl.conf:
  SSLSessionCache: shared memory cache not useable on this platform

  and line 59 there is :
  SSLSessionCache shmcb:/usr/local/apache/logs/ssl_scache(512000)

  How can I take advantage of shmcb and shmct as SSLSessionCache methods.

  Thanks.

  Gilles
  


RE: MM doesn't work now with 0.9.6e - Security related Bug in mm mm-1.2.1

2002-08-01 Thread Courtin Bert

Hi there,

did you notice that there is a security bug in mm version 1.2.1 as well which was
announced on Jul 30 2002? Have a look here:

Advisory: http://www.openpkg.org/security/OpenPKG-SA-2002.007-mm.html (CERT ID 
2002-453dcert).

You can get the latest version of mm here: http://www.ossp.org/pkg/lib/mm/


Kind regards,
B. Courtin



-----Original Message-----
From: David Lowenstein [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 31, 2002 10:33 PM
To: [EMAIL PROTECTED]
Subject: MM doesn't work now with 0.9.6e


I just installed the newest version of openssl and recompiled mm, mod_ssl,
mod_perl, and apache. Now when I start apache I get an error from my
httpd.conf file about the SSLSessionCache option. The error is:

SSLSessionCache: shared memory cache not useable on this platform

Well, it was with openssl 0.9.6c. I didn't do anything different in my
installation steps which were:

install openssl

configure mm with disable-shared
make

configure mod_ssl --with-apache=../apache_1.3.26

install mod_perl (perl Makefile.PL APACHE_SRC=../apache_1.3.26/src
DO_HTTPD=0 USE_APACI=1 PREP_HTTPD=1 EVERYTHING=1)

set SSL_BASE and EAPI_MM variables to ../openssl0.9.6e and ../mm-1.2.1

configure and install apache:

./configure --enable-module=proxy --enable-module=so
--activate-module=src/modules/perl/libperl.a --enable-module=perl
--enable-rule=SHARED_CORE --enable-module=ssl

make

make certificate

make install



Without the shared option in the config file, apache starts just fine, but
it won't work with:

SSLSessionCache shm:/usr/local/apache/logs/ssl/ssl_scache(512000)

It worked before.

What did I break?


Dave Lowenstein
Programmer/Analyst
Instructional Technology Services
San Diego State University
(619)594-0270
http://www-rohan.sdsu.edu/dept/its

On Wed, 31 Jul 2002, Matt Nelson wrote:

 At 06:02 PM 7/31/2002 +0200, you wrote:
 See comments,
 
 Ditto,
 
 Rgds,
 
 Owen Boyle
 
  -Original Message-
  From: Matt Nelson [mailto:[EMAIL PROTECTED]]
  Sent: Mittwoch, 31. Juli 2002 17:01
  To: [EMAIL PROTECTED]
  Subject: RE: Error message help
  
  
  Well I may have figured this out, https is now running, cert
  was in the wrong place,
 
 ..or your SSLCertificateFile directive was pointing to the wrong place :-)
 
 Yup, but dang I was confused on where it went.  Everything I've read said 
 put it somewhere different.  Error logs are your friends.
 
 
   ...but https returns the default web page for the apache
  installation, instead of the real site, which does come up with just
  http.  I think I can figure that out, but if anyone has pointer
  thanks,  and thanks for suffering my dumb questions.
 
 Check out your DocumentRoot directive in the SSL virtual host - there 
 should only be one. If there is more than one, apache will use the last 
 one... It is this directive which tells apache where to fetch the content.
 
 Yeah I found that right after I wrote that.
 
  
  --
  Matt
  
  
  At 09:36 AM 7/31/2002 -0500, you wrote:
  At 03:56 PM 7/31/2002 +0200, you wrote:
   From: Matt Nelson [mailto:[EMAIL PROTECTED]]
   
   Now, the error I'm getting now  that I can't seem to find any
   help on, in
   the error_log is:
   
   OpenSSL: error:0D06B078:asn1 encoding
  routines:ASN1_get_object:header
   too long
   
  
  Unusual.. Do you see anything in the browser? Also:
  
  - What versions of apache, mod_ssl, openssl?
  
  
  Apache 1.3.22
  OpenSSL 0.9.6
  mod_ssl 1.4
 
 Um... If I were you, I'd get apache 1.3.26, OpenSSL 0.9.6e and mod_ssl 
 2.8.10. That's the latest mix, also pay attention to the security advisory 
 that was posted to the list today.
 
 I'll do that.
 
 
  
  - Static or DSO?
 
 When you compiled apache, did you statically compile in mod_ssl (i.e. 
 --enable-module=ssl) so that the mod_ssl binary gets munged in with the 
 apache binary to produce a big binary *or* did you compile mod_ssl as a 
 shared object which would be loaded dynamically at runtime (DSO = Dynamic 
 Shared Object), i.e. --enable-shared=ssl? Usually, it doesn't make much 
 difference when they're working, but since yours was not working, I 
 thought I'd ask.
 
 I didn't compile, I used everything stock from the Caldera 3.11 server 
 install. A bad idea now I know, if I'd done it on my own or recompiled, I'd 
 know which it was, among other things.
 
  
  
  I'll be honest and say I don't quite understand that
  question.  I'm way
  more new at this what I wished.  I could probably answer that
  question, if
  asked in different terms.
  
  - What browser?
  
  IE, Mozilla, you name it.
 
 Just in case it was a funny browser - SSL is as much to do with the client 
 as it is to do with the server so it is essential to verify any problems 
 with several browsers. But you've already done that.
 
 Yeah...  See I do try, I hate being a clueless newbie, or at least acting 
 like one.  I always try to cover the bases myself, so I don't get RTFM 
 responses.  I'm sure I'll have some other questions, though, and 

RE: PRNG errors

2002-08-01 Thread Courtin Bert

Hi,

the combination of software you use works fine for me on solaris 8.

However, when using these versions, I faced the following problem:

- apache won't start up with the option SSLRandomSeed startup builtin enabled. I 
then installed the package ANDIrand-0.7-5.8-sparc-1.pkg from 
http://www.cosy.sbg.ac.at/~andi/ which provides a /dev/random resp. /dev/urandom. 

Using this (SSLRandomSeed startup file:/dev/urandom 1024) my apache starts up fine.

So:
 - Does OpenBSD have a /dev/urandom? - Try using it-
 - If not, maybe the package I stated above is available for OpenBSD as well.


Kind regards,
B. Courtin


BTW: For all those using mm: Please notice that there is a security bug in mm
version 1.2.1 as well which was announced on Jul 30 2002. Have a look here:

Advisory: http://www.openpkg.org/security/OpenPKG-SA-2002.007-mm.html (CERT ID 
2002-453dcert).

You can get the latest version of mm here: http://www.ossp.org/pkg/lib/mm/





-----Original Message-----
From: cbenn [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 31, 2002 7:10 PM
To: [EMAIL PROTECTED]
Subject: PRNG errors


Hello everyone.

I just upgraded my OpenSSL yesterday from 9.6c to 9.6e, then recompiled my
mod_ssl-2.8.10-1.3.26 and Apache on OpenBSD 3.0. Everything seemed to go
fine, but now all my https requests are unable to connect. According to all
the docs I've seen the error message suggests changing the SSLRandomSeed
setting in the httpd.conf, however I've tried various settings, see the new
value for the Seeding PRNG line in the log, but the handshake still
fails with the same error message. Can anyone suggest anything else that
may be the issue.

Thanks,
benn

From httpd.conf
#   Pseudo Random Number Generator (PRNG):
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

From ssl_engine_log
[31/Jul/2002 09:49:00 30490] [info]  Connection to child 3 established
(server www.host.com:443, client 127.0.0.1)
[31/Jul/2002 09:49:00 30490] [info]  Seeding PRNG with 1160 bytes of
entropy
[31/Jul/2002 09:49:00 30490] [error] SSL handshake failed (server
www.host.com:443, client 127.0.0.1) (OpenSSL library error follows)
[31/Jul/2002 09:49:00 30490] [error] OpenSSL: error:24064064:random number
generator:SSLEAY_RAND_BYTES:PRNG not seeded
[31/Jul/2002 09:49:00 30490] [error] OpenSSL: error:24064064:random number
generator:SSLEAY_RAND_BYTES:PRNG not seeded
[31/Jul/2002 09:49:00 30490] [error] OpenSSL: error:24064064:random number
generator:SSLEAY_RAND_BYTES:PRNG not seeded
[31/Jul/2002 09:49:00 30490] [error] OpenSSL: error:1409B005:SSL
routines:SSL3_SEND_SERVER_KEY_EXCHANGE:bad asn1 object header
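The check below is an added example, not part of the posts above: it reads the `SSLRandomSeed` directives from httpd.conf text and correlates the `Seeding PRNG` and `PRNG not seeded` lines per PID in ssl_engine_log. The function names are hypothetical, and the sample input is constructed from the directives and (re-joined) log lines quoted in the post.

```python
import re

# SSLRandomSeed <context> <source> [bytes]; commented-out lines do not match.
SEED_RE = re.compile(
    r"^\s*SSLRandomSeed\s+(startup|connect)\s+(\S+)(?:\s+(\d+))?\s*$", re.I)
# ssl_engine_log line layout: [date time pid] [level] message
LOG_RE = re.compile(r"^\[\S+ \S+ (\d+)\] \[(\w+)\]\s+(.*)$")
SEEDED_RE = re.compile(r"Seeding PRNG with (\d+) bytes of entropy")

# Constructed samples, taken from the post with wrapped log lines re-joined.
SAMPLE_CONF = """\
#   Pseudo Random Number Generator (PRNG):
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
"""
_NOT_SEEDED = ("[31/Jul/2002 09:49:00 30490] [error] OpenSSL: error:24064064:"
               "random number generator:SSLEAY_RAND_BYTES:PRNG not seeded\n")
SAMPLE_LOG = (
    "[31/Jul/2002 09:49:00 30490] [info]  Connection to child 3 established "
    "(server www.host.com:443, client 127.0.0.1)\n"
    "[31/Jul/2002 09:49:00 30490] [info]  Seeding PRNG with 1160 bytes of entropy\n"
    "[31/Jul/2002 09:49:00 30490] [error] SSL handshake failed (server "
    "www.host.com:443, client 127.0.0.1) (OpenSSL library error follows)\n"
    + _NOT_SEEDED * 3 +
    "[31/Jul/2002 09:49:00 30490] [error] OpenSSL: error:1409B005:SSL "
    "routines:SSL3_SEND_SERVER_KEY_EXCHANGE:bad asn1 object header\n"
)


def seed_sources(conf_text):
    """Return {'startup': [(source, bytes)], 'connect': [...]} for active directives."""
    found = {"startup": [], "connect": []}
    for line in conf_text.splitlines():
        m = SEED_RE.match(line)
        if m:
            nbytes = int(m.group(3)) if m.group(3) else None
            found[m.group(1).lower()].append((m.group(2), nbytes))
    return found


def builtin_only_contexts(sources):
    """Contexts whose only seed source is 'builtin' (or that have no source at all)."""
    return sorted(ctx for ctx, srcs in sources.items()
                  if not any(src.lower() != "builtin" for src, _ in srcs))


def prng_failures(log_text):
    """Per PID: bytes the child reported seeding and its 'PRNG not seeded' error count."""
    stats = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        pid, level, msg = int(m.group(1)), m.group(2), m.group(3)
        entry = stats.setdefault(pid, {"seeded_bytes": 0, "not_seeded": 0})
        seeded = SEEDED_RE.search(msg)
        if seeded:
            entry["seeded_bytes"] += int(seeded.group(1))
        elif level == "error" and msg.endswith("PRNG not seeded"):
            entry["not_seeded"] += 1
    # Only PIDs that actually hit the error are of interest.
    return {pid: e for pid, e in stats.items() if e["not_seeded"]}


if __name__ == "__main__":
    print("builtin-only contexts:", builtin_only_contexts(seed_sources(SAMPLE_CONF)))
    print("PRNG failures by PID:", prng_failures(SAMPLE_LOG))
```

On the quoted log this reports PID 30490 logging 1160 bytes of seed data and still hitting three `PRNG not seeded` errors, with both contexts relying on `builtin` only.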



RE: openssl0.9.6e ok with mod_ssl 2.8.10?

2002-07-31 Thread Courtin Bert

Hi,

yes, there is a new version of mm available on http://www.ossp.org/pkg/lib/mm/ 
( Status: Stable Version:   1.2.1  (28-Jul-2002) )

The advisory is here: http://www.openpkg.org/security/OpenPKG-SA-2002.007-mm.html



Kind regards,

Bert Courtin




-----Original Message-----
From: R. DuFresne [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 31, 2002 2:14 PM
To: Rainer Jung
Cc: [EMAIL PROTECTED]
Subject: Re: openssl0.9.6e ok with mod_ssl 2.8.10?




If I read the advisories correctly, the problem was related to openssl
code.  so, recompiling apache/mod-ssl with the new or patched openssl
sources should fix that issue.  the other question though is, since there
were additional advisories related to mm, and apache 1.3.X/mod-ssl
requires mm for proper compilation and functioning, if there is a new mm
package or patch available.

Thanks,

Ron dufresne

On Wed, 31 Jul 2002, Rainer Jung wrote:

 Hi,
 
 will there be a new version of mod_ssl for the security fixed openssl 
 0.9.6e and openssl-engine 0.9.6e or is it safe to use mod_ssl 2.8.10.
 
 If there will be a new version: is there an expected release date/time?
 
 Thanks for any answers!
 
 Rainer Jung
 
 kippdata informationstechnologie GmbH
 Bornheimer Straße 33a
 D-53111 Bonn
 Germany
 
 Tel.: +49/228/98549-0
 Fax:  +49/228/98549-50
 email: [EMAIL PROTECTED]
 
 

-- 
~~
admin & senior security consultant:  sysinfo.com
http://sysinfo.com

Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation.
-- Johnny Hart

testing, only testing, and damn good at it too!




OpenSSL Security Advisory [30 July 2002]

2002-07-30 Thread Courtin Bert

Hi,

FYI - don't sue me for posting this here - I know, everyone who needs this info 
*should* have it already, but maybe not ;-)

Kind regards,
B. Courtin

--

OpenSSL Security Advisory [30 July 2002]

This advisory consists of two independent advisories, merged, and is
an official OpenSSL advisory.

Advisory 1
==========

A.L. Digital Ltd and The Bunker (http://www.thebunker.net/) are
conducting a security review of OpenSSL, under the DARPA program
CHATS.

Vulnerabilities
---------------

All four of these are potentially remotely exploitable.

1. The client master key in SSL2 could be oversized and overrun a
buffer. This vulnerability was also independently discovered by
consultants at Neohapsis (http://www.neohapsis.com/) who have also
demonstrated that the vulnerability is exploitable. Exploit code is
NOT available at this time.

2. The session ID supplied to a client in SSL3 could be oversized and
overrun a buffer.

3. The master key supplied to an SSL3 server could be oversized and
overrun a stack-based buffer. This issue only affects OpenSSL
0.9.7 before 0.9.7-beta3 with Kerberos enabled.

4. Various buffers for ASCII representations of integers were too
small on 64 bit platforms.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0656 to issues 1-2, CAN-2002-0657 to issue
3, and CAN-2002-0655 to issue 4.

In addition various potential buffer overflows not known to be
exploitable have had assertions added to defend against them.

Who is affected?
----------------

Everyone using OpenSSL 0.9.6d or earlier, or 0.9.7-beta2 or earlier or
current development snapshots of 0.9.7 to provide SSL or TLS is
vulnerable, whether client or server. 0.9.6d servers on 32-bit systems
with SSL 2.0 disabled are not vulnerable.

SSLeay is probably also affected.

Recommendations
---------------

Apply the attached patch to OpenSSL 0.9.6d, or upgrade to OpenSSL
0.9.6e. Recompile all applications using OpenSSL to provide SSL or
TLS.

A patch for 0.9.7 is available from the OpenSSL website
(http://www.openssl.org/).

Servers can disable SSL2, alternatively disable all applications using
SSL or TLS until the patches are applied. Users of 0.9.7 pre-release
versions with Kerberos enabled will also have to disable Kerberos.

Client should be disabled altogether until the patches are applied.

Known Exploits
--------------

There are no known exploits available for these vulnerabilities. As
noted above, Neohapsis have demonstrated internally that an exploit is
possible, but have not released the exploit code.

References
----------

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0655
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0656
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0657

Acknowledgements
----------------

The project leading to this advisory is sponsored by the Defense
Advanced Research Projects Agency (DARPA) and Air Force Research
Laboratory, Air Force Materiel Command, USAF, under agreement number
F30602-01-2-0537.

The patch and advisory were prepared by Ben Laurie.



Advisory 2
==========

Vulnerabilities
---------------

The ASN1 parser can be confused by supplying it with certain invalid
encodings.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0659 to this issue.

Who is affected?
----------------

Any OpenSSL program which uses the ASN1 library to parse untrusted
data. This includes all SSL or TLS applications, those using S/MIME
(PKCS#7) or certificate generation routines.

Recommendations
---------------

Apply the patch to OpenSSL, or upgrade to OpenSSL 0.9.6e. Recompile
all applications using OpenSSL.

Users of 0.9.7 pre-release versions should apply the patch or upgrade
to 0.9.7-beta3 or later. Recompile all applications using OpenSSL.

Exploits
--------

There are no known exploits for this vulnerability.

References
----------

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659

Acknowledgements
----------------

This vulnerability was discovered by Adi Stav [EMAIL PROTECTED]
and James Yonan [EMAIL PROTECTED] independently. The patch is partly
based on a version by Adi Stav.

The patch and advisory were prepared by Dr. Stephen Henson.




Combined patches for OpenSSL 0.9.6d:
http://www.openssl.org/news/patch_20020730_0_9_6d.txt

Combined patches for OpenSSL 0.9.7 beta 2:
http://www.openssl.org/news/patch_20020730_0_9_7.txt

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20020730.txt
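As an added example (not part of the advisory or of OpenSSL), the affected-version ranges stated above can be checked against an `openssl version` line or a server banner, returning the CAN names the advisory assigns. The function names are hypothetical, and the banner strings in the `__main__` block are constructed samples.

```python
import re

# Matches "OpenSSL 0.9.6d ..." (openssl version) and "OpenSSL/0.9.6d" (server banner),
# including pre-releases such as "0.9.7-beta2" or "0.9.7-dev".
VERSION_RE = re.compile(
    r"OpenSSL[ /](\d+)\.(\d+)\.(\d+)([a-z]?)(?:-(beta|dev)(\d*))?", re.I)

FIXED_096 = (0, 9, 6, 1, 5)   # 0.9.6e: first fixed release on the 0.9.6 branch
START_097 = (0, 9, 7, 0, 0)   # any 0.9.7 development snapshot or beta
FIXED_097 = (0, 9, 7, 0, 3)   # 0.9.7-beta3: first fixed 0.9.7 pre-release


def version_key(text):
    """Return a sortable key, or None if no OpenSSL version is present.

    Key layout: (major, minor, fix, stage, n), where stage 0 is a pre-release
    (n = beta number, 0 for -dev) and stage 1 is a release (n = 0 for no
    letter, 1 for 'a', 2 for 'b', ...). Pre-releases sort before releases.
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letter, pre, pre_n = m.group(4), m.group(5), m.group(6)
    if pre:
        return (major, minor, fix, 0, int(pre_n) if pre_n else 0)
    return (major, minor, fix, 1, ord(letter.lower()) - ord("a") + 1 if letter else 0)


def advisory_findings(banner, kerberos=False):
    """CAN names from the 30 July 2002 advisory that apply to this version.

    Affected per the advisory: 0.9.6d or earlier, and 0.9.7 snapshots or betas
    before 0.9.7-beta3. CAN-2002-0657 only applies to those 0.9.7 pre-releases
    with Kerberos enabled. The advisory's exemption for 0.9.6d servers on
    32-bit systems with SSL 2.0 disabled covers Advisory 1 only and is not
    modelled here.
    """
    key = version_key(banner)
    if key is None:
        raise ValueError("no OpenSSL version found in %r" % banner)
    pre_097 = START_097 <= key < FIXED_097
    if not (key < FIXED_096 or pre_097):
        return []
    cans = ["CAN-2002-0655", "CAN-2002-0656", "CAN-2002-0659"]
    if pre_097 and kerberos:
        cans.append("CAN-2002-0657")
    return sorted(cans)


if __name__ == "__main__":
    # Constructed sample banners.
    for sample in ("OpenSSL 0.9.6c 21 dec 2001",
                   "Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6d",
                   "OpenSSL 0.9.6e 30 Jul 2002",
                   "OpenSSL 0.9.7-beta2"):
        print(sample, "->", advisory_findings(sample, kerberos=True))
```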



RE: Performance Tuning on Apache 1.3.24 with mod_ssl 2.8.8

2002-05-31 Thread Courtin Bert

Hi,

generally speaking: encryption of data (which SSL does in comparison to not using SSL) 
of course costs computing time. That's the reason why you'll get less processed requests 
when using SSL. That's the price for having secure data transfer, which does not mean 
that you should consider turning off SSL, depending on which site you're running. 

Secondly, the results you get from your load test of course strongly depend on its 
design, but probably turning on the KeepAlive directive may improve your results, 
depending on whether your test script supports this.

NB (I): Is your test client software running on the same server? This would downgrade 
results, too.
NB (II): A Sun Netra T1 (UltraSPARC-IIi 440MHz, Memory 512 MB) (a quite low end 
server) I recently tested processed about 70 requests per second (using SSL).
NB (II): Which hardware are you using?


Kind regards,
Bert Courtin


-----Original Message-----
From: Patrick Dionisio [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 30, 2002 10:38 PM
To: [EMAIL PROTECTED]
Subject: Performance Tuning on Apache 1.3.24 with mod_ssl 2.8.8


Hi, I'd like to know what kind of tricks I can apply
to improve the performance of my apache server which
uses mod_ssl.  The OS I'm using is Linux 7.2.

Currently, I have a client script that generates n
number of requests to the apache server.  The page it
requests is a static page.  With SSL turned on, I'm
only able to get at most 7 to 8 requests per second. 
With SSL turned off, I am able to get 50+ requests per
second.

I've tried setting SSLMutex to use sem and
SSLSessionCache to
shm:/usr/local/apache/logs/ssl_gcache_data(512000),
but those changes didn't improve the results.

Any suggestions or ideas?  Thanks.

Patrick








Bug Report mod_ssl 2.8.8 for Apache 1.3.24 with openssl-0.9.6.d

2002-05-28 Thread Courtin Bert

Hi there,

using openssl-0.9.6.d with Apache/1.3.24 (Unix) mod_perl/1.26 PHP/4.2.0 mod_ssl/2.8.8 
seems to lead to the following error on Solaris 2.8:

Apache's error log:
[error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key

which prevents apache from starting.

Openssl-0.9.6.c works without any problems (with the same compile options etc.)

Kind regards,
Bert Courtin
