Apache Lounge
Forum Index -> News & Hangout
Topic: OpenSSL 1.0.0c upgrade for Apache 2.2.x is available
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3049
Location: Hilversum, NL, EU

PostPosted: Sat 04 Dec '10 15:32    Post subject: OpenSSL 1.0.0c upgrade for Apache 2.2.x is available Reply with quote

OpenSSL 1.0.0c has been released; an upgrade for your Apache is available at the download page www.apachelounge.com/download/

Major changes between OpenSSL 1.0.0b and OpenSSL 1.0.0c:

o Fix for security issue CVE-2010-4180
o Fix for CVE-2010-4252
o Fix mishandling of absent EC point format extension.
o Fix various platform compilation issues.
o Corrected fix for security issue CVE-2010-3864.

It is strongly recommended that you upgrade as soon as possible.

Steffen
Back to top
krisztian.kocsis



Joined: 18 Dec 2010
Posts: 2

PostPosted: Sat 18 Dec '10 13:20    Post subject: PHP Crashing Reply with quote

Did anybody experience PHP crashes after update to OpenSSL 1.0.0c?
If I execute this from PHP 5.3.3/5.3.4:
openssl_digest('1234', 'SHA256', false);

it will crash.
If I restore the previous OpenSSL files, it works again.
I didn't check, but I think that other OpenSSL functions are also affected.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg

PostPosted: Sat 18 Dec '10 23:05    Post subject: Reply with quote

@krisztian Can you please run a sample script on the command line and see if that crashes? If not, you could use fcgid; then PHP will use its own SSL libs and won't crash even with an updated Apache.
Back to top
Brian White



Joined: 24 Aug 2008
Posts: 21

PostPosted: Sun 19 Dec '10 0:25    Post subject: Reply with quote

I had the same problem; but it was because I did not read the instructions carefully. Most updates of OpenSSL only require you to update the contents of the Apache's bin and conf directories. With this particular release you must also replace mod_ssl.so in Apache's modules directory.
Back to top
krisztian.kocsis



Joined: 18 Dec 2010
Posts: 2

PostPosted: Mon 20 Dec '10 13:05    Post subject: PHP Crash Reply with quote

Yes, it works perfectly when I run this command from the command line.
I know how dynamic symbol resolving works, so the only option to use this update is to use PHP as CGI, not as a module.

Of course I've replaced the mod_ssl.so also (same result).
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg

PostPosted: Wed 22 Dec '10 14:44    Post subject: Reply with quote

I ask the PHP dev guys. PHP is still using OpenSSL 0.9.8
When PHP runs as a module, it will load the needed SSL libs (DLLs) from the apache\bin folder. That makes it incompatible. In this case you have to downgrade Apache to OpenSSL 0.9.8 OR run PHP over fcgid. For me it works great using mod_fcgid. I know that apachelounge also runs with PHP over mod_fcgid.

Is it an option for you to use mod_fcgid instead of php5apache2_2.dll?
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3049
Location: Hilversum, NL, EU

PostPosted: Wed 22 Dec '10 20:24    Post subject: Reply with quote

@james, indeed running here OpenSSL 1.0.0c and mod_fcgid-2.3.6, no issues seen.

Steffen
Back to top
sxgray



Joined: 08 Feb 2011
Posts: 4

PostPosted: Tue 08 Feb '11 21:45    Post subject: Reply with quote

We've been running httpd 2.2.16 with OpenSSL 0.9.8o for some time successfully. Recently moved to 2.2.17 with no issues. When trying to upgrade to OpenSSL 1.0.0c, httpd doesn't run. When something is written to the error log before failing, it looks like this:

Code:
[Tue Feb 08 11:19:28 2011] [notice] Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/1.0.0c configured -- resuming normal operations
[Tue Feb 08 11:19:28 2011] [notice] Server built: Oct 18 2010 01:58:12
[Tue Feb 08 11:19:28 2011] [notice] Parent: Created child process 7812
[Tue Feb 08 11:19:29 2011] [error] Unable to import RSA server certificate
[Tue Feb 08 11:19:29 2011] [error] SSL Library Error: 218570875 error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long
[Tue Feb 08 11:19:29 2011] [error] SSL Library Error: 218529894 error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header
[Tue Feb 08 11:19:29 2011] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Tue Feb 08 11:19:29 2011] [crit] (OS 1813)The specified resource type cannot be found in the image file.  : master_main: create child process failed. Exiting.


Switching back to OpenSSL 0.9.8o makes everything all better.

Windows 7, running 32-bit httpd/openssl

Has anyone seen an issue like this with OpenSSL 1.0.0c and Apache httpd?

Thanks,
Scott
Back to top
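
Added example, not part of the original thread: a short Python parser for the error log quoted in the post above. It pulls the OpenSSL version from the startup banner and splits each "SSL Library Error" number into its library, function and reason fields, assuming the OpenSSL 1.0.x packing of 8, 12 and 12 bits; the names `unpack_error` and `summarize` are made up for this example.

```python
import re

# Error-log lines copied from the post above (Apache 2.2 error log format).
SAMPLE_LOG = """\
[Tue Feb 08 11:19:28 2011] [notice] Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/1.0.0c configured -- resuming normal operations
[Tue Feb 08 11:19:29 2011] [error] Unable to import RSA server certificate
[Tue Feb 08 11:19:29 2011] [error] SSL Library Error: 218570875 error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long
[Tue Feb 08 11:19:29 2011] [error] SSL Library Error: 218529894 error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header
[Tue Feb 08 11:19:29 2011] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
"""

BANNER = re.compile(r"Apache/(\S+) .*mod_ssl/(\S+) OpenSSL/(\S+)")
SSL_ERR = re.compile(
    r"SSL Library Error: (\d+) error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")


def unpack_error(code):
    """Split a packed OpenSSL 1.0.x error code into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def summarize(log_text):
    """Return the version banner and the decoded SSL library errors of a log."""
    report = {"banner": None, "errors": []}
    for line in log_text.splitlines():
        m = BANNER.search(line)
        if m:
            report["banner"] = dict(zip(("httpd", "mod_ssl", "openssl"), m.groups()))
            continue
        m = SSL_ERR.search(line)
        if m:
            dec, hexcode, lib_name, func_name, reason = m.groups()
            code = int(dec)
            lib, func, reason_code = unpack_error(code)
            report["errors"].append({
                "code": code,
                # The decimal and hex forms on one line must be the same number.
                "consistent": code == int(hexcode, 16),
                "lib": lib, "func": func, "reason_code": reason_code,
                "lib_name": lib_name, "func_name": func_name,
                "reason": reason.strip(),
            })
    return report


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(result["banner"])
    for err in result["errors"]:
        print(err["lib"], err["func"], err["reason_code"], err["reason"])
```

All three errors in this log decode to library 13, the ASN.1 routines, matching the "asn1 encoding routines" text on each line.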
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Tue 08 Feb '11 23:07    Post subject: Reply with quote

Where did you get Apache 2.2.17 from?
Back to top
sxgray



Joined: 08 Feb 2011
Posts: 4

PostPosted: Wed 09 Feb '11 0:21    Post subject: Reply with quote

Downloaded 2.2.17 from a mirror of http://httpd.apache.org/download.cgi.
Back to top
sxgray



Joined: 08 Feb 2011
Posts: 4

PostPosted: Wed 09 Feb '11 0:44    Post subject: Reply with quote

Sorry, I should have been a little more specific.

The Apache httpd 2.2.17 (with OpenSSL 0.9.8o) was downloaded from a mirror off httpd.apache.org.

OpenSSL 1.0.0c was downloaded from Apache Lounge (OpenSSL_1.0.0c-win32-x86.zip).
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Wed 09 Feb '11 1:45    Post subject: Reply with quote

And that is most likely the reason for the problem and what I had assumed that last error meant, even though it doesn't make much sense.

The reason: builds from apache.org are built with Visual C++ 6.0 and this OpenSSL update was built with Visual C++ 2008.

So, you can get the Apache from here, which is built with Visual C++ 2008 or wait for 2.2.18 from apache.org which will have whatever the current 0.9.8 version is when released.

Just an FYI, OpenSSL 0.9.8r/1.0.0d came out today, when/if Steffen builds it and offers an update again.
Back to top
sxgray



Joined: 08 Feb 2011
Posts: 4

PostPosted: Wed 09 Feb '11 3:02    Post subject: Reply with quote

Thanks! I grabbed the httpd 2.2.17 from Apache Lounge and updated with OpenSSL 1.0.0c as before. Comes up clean.

Appreciate the help!
Back to top
Michael T



Joined: 28 Feb 2011
Posts: 39

PostPosted: Mon 28 Feb '11 14:14    Post subject: How Do I compile Reply with quote

I have downloaded the files and tried to just copy them to the relevant folders but got an error starting Apache. I guess I have to recompile it all. I have Visual 2008 installed, but how do I compile it all? I downloaded the whole lot before and ssl .98 installed itself, but due to a penetration test I need to upgrade.
Back to top
Michael T



Joined: 28 Feb 2011
Posts: 39

PostPosted: Mon 28 Feb '11 14:15    Post subject: Re: How Do I compile Reply with quote

Sorry this is the error I got

[Mon Feb 28 11:54:30 2011] [warn] pid file D:/Program Files/Apache Software Foundation/Apache2.2/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg

PostPosted: Mon 28 Feb '11 17:03    Post subject: Re: How Do I compile Reply with quote

Michael T wrote:

[Mon Feb 28 11:54:30 2011] [warn] pid file D:/Program Files/Apache Software Foundation/Apache2.2/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?

That is not a real issue. That happens when Windows shuts down when the service is running. Nothing to worry about.
Back to top
Michael T



Joined: 28 Feb 2011
Posts: 39

PostPosted: Mon 28 Feb '11 19:39    Post subject: Re: How Do I compile Reply with quote

Windows did not shut down; it happened when I tried to start Apache after copying the new files to the respective folders. Copied the old ones back and it started OK.
Back to top
Smitty



Joined: 03 Jan 2008
Posts: 197

PostPosted: Mon 28 Mar '11 18:11    Post subject: Reply with quote

Can you make OpenSSL 1.0.0d available? It looks like it has some more security updates. Thanks!
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3049
Location: Hilversum, NL, EU

PostPosted: Mon 28 Mar '11 21:59    Post subject: Reply with quote

Smitty,

Changes are minor and not critical, waiting for 1.0.1.

Changes between 1.0.0c and 1.0.0d [8 Feb 2011]

*) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
[Neel Mehta, Adam Langley, Bodo Moeller (Google)]

*) Fix bug in string printing code: if *any* escaping is enabled we must
escape the escape character (backslash) or the resulting string is
ambiguous.
[Steve Henson]


Steffen
Back to top
Smitty



Joined: 03 Jan 2008
Posts: 197

PostPosted: Mon 28 Mar '11 22:00    Post subject: Reply with quote

Great, thanks for the update Steffen.
Back to top