OpenSSL 0.9.8f upgrade is now available

 
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2160
Location: Hilversum, NL, EU

Posted: Tue 16 Oct '07 20:20    Post subject: OpenSSL 0.9.8f upgrade is now available

Update 19 October: 0.9.8g available, see below

Steffen
tdonovan
Moderator


Joined: 17 Dec 2005
Posts: 610
Location: Milford, MA, USA

Posted: Wed 17 Oct '07 18:55    Post subject: bug in OpenSSL 0.9.8f

There is a bug in OpenSSL 0.9.8f which causes an error.log entry like this for each new SSL session:
Quote:
[Wed Oct 17 12:11:39 2007] [error] unusably short session_id provided (0 bytes)

This error is harmless except for causing many log entries. SSL still works correctly.

I entered OpenSSL bug 1591 and Apache bug 43644 for this problem.

Note that the two security vulnerabilities fixed in OpenSSL 0.9.8f are not relevant for Apache 2.2 and mod_ssl.
Apache does not: 1.) use DTLS (datagram variation of TLS), or 2.) call SSL_get_shared_ciphers().
Installing OpenSSL 0.9.8f is not urgent if you are already running OpenSSL 0.9.8e.

Nevertheless, it is not a good practice to fall behind on OpenSSL versions. Many smaller non-security fixes are in 0.9.8f.

If there is a new OpenSSL 0.9.8g in the next few days (or weeks) - it may be a good idea to wait for it.
If this is not acceptable - you can either live with the error.log entries, or else fix the OpenSSL 0.9.8f source code yourself and re-build it.

If you build OpenSSL from the source code and you want to fix this problem yourself, edit the file srclib\openssl\ssl\s3_srvr.c and change line 746
from:
Code:
   if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)))
to:
Code:
   if (j == 0 || (s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)))
then re-build OpenSSL 0.9.8f.

-tom-
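
For anyone who stays on 0.9.8f and lives with the log entries, a triage filter keeps them from burying real errors. This is an added example, not part of the post above and not Apache or OpenSSL code; the name `triage` and every sample line except the first are constructed for illustration. It collapses only the exact 0-byte message quoted in the post into hourly counts and passes everything else through.

```python
import re
from collections import Counter

# Apache 2.2 error.log layout: [Wed Oct 17 12:11:39 2007] [error] message
LINE_RE = re.compile(
    r"^\[\w{3} (?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<hour>\d{2}):\d{2}:\d{2} "
    r"(?P<year>\d{4})\] \[(?P<level>\w+)\] (?P<msg>.*)$"
)
# Exact message from the post; other byte counts are deliberately not matched.
NOISE_MSG = "unusably short session_id provided (0 bytes)"

# Constructed sample log; only the first line is taken from the post.
SAMPLE = [
    "[Wed Oct 17 12:11:39 2007] [error] unusably short session_id provided (0 bytes)",
    "[Wed Oct 17 12:11:41 2007] [error] unusably short session_id provided (0 bytes)",
    "[Wed Oct 17 12:15:02 2007] [error] [client 192.0.2.10] File does not exist: "
    "C:/Apache2/htdocs/favicon.ico",
    "[Wed Oct 17 13:02:17 2007] [error] unusably short session_id provided (0 bytes)",
    "[Wed Oct 17 13:05:44 2007] [error] unusably short session_id provided (3 bytes)",
    "[Wed Oct 17 13:06:00 2007] [notice] Child 1234: Starting thread to listen on port 443.",
]


def triage(lines):
    """Split log lines into (hourly counts of the 0.9.8f noise, all other lines)."""
    noise_per_hour = Counter()
    other = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = LINE_RE.match(line)
        if m and m["level"] == "error" and m["msg"] == NOISE_MSG:
            bucket = f"{m['year']} {m['mon']} {int(m['day']):02d} {m['hour']}:00"
            noise_per_hour[bucket] += 1
        elif line:
            other.append(line)  # unparsed or unrelated lines are kept, never dropped
    return noise_per_hour, other


if __name__ == "__main__":
    counts, rest = triage(SAMPLE)
    for hour, n in sorted(counts.items()):
        print(f"{hour}  suppressed {n} zero-length session_id entries")
    print("\n".join(rest))
```
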
tdonovan
Moderator


Joined: 17 Dec 2005
Posts: 610
Location: Milford, MA, USA

Posted: Fri 19 Oct '07 15:53

OpenSSL 0.9.8g has been released which corrects this bug.
Quote:
Changes between 0.9.8f and 0.9.8g [19 Oct 2007]

*) Fix various bugs:
+ Binary incompatibility of ssl_ctx_st structure
+ DTLS interoperation with non-compliant servers
+ Don't call get_session_cb() without proposed session
+ Fix ia64 assembler code
[Andy Polyakov, Steve Henson]


I also updated the note about building OpenSSL with info for MASM v6 users, and added some additional info about patented ciphers.

For 0.9.8g binary download see the download page.

-tom-