logoon  windows
Apache Lounge
Webmasters

 


About

Forum Index Downloads Search Register Log in  RSS Apache Lounge



Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Apache Lounge is not sponsored by anyone.

Your donations will help to keep this site alive and well, and continuing the building of the binaries.



OpenSSL bugs

 
Post new topic   Reply to topic    Apache Forum Index -> News & Hangout



View previous topic :: View next topic  
Author Message
tdonovan
Moderator


Joined: 17 Dec 2005
Posts: 610
Location: Milford, MA, USA

PostPosted: Thu 19 Apr '12 23:43    Post subject: OpenSSL bugs Reply with quote

OpenSSL is having a busy time lately. They posted new versions: 0.9.8v, 1.0.0i, and 1.0.1a today (April 19,2012) for a buffer-overrun bug.
It's been SlashDotted already, so of course there's a lot of chatter about the bug and OpenSSL coding, etc.

For Apache, I can only find two paths to the vulnerable functions:
    1. when parsing the server's certificate and key files locally (which shouldn't have anything malicious in them)
    2.when checking for revoked client certificates using the new SSLOCSP* directives in 2.4.
If Apache is configured for your clients to use certificates, and you also have:
Code:
SSLOCSPEnable on
then you may be at risk, unless you have used the SSLOCSPOverrideResponder and SSLOCSDefaultResponder directives to ensure that you only contact a trustworthy OCSP responder, instead of the responder listed in the client's certificate.

These are the only uses of the vulnerable functions that I can find, but smart hackers could find some I missed. This OpenSSL update is certainly worth testing and installing over the next few days.

The other OpenSSL problems do not affect Apache unless your web server connects directly to PayPal, Facebook, or similar sites as a client. It seems that OpenSSL 1.0.0+ does the new TLSv1.1 and TLSv1.2 protocols correctly. It is turning up a a few big-name web sites (and load balancers) that don't handle these new protocols correctly, or else they don't handle the long list of ciphers that OpenSSL 1.0.0+ now supports. Debian has a few examples in their bug 665452, and Ubuntu has a few more in their bug 965371.

The OpenSSL developers are sure having a busy month!
-tom-
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2160
Location: Hilversum, NL, EU

PostPosted: Fri 20 Apr '12 14:31    Post subject: Reply with quote

Thanks for explaining.

Worth to upgrade, there are also "normal" bugs fixed in 1.0.1a.

Steffen
Back to top
tdonovan
Moderator


Joined: 17 Dec 2005
Posts: 610
Location: Milford, MA, USA

PostPosted: Sat 28 Apr '12 17:47    Post subject: Reply with quote

OpenSSL released version 1.0.1b on Thursday, April 26, 2012.

There are four changes in this version: two in this notice, and two more in the CHANGES file.

The change that seems important for Apache on Windows is the first one in the CHANGES file. It was discovered that OpenSSL 1.0.1 was not fully compatible with OpenSSL 1.0.0.
If Apache was compiled with OpenSSL 1.0.0, and then you updated OpenSSL from 1.0.0 to 1.0.1 - the TLSV1.1 protocol may be accidentally disabled. The other protocols (TLSv1.2, SSLv3) are OK.

Updating OpenSSL to 1.0.1b or higher will also need Apache (or, more specifically: mod_ssl.so) to be re-compiled.

The other three changes are for: 1) non-Intel platforms, 2) FIPS-compliant OpenSSL (we never use this), and 3) an improvement for SSL clients (but not for servers). The last change is not really a bug-fix.

The Apache 2.2 and 2.4 downloads from Apache Lounge were both compiled with, and include, OpenSSL 1.0.1a, so: there is no problem that needs to be fixed with any AL downloads of Apache 2.2 or 2.4.

Unlike the release of OpenSSL 1.0.1a last week, which fixed some important security bugs, I do not think this OpenSSL update is worth getting and installing for Apache-Windows users. If the releases continue at this rate, I plan to wait for some bona-fide security fixes before I update OpenSSL (and re-compile mod_ssl.so to go with it).

-tom-
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2160
Location: Hilversum, NL, EU

PostPosted: Sun 29 Apr '12 20:53    Post subject: Reply with quote

Second on that. Also plan to wait for some bona-fide security fixes before I update OpenSSL. Looks like they are too much in a hurry to solve "theoritical" security issues.

Thanks! for following for us the OpenSSL scene.

Steffen
Back to top


Post new topic   Reply to topic    Apache Forum Index -> News & Hangout
Page 1 of 1