logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in  RSS Apache Lounge  


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.



Post new topic   Forum Index -> News & Hangout View previous topic :: View next topic
Reply to topic   Topic: OpenSSL 0.9.8f upgrade is now available
Author
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2768
Location: Hilversum, NL, EU

PostPosted: Tue 16 Oct '07 20:20    Post subject: OpenSSL 0.9.8f upgrade is now available Reply with quote

Update 19 October: 0.9.8g avaliable, see below

Steffen
Back to top
tdonovan
Moderator


Joined: 17 Dec 2005
Posts: 610
Location: Milford, MA, USA

PostPosted: Wed 17 Oct '07 18:55    Post subject: bug in OpenSSL 0.9.8f Reply with quote

There is a bug in OpenSSL 0.9.8f which causes an error.log entry like this for each new SSL session:
Quote:
[Wed Oct 17 12:11:39 2007] [error] unusably short session_id provided (0 bytes)

This error is harmless except for causing many log entries. SSL still works correctly.

I entered OpenSSL bug 1591 and Apache bug 43644 for this problem.

Note that the two security vulnerabilities fixed in OpenSSL 0.9.8f are not relevant for Apache 2.2 and mod_ssl.
Apache does not: 1.) use DTLS (datagram variation of TLS), or 2.) call SSL_get_shared_ciphers().
Installing OpenSSL 0.9.8f is not urgent if you are already running OpenSSL 0.9.8e.

Nevertheless, it is not a good practice to fall behind on OpenSSL versions. Many smaller non-security fixes are in 0.9.8f.

If there is a new OpenSSL 0.9.8g in the next few days (or weeks) - it may be a good idea to wait for it.
If this is not acceptable - you can either live with the error.log entries, or else fix the OpenSSL 0.9.8f source code yourself and re-build it.

If you build OpenSSL from the source code and you want to fix this problem yourself, edit the file srclib\openssl\ssl\s3_srvr.c and change line 746
from:
Code:
   if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)))
to:
Code:
   if (j == 0 || (s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)))
then re-build OpenSSL 0.9.8f.

-tom-
Back to top
tdonovan
Moderator


Joined: 17 Dec 2005
Posts: 610
Location: Milford, MA, USA

PostPosted: Fri 19 Oct '07 15:53    Post subject: Reply with quote

OpenSSL 0.9.8g has been released which corrects this bug.
Quote:
Changes between 0.9.8f and 0.9.8g [19 Oct 2007]

*) Fix various bugs:
+ Binary incompatibility of ssl_ctx_st structure
+ DTLS interoperation with non-compliant servers
+ Don't call get_session_cb() without proposed session
+ Fix ia64 assembler code
[Andy Polyakov, Steve Henson]


I also updated the note about building OpenSSL with info for MASM v6 users, and added some additional info about patented ciphers.

For 0.9.8g binary download see the download page.

-tom-
Back to top


Reply to topic   Topic: OpenSSL 0.9.8f upgrade is now available View previous topic :: View next topic
Post new topic   Forum Index -> News & Hangout