httpd-dev mailing list archives

From Thom May <t...@planetarytramp.net>
Subject Re: [PATCH] openssl configuration
Date Fri, 28 Feb 2003 10:12:39 GMT
* Geoff Thorpe (geoff@geoffthorpe.net) wrote :
> Hi Madhu,
> 
> * MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1) (madhusudan_mathihalli@hp.com) wrote:
> 
> > 1. I thought we should not be enforcing openssl version number checks
> > (something like - openssl version SHOULD be > 0.9.6i) - mainly because ppl.
> > can apply patches to their previous versions of OpenSSL, and thus avoid
> > security problems.. (of course, I know you're coming from the OpenSSL
> > background, but that was the message I got here when I tried doing something
> > like that)
> 
> I put the version checks in simply because there are version checks in
> the existing M4 stuff and I would have thought it unacceptable to the
> ASF for me to remove them! :-) The current version checks are
> implemented in a cock-eyed fashion and are also out of date (0.9.6e used
> to be a meaningful cut-off point, but that has changed more recently).
> 
> It would perhaps make sense to provide a "--force-ssl-ver" type of
> option that would bypass version checks, and then have any version
> checking failure text point out the existence of "--force-ssl-ver". This
> way, the more determined users can force configure to bypass that,
> whilst it still provides a certain safety-net for the more naive and
> less intrepid against accidentally meddling with known-to-be-out-of-date
> support libraries.

(un)?fortunately most vendors prefer to backport security fixes rather than
release new versions of software into stable releases since backports are
far less likely to interfere with already tested and correctly integrated
software. Thus the average user is unlikely to *know* that they would need
to force an ssl version. Less intrepid users are far more likely to be
following vendor security updates ;-)
I don't think we should have enforced version checks for this; if we do
detect an old version I think the most we should do is to suggest that the
user checks with their vendor that they have the most up-to-date release for
their OS, and that said release fixes the (known) security holes.
Cheers,
-Thom 
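As an added example (not code from the httpd project or from anyone in this thread): a small POSIX sh version check in the spirit of what Geoff and Thom describe above. It parses the output of `openssl version`, compares the result against a cut-off (0.9.6i, the figure quoted in the thread), honours the proposed `--force-ssl-ver` bypass, and on failure does no more than recommend checking with the OS vendor, since a backported fix does not change the version string. The function names, the key encoding and the message text are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the httpd thread: a configure-style OpenSSL
# version check with a bypass option. The cut-off 0.9.6i and the option
# name --force-ssl-ver come from the discussion; everything else is assumed.

# Extract the version field from a line such as
# "OpenSSL 0.9.6i 19 Feb 2003" (constructed sample; real output varies).
parse_openssl_version_line() {
    set -- $1
    printf '%s\n' "$2"
}

# Turn an OpenSSL-style version such as "0.9.6i" into a single integer so
# that it can be compared with -ge: major, minor and fix become numeric
# fields, and the trailing patch letter becomes its alphabet position
# (a=1 ... z=26, none=0). "1.0.2k-fips" reduces to 1.0.2 + k.
openssl_version_key() {
    v=$1
    num=${v%%[a-z]*}            # "0.9.6"
    letter=${v#"$num"}          # "i", "k-fips" or ""
    letter=${letter%%[^a-z]*}   # keep only the leading patch letter
    maj=${num%%.*}; rest=${num#*.}
    min=${rest%%.*}; fix=${rest#*.}
    [ "$fix" = "$rest" ] && fix=0   # no third component present
    if [ -z "$letter" ]; then
        l=0
    else
        l=$(printf '%d' "'$letter"); l=$((l - 96))
    fi
    printf '%d\n' $(( maj * 100000000 + min * 1000000 + fix * 10000 + l ))
}

# Returns 0 when the detected version is at least the minimum, or when the
# caller passed --force-ssl-ver. Otherwise it prints advice and returns 1;
# it never tries to guess whether a vendor has backported fixes.
check_openssl_version() {
    detected=$1; minimum=$2; force=${3:-}
    if [ "$force" = "--force-ssl-ver" ]; then
        echo "configure: WARNING: OpenSSL version check bypassed ($detected)"
        return 0
    fi
    if [ "$(openssl_version_key "$detected")" -ge "$(openssl_version_key "$minimum")" ]; then
        return 0
    fi
    cat <<EOF >&2
configure: OpenSSL $detected found; $minimum or later is recommended.
  Vendors often backport security fixes without changing the version
  number, so check with your OS vendor that this release carries the
  current fixes, or re-run configure with --force-ssl-ver to skip this check.
EOF
    return 1
}

# Typical use in a configure script; runs only if an openssl binary exists.
if command -v openssl >/dev/null 2>&1; then
    check_openssl_version \
        "$(parse_openssl_version_line "$(openssl version)")" 0.9.6i || :
fi
```

The check deliberately stops at advice: with version numbers that vendors keep stable across security backports, a hard failure would mostly punish the users who are following vendor updates, which is the point Thom makes.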
