httpd-dev mailing list archives

From Dr Stephen Henson <shen...@opensslfoundation.com>
Subject CVE-2012-2110 and mod_ssl.
Date Fri, 20 Apr 2012 15:29:35 GMT
Guys,

A note about the impact of the potentially exploitable OpenSSL vulnerability
CVE-2012-2110 on mod_ssl.

The OCSP part of Apache 2.4 mod_ssl makes use of the d2i_OCSP_RESPONSE_bio call
which is affected. Since OCSP data relies on DNS it cannot be trusted and an
attacker could inject malicious data by this route if OCSP or OCSP stapling is
enabled.

An alternative technique which would not rely on the OpenSSL upstream fix would
be to use d2i_OCSP_RESPONSE instead.

The mod_ssl code also makes use of the affected d2i_X509_bio and
d2i_PrivateKey_bio calls but these load certificates and keys for server
configuration and so the data should come from trusted sources.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson@opensslfoundation.com
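The message above suggests replacing d2i_OCSP_RESPONSE_bio with d2i_OCSP_RESPONSE, i.e. reading the response bytes into memory yourself and decoding from the buffer. The following C program is an added example, not code from this message, from httpd or from OpenSSL: it reads a response from a stream into a bounded buffer, checks that the bytes form exactly one well-formed outer DER SEQUENCE (rejecting indefinite-length, non-minimal, truncated and oversized length fields), and marks the point where d2i_OCSP_RESPONSE would be called. That call is left as a comment so the example builds without libcrypto. The size cap, the status enum and all function names are assumptions made for the example; the sample response bytes are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap on an OCSP response we are willing to buffer (not from the page). */
#define OCSP_RESP_MAX (64u * 1024u)

typedef enum {
    RESP_OK = 0,
    RESP_TOO_LARGE,
    RESP_READ_ERROR,
    RESP_BAD_DER,
    RESP_OOM
} resp_status;

/* Parse the outer DER SEQUENCE header of buf and return the total encoded
 * length (header + body), or 0 if the header is malformed: wrong tag,
 * indefinite length, more than 4 length octets, non-minimal length encoding,
 * or a declared body longer than the bytes actually present. */
size_t der_sequence_total_len(const unsigned char *buf, size_t len)
{
    size_t hdr, body;
    if (len < 2 || buf[0] != 0x30)
        return 0;                                   /* not a SEQUENCE */
    if (buf[1] < 0x80) {                            /* short form */
        hdr = 2;
        body = buf[1];
    } else {
        size_t n = buf[1] & 0x7f;                   /* number of length octets */
        if (n == 0 || n > 4)
            return 0;                               /* 0x80 = indefinite (BER only) */
        if (len < 2 + n)
            return 0;                               /* length field itself truncated */
        if (buf[2] == 0 || (n == 1 && buf[2] < 0x80))
            return 0;                               /* DER requires minimal encoding */
        body = 0;
        for (size_t i = 0; i < n; i++)
            body = (body << 8) | buf[2 + i];
        hdr = 2 + n;
    }
    if (body > len - hdr)
        return 0;                                   /* declared body exceeds data present */
    return hdr + body;
}

/* Read all of 'in' into a heap buffer of at most 'max' bytes. The caller
 * owns *out on RESP_OK; on any other status *out is NULL. */
resp_status read_bounded(FILE *in, size_t max, unsigned char **out, size_t *out_len)
{
    unsigned char *buf = malloc(max);
    size_t used = 0;
    *out = NULL;
    *out_len = 0;
    if (!buf)
        return RESP_OOM;
    for (;;) {
        if (used == max) {
            unsigned char probe;                    /* one more byte means over the cap */
            if (fread(&probe, 1, 1, in) == 1) {
                free(buf);
                return RESP_TOO_LARGE;
            }
            break;
        }
        size_t n = fread(buf + used, 1, max - used, in);
        used += n;
        if (n == 0) {
            if (ferror(in)) {
                free(buf);
                return RESP_READ_ERROR;
            }
            break;                                  /* clean EOF */
        }
    }
    *out = buf;
    *out_len = used;
    return RESP_OK;
}

/* Bounded read followed by an outer-structure check. The buffer must hold
 * exactly one DER SEQUENCE with no trailing bytes. */
resp_status ocsp_response_from_stream(FILE *in, size_t max, unsigned char **out, size_t *out_len)
{
    resp_status st = read_bounded(in, max, out, out_len);
    if (st != RESP_OK)
        return st;
    if (der_sequence_total_len(*out, *out_len) != *out_len) {
        free(*out);
        *out = NULL;
        *out_len = 0;
        return RESP_BAD_DER;
    }
    /* With libcrypto linked, the in-memory decoder goes here:
     *   const unsigned char *p = *out;
     *   OCSP_RESPONSE *resp = d2i_OCSP_RESPONSE(NULL, &p, (long)*out_len);
     * Left as a comment so this example compiles without OpenSSL. */
    return RESP_OK;
}

int main(void)
{
    /* Constructed sample: OCSPResponse { responseStatus tryLater(3) } as DER. */
    static const unsigned char sample[] = {0x30, 0x03, 0x0a, 0x01, 0x03};
    unsigned char *resp = NULL;
    size_t resp_len = 0;
    FILE *f = tmpfile();
    if (!f)
        return 1;
    fwrite(sample, 1, sizeof sample, f);
    rewind(f);
    resp_status st = ocsp_response_from_stream(f, OCSP_RESP_MAX, &resp, &resp_len);
    printf("status=%d len=%zu\n", (int)st, resp_len);
    free(resp);
    fclose(f);
    return st == RESP_OK ? 0 : 1;
}
```

The cap is the important part: d2i_OCSP_RESPONSE itself never reads beyond the length you pass, so once the response lives in a buffer you sized, the length arithmetic that the _bio variants perform on untrusted DER headers is no longer on the path.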
