httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Simon Irwin <simonirwi...@gmail.com>
Subject Re: [users@httpd] Apache 1.3 and OpenSSL
Date Wed, 09 Nov 2005 16:14:44 GMT
<oops - have switched Gmail to plain text now>

Each of the versions of Apache/mod_ssl/OpenSSL that I'm using have
been periodically updated with essential security updates (so while
it's Apache 1.3.12 as a baseline, it's not quite that ancient). 
However, it can be hard to tell exactly *which* patches have been
applied.

You're completely right, though - this is a horrible situation :-)

What I've really been looking for is some kind of statement that
OpenSSL version X is only compatible with mod_ssl version X (and
later).  Like I said before, I know that Apache and mod_ssl are
closely tied together, but have never seen anything that notes the
'dependencies' between Apache/mod_ssl and OpenSSL.

Thanks for your response.
Simon

On 11/9/05, Boyle Owen <Owen.Boyle@swx.com> wrote:
> Plain text please...
>
> This basically amounts to asking whether the API for openssl 0.9.8a is backwards compatible
as far as 0.9.5a - that is, there are various function calls in mod_ssl 2.6.6 which expect
to be understood by the OpenSSL library. If the interface to the library has changed at all
since April 2000, the answer will be "no" (I'd be astonished if it is "yes").
>
> It is not unusual for people to be a version or two behind with their various apache
components, but you seem to be in an extremely complicated position. Apache 1.3.12 is not
only ancient (July 2000), by comparison with a modern version, it is buggy and insecure. You
are doing no-one a favour by keeping it on the internet. Rather than pottering about trying
to fit a hydrogen fuel cell to a Morris 1000 Traveller, I would invest the effort in modifying
whatever application that forces you to use apache 1.3.12 so you can upgrade apache to a recent
version.
>
> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message may be ignored.
>
>
> -----Original Message-----
> From: Simon Irwin [mailto:simonirwin74@gmail.com]
> Sent: Mittwoch, 9. November 2005 15:03
> To: users@httpd.apache.org
> Subject: [users@httpd] Apache 1.3 and OpenSSL
>
>
> Hi All -
>
> I'm using a very old version of Apache - 1.3.12 and mod_ssl 2.6.6.  For historical reasons
I cannot upgrade to newer versions.
>
> However, I may soon need to upgrade my OpenSSL version from 0.9.5a to 0.9.8a.  I know
this is a strange position to be in.
>
> So I have a couple of questions.  Does anyone know whether Apache 1.3.12 (with mod_ssl
2.6.6) will work with OpenSSL 0.9.8a?  Are there any known compatibility issues?
>
> Any feedback  would be greatly appreciated.
> thanks
> Simon
> Diese E-mail ist eine private und persönliche Kommunikation. Sie hat keinen Bezug zur
Börsen- bzw. Geschäftstätigkeit der SWX Gruppe. This e-mail is of a private and personal
nature. It is not related to the exchange or business activities of the SWX Group. Le présent
e-mail est un message privé et personnel, sans rapport avec l'activité boursière du Groupe
SWX.
>
>
> This message is for the named person's use only. It may contain confidential, proprietary
or legally privileged information. No confidentiality or privilege is waived or lost by any
mistransmission. If you receive this message in error, please notify the sender urgently and
then immediately delete the message and any copies of it from your system. Please also immediately
destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose,
distribute, print, or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail communications through their
networks. Any views expressed in this message are those of the individual sender, except where
the message states otherwise and the sender is authorised to state them to be the views of
the sender's company.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message