httpd-users mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: [users@httpd] upgrade mod_ssl on Apache
Date Tue, 15 Mar 2011 08:47:16 GMT
On 3/11/2011 3:07 PM, Edwards, Denise wrote:
> 
> I’m upgrading the Apache HTTP from 2.2.10 to latest version (2.2.17). We normally use the
> openSSL that comes bundled with the Apache install package. The latest Apache comes
> bundled with OpenSSL v0.9.8o and I need to upgrade it to v0.9.8p. How do you upgrade the
> openssl on the installed Apache? I downloaded the OpenSSL v0.9.8p tar from openssl.org,
> but not sure where to go from there as it’s not the mod_ssl.so format.

FWIW...

 0.9.8o - CVE-2010-0742 - httpd shipped NO_CMS, no impact
        - CVE-2010-1633 - affected 1.0.0 only, no impact
        - CVE-2010-3864 - mod_ssl does not use openssl internal caching, no impact

 0.9.8p - CVE-2010-4180 - MITM issue in renegotiation, potential impact
        - CVE-2010-4252 - httpd shipped NO_JPAKE, no impact

 0.9.8q - CVE-2011-0014 - no OCSP support in 2.2.17, no impact

As you can see, there is one possible MITM vector in 0.9.8p that impacts httpd,
so the assertion that one would need to upgrade from .8o to .8p and not pick
up at least .8q is not only foolish but bordering on the inept, a truly
counterproductive waste of effort.

http://httpd.apache.org/docs/2.2/platform/win_compiling.html - Follow ONLY the
[Optional] OpenSSL libraries (for mod_ssl and ab.exe with ssl support) step
and move openssl.exe, libeay32.dll and ssleay32.dll into place, and you will
be finished.  But at least build a sensible version.

When 2.2.18 ships, or a significant flaw is discovered, httpd will ship the
then-current iteration of openssl.

> CONFIDENTIALITY NOTICE: The information in this Internet email is confidential and may be
> legally privileged. It is intended solely for the addressee. Access to this email by anyone
> else is unauthorized.

Not anymore it isn't, due to your act of publishing an inquiry to a public list.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

