httpd-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [users@httpd] Enabling ECDHE ciphers
Date Fri, 18 Apr 2014 19:14:24 GMT
J.Lance,

On 4/18/14, 2:55 PM, J.Lance Wilkinson wrote:
> Christopher Schultz wrote:
> ...snip...
>>
>> I don't get it. Both setups (2.2.26 and 2.4.9) have 1.0.1.e and have an
>> update available to 1.0.1g (I haven't read the changelogs but I'll bet
>> the difference is mostly the version-bump since everyone is paranoid
>> about 1.0.1e, now). I'll see if that changes anything.
> 
> Chris,
> What OS are you running?  RHEL6?

Something like that. It's "Amazon Linux" which is RHEL-compatible.

> If so, then you actually do have the patched version EQUIVALENT to 1.0.1g,
> so my local Linux guru tells me.
> 
> On RHEL6, I get:
> % openssl version
> OpenSSL 1.0.1e-fips 11 Feb 2013
> 
> BUT, I also get:
> ~% rpm -q openssl
> openssl-1.0.1e-16.el6_5.7.x86_64
> 
> RedHat, he tells me, does not distribute the new version but actually
> went back and applied the relevant patches TO THEIR DISTRIBUTED
> VERSION.  Note the -16.
> That's the indicator.

Yes, I'm aware. Amazon released another update that brings the version
explicitly up to 1.0.1g. I am aware that I was safe from Heartbleed even
with the older version.

> It seems that RedHat thinks they know better than we.

The difference is that the patched 1.0.1e had only the security patch
for Heartbleed. I suspect that the difference between 1.0.1e and 1.0.1g
directly from OpenSSL includes more changes than just the Heartbleed
patch. This is how most distros work: they back-port only the patches
that are appropriate instead of always including version.current for
their updates.

Anyhow, it seems you've strayed off-topic because this isn't about which
is more appropriate -- 1.0.1e or 1.0.1g... it's about why I can't seem
to get httpd 2.2.26 to use ECDHE ciphers. I suspect it has something to
do with Amazon's build process even though the libraries are
dynamically-linked. Perhaps httpd was built against 1.0.0 so does not
include certain capabilities even though 1.0.1g is available at run-time.

-chris
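As an added example (not from the thread or the httpd project), a small shell script that checks the two points above: whether the distro RPM release carries a back-port even though `openssl version` still reports 1.0.1e, and whether mod_ssl was built against a different OpenSSL than the one it loads at run time. The sample command outputs are constructed; where the build-time library version is logged varies by httpd version, so that line is assumed to be available.

```shell
#!/bin/sh
# Constructed stand-ins for what the real commands print on the box:
#   `openssl version`, `rpm -q openssl`, and a log line recording the
#   OpenSSL mod_ssl was built against (1.0.0 reflects the thread's hypothesis).
SAMPLE_RUNTIME="OpenSSL 1.0.1e-fips 11 Feb 2013"
SAMPLE_RPM="openssl-1.0.1e-16.el6_5.7.x86_64"
SAMPLE_BUILT="mod_ssl/2.2.26 compiled against Library: OpenSSL/1.0.0-fips"

# Extract the bare OpenSSL version (e.g. 1.0.1e) from `openssl version`
# output or from a log line containing "OpenSSL/<ver>"; "-fips" is dropped.
openssl_version_of() {
  printf '%s\n' "$1" | sed -n 's/.*OpenSSL[ /]\([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Split an RPM NVR into "<upstream version> <distro release>". On RHEL-style
# distros a back-ported fix bumps only the release (16.el6_5.7 here), so the
# upstream version reported by `openssl version` does not change.
rpm_version_release() {
  nvr=${1%.*}                       # drop the architecture suffix
  nv=${nvr%-*}                      # openssl-1.0.1e
  printf '%s %s\n' "${nv##*-}" "${nvr##*-}"
}

# True when build-time and run-time libraries differ in major.minor.patch.
# OpenSSL 1.0.x letter releases (1.0.1e vs 1.0.1g) are bug-fix builds on the
# same API, so only the numeric part is compared.
build_runtime_mismatch() {
  built=$(openssl_version_of "$1")
  running=$(openssl_version_of "$2")
  [ "${built%[a-z]*}" != "${running%[a-z]*}" ]
}

# ECDHE suites the run-time library offers; prints nothing if openssl is absent.
ecdhe_suites() {
  command -v openssl >/dev/null 2>&1 || return 0
  openssl ciphers 'ECDHE' 2>/dev/null | tr ':' '\n'
}

# Walk-through on the constructed samples (swap in the real command output).
set -- $(rpm_version_release "$SAMPLE_RPM")
echo "runtime: $(openssl_version_of "$SAMPLE_RUNTIME") (rpm upstream $1, release $2)"
if build_runtime_mismatch "$SAMPLE_BUILT" "$SAMPLE_RUNTIME"; then
  echo "mod_ssl built against $(openssl_version_of "$SAMPLE_BUILT"); rebuild against the run-time library"
fi
echo "ECDHE suites offered by the run-time library: $(ecdhe_suites | wc -l)"
```

To apply it to a real host, replace the three SAMPLE_ values with the output of `openssl version`, `rpm -q openssl` and the relevant httpd log line.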

