Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
Posted: Sat 04 Dec '10 15:32 Post subject: OpenSSL 1.0.0c upgrade for Apache 2.2.x is available
OpenSSL 1.0.0c has been released; the upgrade for your Apache is available at the download page www.apachelounge.com/download/
Major changes between OpenSSL 1.0.0b and OpenSSL 1.0.0c:
o Fix for security issue CVE-2010-4180
o Fix for CVE-2010-4252
o Fix mishandling of absent EC point format extension.
o Fix various platform compilation issues.
o Corrected fix for security issue CVE-2010-3864.
It is strongly recommended that you upgrade as soon as possible.
Steffen
krisztian.kocsis
Joined: 18 Dec 2010 Posts: 2
Posted: Sat 18 Dec '10 13:20 Post subject: PHP Crashing
Did anybody experience PHP crashes after updating to OpenSSL 1.0.0c?
If I execute this from PHP 5.3.3/5.3.4:
openssl_digest('1234', 'SHA256', false);
it will crash.
If I restore the previous OpenSSL files, it works again.
I didn't check, but I think that other OpenSSL functions are also affected.
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Sat 18 Dec '10 23:05 Post subject:
@krisztian Can you please run a sample script on the command line and see if that crashes? If not, you could use fcgid; then PHP will use its own SSL libs and won't crash even with an updated Apache.
Brian White
Joined: 24 Aug 2008 Posts: 21
Posted: Sun 19 Dec '10 0:25 Post subject:
I had the same problem, but it was because I did not read the instructions carefully. Most updates of OpenSSL only require you to update the contents of Apache's bin and conf directories. With this particular release you must also replace mod_ssl.so in Apache's modules directory.
krisztian.kocsis
Joined: 18 Dec 2010 Posts: 2
Posted: Mon 20 Dec '10 13:05 Post subject: PHP Crash
Yes, it works perfectly when I run this command from the command line.
I know how dynamic symbol resolving works, so the only option to use this update is to run PHP as CGI, not as a module.
Of course I've replaced the mod_ssl.so as well (same result).
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Wed 22 Dec '10 14:44 Post subject:
I asked the PHP dev guys. PHP is still using OpenSSL 0.9.8.
When PHP runs as a module it will load the needed SSL libs (DLLs) from the apache\bin folder. That makes it incompatible. In this case you have to downgrade Apache to OpenSSL 0.9.8 OR run PHP over fcgid. For me it works great using mod_fcgid. I know that apachelounge also runs with PHP over mod_fcgid.
Is it an option for you to use mod_fcgid instead of php5apache2_2.dll?
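The mechanism behind the two posts above (PHP loaded as an Apache module binds to the OpenSSL DLLs that httpd.exe already has in memory, while php-cgi.exe under mod_fcgid gets PHP's own copy) can be worked through as a small model of the Windows loader. The script below is an added example, not code from the thread or from Apache Lounge; the two loader rules it encodes (an already-loaded module of the same name is reused regardless of directory, and otherwise the executable's own directory is searched first) are documented Windows behaviour, but the directory layout, paths, version strings and the simplified search path are constructed for the illustration.

```python
"""Constructed model of Windows DLL binding, showing why a mod_php built
against OpenSSL 0.9.8 ends up on the 1.0.0c DLLs that httpd.exe already
loaded, while php-cgi.exe under mod_fcgid gets its own copy.

Two loader rules drive the outcome (both are documented Windows behaviour):
  1. If a module with the same base name is already loaded in the process,
     the loader reuses it, whatever directory it came from.
  2. Otherwise the DLL search order is walked, and the directory of the
     executable (the application directory) is searched first.
The paths and version strings below are assumptions for this example."""

# Constructed on-disk layout: full path -> OpenSSL version string of that file.
FS = {
    r"C:\Apache2\bin\libeay32.dll": "1.0.0c",
    r"C:\Apache2\bin\ssleay32.dll": "1.0.0c",
    r"C:\php\libeay32.dll": "0.9.8o",
    r"C:\php\ssleay32.dll": "0.9.8o",
}

OPENSSL_DLLS = ["libeay32.dll", "ssleay32.dll"]


def abi_branch(version):
    """'1.0.0c' -> '1.0.0', '0.9.8o' -> '0.9.8'. The 0.9.8 and 1.0.0 branches
    are not binary compatible; the letter suffix is only a patch level."""
    return version.rstrip("abcdefghijklmnopqrstuvwxyz")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def resolve_dll(name, process):
    """Return the path the loader binds for `name` inside `process`
    (a dict with 'app_dir', 'search_path' and the list 'loaded')."""
    # Rule 1: an already-loaded module of that name wins unconditionally.
    for path in process["loaded"]:
        if basename(path) == name.lower():
            return path
    # Rule 2: application directory first, then the rest of the search path.
    for directory in [process["app_dir"], *process["search_path"]]:
        for path in FS:
            if path.lower() == (directory + "\\" + name).lower():
                process["loaded"].append(path)
                return path
    raise FileNotFoundError(name)


def load_module(process, built_against):
    """Bind the OpenSSL imports of a module built against `built_against`
    and report, per DLL, (bound path, True if the ABI branch matches)."""
    report = {}
    for dll in OPENSSL_DLLS:
        path = resolve_dll(dll, process)
        report[dll] = (path, abi_branch(FS[path]) == built_against)
    return report


def scenario_mod_php():
    """httpd.exe loads mod_ssl (1.0.0) first, then php5apache2_2.dll (0.9.8).
    C:\\php is even put ahead on the search path: it makes no difference."""
    httpd = {"app_dir": r"C:\Apache2\bin",
             "search_path": [r"C:\php", r"C:\Windows\System32"],
             "loaded": []}
    load_module(httpd, "1.0.0")          # mod_ssl.so pulls in 1.0.0c
    return load_module(httpd, "0.9.8")   # php5apache2_2.dll reuses them


def scenario_fcgid():
    """php-cgi.exe is a separate process whose application directory is
    C:\\php, so it binds the 0.9.8 DLLs shipped with PHP."""
    php_cgi = {"app_dir": r"C:\php",
               "search_path": [r"C:\Apache2\bin", r"C:\Windows\System32"],
               "loaded": []}
    return load_module(php_cgi, "0.9.8")


if __name__ == "__main__":
    for label, report in (("mod_php in httpd.exe", scenario_mod_php()),
                          ("php-cgi.exe via mod_fcgid", scenario_fcgid())):
        print(label)
        for dll, (path, ok) in report.items():
            print(f"  {dll:13s} -> {path}  {'OK' if ok else 'ABI MISMATCH'}")
```

Running it reports an ABI mismatch for both DLLs in the mod_php scenario and a clean bind in the fcgid one. On a live Windows box the equivalent check is to list the modules httpd.exe actually has loaded (for instance the `Modules` property of the object `Get-Process httpd` returns in PowerShell) and compare the file versions of libeay32.dll and ssleay32.dll with the copies PHP ships.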
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
Posted: Wed 22 Dec '10 20:24 Post subject:
@james, indeed running here OpenSSL 1.0.0c and mod_fcgid-2.3.6, no issues seen.
Steffen
sxgray
Joined: 08 Feb 2011 Posts: 4
Posted: Tue 08 Feb '11 21:45 Post subject:
We've been running httpd 2.2.16 with OpenSSL 0.9.8o for some time successfully. Recently moved to 2.2.17 with no issues. When trying to upgrade to OpenSSL 1.0.0c, httpd doesn't run. When something is written to the error log before failing, it looks like this:
Code:
[Tue Feb 08 11:19:28 2011] [notice] Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/1.0.0c configured -- resuming normal operations
[Tue Feb 08 11:19:28 2011] [notice] Server built: Oct 18 2010 01:58:12
[Tue Feb 08 11:19:28 2011] [notice] Parent: Created child process 7812
[Tue Feb 08 11:19:29 2011] [error] Unable to import RSA server certificate
[Tue Feb 08 11:19:29 2011] [error] SSL Library Error: 218570875 error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long
[Tue Feb 08 11:19:29 2011] [error] SSL Library Error: 218529894 error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header
[Tue Feb 08 11:19:29 2011] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Tue Feb 08 11:19:29 2011] [crit] (OS 1813)The specified resource type cannot be found in the image file. : master_main: create child process failed. Exiting.
Switching back to OpenSSL 0.9.8o makes everything all better.
Windows 7, running 32-bit httpd/openssl.
Has anyone seen any issues like this with OpenSSL 1.0.0c and Apache httpd?
Thanks,
Scott
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Tue 08 Feb '11 23:07 Post subject:
Where did you get Apache 2.2.17 from?
sxgray
Joined: 08 Feb 2011 Posts: 4
Posted: Wed 09 Feb '11 0:44 Post subject:
Sorry, I should have been a little more specific.
The Apache httpd 2.2.17 (with OpenSSL 0.9.8o) was downloaded from a mirror off httpd.apache.org.
OpenSSL 1.0.0c was downloaded from Apache Lounge (OpenSSL_1.0.0c-win32-x86.zip).
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Wed 09 Feb '11 1:45 Post subject:
And that is most likely the reason for the problem, and what I had assumed that last error meant, even though it doesn't make much sense.
The reason: builds from apache.org are built with Visual C++ 6.0, and this OpenSSL update was built with Visual C++ 2008.
So, you can get the Apache from here, which is built with Visual C++ 2008, or wait for 2.2.18 from apache.org, which will have whatever the current 0.9.8 version is when released.
Just an FYI, OpenSSL 0.9.8r/1.0.0d came out today, when/if Steffen builds it and offers an update again.
sxgray
Joined: 08 Feb 2011 Posts: 4
Posted: Wed 09 Feb '11 3:02 Post subject:
Thanks! I grabbed the httpd 2.2.17 from Apache Lounge and updated with OpenSSL 1.0.0c as before. Comes up clean.
Appreciate the help!
Michael T
Joined: 28 Feb 2011 Posts: 39
Posted: Mon 28 Feb '11 14:14 Post subject: How Do I compile
I have downloaded the files and tried to just copy them to the relevant folders, but got an error starting Apache. I guess I have to recompile it all; I have Visual 2008 installed, but how do I compile it all? I downloaded the whole lot before and SSL 0.9.8 installed itself, but due to a penetration test I need to upgrade.
Michael T
Joined: 28 Feb 2011 Posts: 39
Posted: Mon 28 Feb '11 14:15 Post subject: Re: How Do I compile
Sorry, this is the error I got:
[Mon Feb 28 11:54:30 2011] [warn] pid file D:/Program Files/Apache Software Foundation/Apache2.2/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Mon 28 Feb '11 17:03 Post subject: Re: How Do I compile
Michael T wrote:
[Mon Feb 28 11:54:30 2011] [warn] pid file D:/Program Files/Apache Software Foundation/Apache2.2/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
That is not a real issue. That happens when Windows shuts down while the service is running. Nothing to worry about.
Michael T
Joined: 28 Feb 2011 Posts: 39
Posted: Mon 28 Feb '11 19:39 Post subject: Re: How Do I compile
Windows did not shut down; it happened when I tried to start Apache after copying the new files to the respective folders. Copied the old ones back and it started OK.
Smitty
Joined: 03 Jan 2008 Posts: 197
Posted: Mon 28 Mar '11 18:11 Post subject:
Can you make OpenSSL 1.0.0d available? It looks like it has some more security updates. Thanks!
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
Posted: Mon 28 Mar '11 21:59 Post subject:
Smitty,
The changes are minor and not critical; waiting for 1.0.1.
Changes between 1.0.0c and 1.0.0d [8 Feb 2011]
*) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
[Neel Mehta, Adam Langley, Bodo Moeller (Google)]
*) Fix bug in string printing code: if *any* escaping is enabled we must
escape the escape character (backslash) or the resulting string is
ambiguous.
[Steve Henson]
Steffen
Smitty
Joined: 03 Jan 2008 Posts: 197
Posted: Mon 28 Mar '11 22:00 Post subject:
Great, thanks for the update Steffen.