Topic: OpenSSL bugs
tdonovan Moderator
Joined: 17 Dec 2005 Posts: 611 Location: Milford, MA, USA
Posted: Thu 19 Apr '12 23:43 Post subject: OpenSSL bugs
OpenSSL is having a busy time lately. They posted new versions: 0.9.8v, 1.0.0i, and 1.0.1a today (April 19, 2012) for a buffer-overrun bug.
It's been SlashDotted already, so of course there's a lot of chatter about the bug and OpenSSL coding, etc.
For Apache, I can only find two paths to the vulnerable functions:
1. when parsing the server's certificate and key files locally (which shouldn't have anything malicious in them)
2. when checking for revoked client certificates using the new SSLOCSP* directives in 2.4. If Apache is configured for your clients to use certificates, and you also have: then you may be at risk, unless you have used the SSLOCSPOverrideResponder and SSLOCSPDefaultResponder directives to ensure that you only contact a trustworthy OCSP responder, instead of the responder listed in the client's certificate.
These are the only uses of the vulnerable functions that I can find, but smart hackers could find some I missed. This OpenSSL update is certainly worth testing and installing over the next few days.
The other OpenSSL problems do not affect Apache unless your web server connects directly to PayPal, Facebook, or similar sites as a client. It seems that OpenSSL 1.0.0+ does the new TLSv1.1 and TLSv1.2 protocols correctly. It is turning up a few big-name web sites (and load balancers) that don't handle these new protocols correctly, or else they don't handle the long list of ciphers that OpenSSL 1.0.0+ now supports. Debian has a few examples in their bug 665452, and Ubuntu has a few more in their bug 965371.
The OpenSSL developers are sure having a busy month!
-tom-
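As an added example (not from the post above, and not configuration shipped by the Apache project), the two situations tom describes look like this in an Apache 2.4 httpd.conf. The first fragment is the risky one: client certificates are required and OCSP checking is on, so httpd contacts whatever responder URL each presented client certificate advertises. The second fragment is the hardened alternative, which uses the SSLOCSPDefaultResponder and SSLOCSPOverrideResponder directives named in the post so that only an operator-chosen responder is ever contacted. The two fragments are alternatives for the same site (load one, not both); the hostname, file paths, the responder URL and the SSLOCSPEnable directive are assumptions that the post does not mention. httpd does not allow comments after a directive on the same line, so every comment sits on its own line.

```apache
# --- Alternative 1 (risky): revocation checks go to the responder
# --- named inside each client's own certificate (AIA extension).
<VirtualHost *:443>
    # assumed hostname and file locations
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt

    # client certificates are mandatory for every request
    SSLVerifyClient require
    SSLVerifyDepth  2

    # SSLOCSPEnable is assumed here; it is not named in the post.
    # With no SSLOCSPDefaultResponder / SSLOCSPOverrideResponder,
    # httpd parses the response from whatever URL the client
    # certificate points at, which a hostile client controls.
    SSLOCSPEnable on
</VirtualHost>

# --- Alternative 2 (hardened): same client-certificate policy,
# --- but OCSP traffic only ever goes to a responder you chose.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt

    SSLVerifyClient require
    SSLVerifyDepth  2

    SSLOCSPEnable on
    # assumed responder URL; should be one run by, or trusted by,
    # the CA that issued the client certificates
    SSLOCSPDefaultResponder  http://ocsp.internal.example.com/
    # force the default responder even when the client certificate
    # carries its own responder URL; without this line the default
    # is only used for certificates that name no responder at all
    SSLOCSPOverrideResponder on
</VirtualHost>
```

After changing the configuration, `httpd -t` (or `httpd.exe -t` on Windows) confirms the directive names parse under the loaded mod_ssl; SSLOCSP* directives are only recognised by the 2.4 mod_ssl that the post is discussing.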
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
Posted: Fri 20 Apr '12 14:31
Thanks for explaining.
Worth upgrading; there are also "normal" bugs fixed in 1.0.1a.
Steffen
tdonovan Moderator
Joined: 17 Dec 2005 Posts: 611 Location: Milford, MA, USA
Posted: Sat 28 Apr '12 17:47
OpenSSL released version 1.0.1b on Thursday, April 26, 2012.
There are four changes in this version: two in this notice, and two more in the CHANGES file.
The change that seems important for Apache on Windows is the first one in the CHANGES file. It was discovered that OpenSSL 1.0.1 was not fully compatible with OpenSSL 1.0.0.
If Apache was compiled with OpenSSL 1.0.0, and then you updated OpenSSL from 1.0.0 to 1.0.1, the TLSv1.1 protocol may be accidentally disabled. The other protocols (TLSv1.2, SSLv3) are OK.
Updating OpenSSL to 1.0.1b or higher will also require Apache (or, more specifically, mod_ssl.so) to be re-compiled.
The other three changes are for: 1) non-Intel platforms, 2) FIPS-compliant OpenSSL (we never use this), and 3) an improvement for SSL clients (but not for servers). The last change is not really a bug-fix.
The Apache 2.2 and 2.4 downloads from Apache Lounge were both compiled with, and include, OpenSSL 1.0.1a, so there is no problem that needs to be fixed with any AL downloads of Apache 2.2 or 2.4.
Unlike the release of OpenSSL 1.0.1a last week, which fixed some important security bugs, I do not think this OpenSSL update is worth getting and installing for Apache-Windows users. If the releases continue at this rate, I plan to wait for some bona-fide security fixes before I update OpenSSL (and re-compile mod_ssl.so to go with it).
-tom-
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
Posted: Sun 29 Apr '12 20:53
Seconded. I also plan to wait for some bona-fide security fixes before I update OpenSSL. Looks like they are too much in a hurry to solve "theoretical" security issues.
Thanks for following the OpenSSL scene for us!
Steffen