Topic: OpenSSL 0.9.8f upgrade is now available
Steffen (Moderator)
Joined: 15 Oct 2005   Posts: 3094   Location: Hilversum, NL, EU
Posted: Tue 16 Oct '07 20:20   Post subject: OpenSSL 0.9.8f upgrade is now available
Update 19 October: 0.9.8g available, see below
Steffen
tdonovan (Moderator)
Joined: 17 Dec 2005   Posts: 611   Location: Milford, MA, USA
Posted: Wed 17 Oct '07 18:55   Post subject: bug in OpenSSL 0.9.8f
There is a bug in OpenSSL 0.9.8f which causes an error.log entry like this for each new SSL session:
Quote:
    [Wed Oct 17 12:11:39 2007] [error] unusably short session_id provided (0 bytes)
This error is harmless except for causing many log entries. SSL still works correctly.
I entered OpenSSL bug 1591 and Apache bug 43644 for this problem.
Note that the two security vulnerabilities fixed in OpenSSL 0.9.8f are not relevant for Apache 2.2 and mod_ssl.
Apache does not: 1.) use DTLS (datagram variation of TLS), or 2.) call SSL_get_shared_ciphers().
Installing OpenSSL 0.9.8f is not urgent if you are already running OpenSSL 0.9.8e.
Nevertheless, it is not a good practice to fall behind on OpenSSL versions. Many smaller non-security fixes are in 0.9.8f.
If there is a new OpenSSL 0.9.8g in the next few days (or weeks) - it may be a good idea to wait for it.
If this is not acceptable - you can either live with the error.log entries, or else fix the OpenSSL 0.9.8f source code yourself and re-build it.
If you build OpenSSL from the source code and you want to fix this problem yourself, edit the file srclib\openssl\ssl\s3_srvr.c and change line 746
from:
Code:
    if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)))
to:
Code:
    if (j == 0 || (s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)))
then re-build OpenSSL 0.9.8f.
-tom-
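As an added example (not from the post, and not Apache or OpenSSL code), a small Python triage script for an Apache 2.2 error.log: it separates the harmless 0.9.8f "unusably short session_id" entries from every other [error] line, so an admin can see how much noise the bug adds and whether a real error is buried underneath. The log lines are constructed for the example, modelled on the entry quoted above.

```python
import re
from collections import Counter
from datetime import datetime

# Apache 2.2 error.log line layout: "[Wed Oct 17 12:11:39 2007] [error] message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
# Message logged by OpenSSL 0.9.8f on every new session (quoted in the post above);
# harmless per the post, fixed in 0.9.8g.
KNOWN_NOISE = "unusably short session_id provided (0 bytes)"

def parse_line(line):
    """Return {'ts', 'level', 'msg'} for one error.log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return {"ts": ts, "level": m.group("level"), "msg": m.group("msg")}

def triage(lines):
    """Count the known 0.9.8f noise and group all other [error] messages."""
    noise = 0
    other = Counter()
    first = last = None
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["level"] != "error":
            continue  # unparsable or non-error (notice/warn) lines are not of interest here
        if rec["msg"] == KNOWN_NOISE:
            noise += 1
            first = rec["ts"] if first is None else first
            last = rec["ts"]
        else:
            # drop a leading "[client 1.2.3.4]" so identical messages group together
            other[re.sub(r"^\[client [^\]]+\] ", "", rec["msg"])] += 1
    return {"noise": noise, "first": first, "last": last, "other": other}

# Constructed sample lines (not from a real server).
SAMPLE = """\
[Wed Oct 17 12:11:39 2007] [error] unusably short session_id provided (0 bytes)
[Wed Oct 17 12:11:40 2007] [error] unusably short session_id provided (0 bytes)
[Wed Oct 17 12:12:02 2007] [notice] Apache/2.2.6 (Win32) mod_ssl/2.2.6 OpenSSL/0.9.8f configured -- resuming normal operations
[Wed Oct 17 12:13:15 2007] [error] [client 192.0.2.10] File does not exist: C:/www/htdocs/favicon.ico
[Wed Oct 17 12:13:16 2007] [error] unusably short session_id provided (0 bytes)
""".splitlines()

if __name__ == "__main__":
    r = triage(SAMPLE)
    print(f"{r['noise']} noise entries between {r['first']} and {r['last']}")
    for msg, n in r["other"].most_common():
        print(f"{n:4d}  {msg}")
```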
tdonovan (Moderator)
Joined: 17 Dec 2005   Posts: 611   Location: Milford, MA, USA
Posted: Fri 19 Oct '07 15:53
OpenSSL 0.9.8g has been released which corrects this bug.
Quote:
    Changes between 0.9.8f and 0.9.8g [19 Oct 2007]
    *) Fix various bugs:
       + Binary incompatibility of ssl_ctx_st structure
       + DTLS interoperation with non-compliant servers
       + Don't call get_session_cb() without proposed session
       + Fix ia64 assembler code
       [Andy Polyakov, Steve Henson]
I also updated the note about building OpenSSL with info for MASM v6 users, and added some additional info about patented ciphers.
For 0.9.8g binary download see the download page.
-tom-