Ok, after an additional delay of one week for OpenSSL 0.9.2b and another
tarball rolling round for Apache 1.3.6 (1.3.5 was skipped because of last
minute trouble), we can finally sync the triple Apache+mod_ssl+OpenSSL with
the remaining part: mod_ssl 2.2.6 which both upgrades to Apache and uses the
new session tagging facility of OpenSSL 0.9.2b to make session resumption
work again. Yeah, sometimes it's complicated to write a glue-code module
like Apache which has to sync with two other packages ;-)

In addition to the Apache upgrade and the OpenSSL security issue, this version
introduces the pkg.addon/ stuff. There I'll locate companion patches which
fall neither in the EAPI nor the SSL class. To start, there are two little goodies: an
EAPI-based mod_define I wrote some time ago with my best friend which provides
a nifty variable expansion feature on arbitrary(!) directive lines, and a
beautify-patch for mod_status taken over from Stronghold (only the red "SSL"
column is still missing because cleanness prevents me from patching the
scoreboard with SSL stuff and EAPI is still too weak for this, but that will
change in the next weeks).

So, in your own interest (security issues!) you're now encouraged to upgrade
to the triple:
   
   Apache/1.3.6 + mod_ssl/2.2.6 + OpenSSL/0.9.2b

which I now consider the best combination we ever had. Especially the next
mod_ssl versions will try to massively use the new OpenSSL 0.9.2b code, and so
I'll have to drop support for SSLeay 0.9.0b and even OpenSSL 0.9.1c in the
next weeks, because the next functionality-improvement rounds bring full
DSA/DH support which is only possible with OpenSSL 0.9.2b and higher.
Additionally I'm planning to release general shared memory support for EAPI
which lets us finally create a fast and full in-core inter-process session
cache plus the ability to add inter-process SSL statistics to mod_status.

Greetings,
                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com

  Changes with mod_ssl 2.2.6 (18-Mar-1999 to 24-Mar-1999)

   *) Now mod_ssl logs the current Apache, mod_ssl and OpenSSL versions at
      startup which makes it easier to distinguish which software combination
      is actually running by just looking into the log.

   *) Added support for new 56/1024 bit export ciphersuites (idea overtaken
      from Apache-SSL 1.32) and sign-only-certificate situations where
      stronger (1024 instead of 512 bit) temporary keys are reasonable to use.

   *) Upgrade to new upstream version Apache 1.3.6 on vendor branch.
      [Version 1.3.5 was not released because of last minute problems]

   *) *** SECURITY *** SECURITY *** SECURITY ***
      In the OpenSSL project we discovered that a terrible security hole
      exists for _all_ SSLeay/OpenSSL server applications that use virtual
      hosting. Here sessions could be resumed in the wrong context, thus
      bypassing client certificate protection! This hole is now fixed in
      OpenSSL 0.9.2b by an ad-hoc solution where SSL sessions cannot be resumed
      unless the server application tags them with a unique context id per
      virtual host. mod_ssl now also performs this tagging to prevent this
      exploit.

   *) Added the nifty EAPI-based mod_define module to the source tree. This
      module provides variable definitions for arbitrary directive lines,
      i.e. you can expand ${xxx} on any(!) directive line. This module is
      disabled by default in src/Configuration.tmpl (needs
      --enable-module=define) and it lives in the new pkg.addon area.

   *) Added Stronghold's table look and feel to mod_status' display page.
      This patch is harmless, enabled by default and lives in the new
      pkg.addon area.

   *) Opened another distribution package subdir: pkg.addon/.
      Here addons will be stored which are not directly/physically related to
      mod_ssl and EAPI, but indirectly.

   *) Cleaned up the generation of the signature table in ap_hook.c
      and updated the hook list with the still missing vendor hooks.

   *) Renamed recently added vendor hooks from ssl::vendor::xxx to
      ap::mod_ssl::vendor::xxx to be consistent with the remaining EAPI hook
      names.

   *) Upgrade to new upstream version Apache 1.3.5 on vendor branch

   *) Fixed a segfault in the HTTPS support for mod_proxy which
      occurred when the proxy couldn't connect to the remote host.

   *) Be 100% conservative and clean and use SSL_clean() after SSL_new().

______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
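The session-context problem described in the SECURITY entry of the changelog above, as an added illustration that is not code from mod_ssl or OpenSSL: a constructed in-memory session cache modelled in C, with the untagged lookup (session id alone as key) beside the tagged lookup that OpenSSL 0.9.2b requires, so the effect of the per-virtual-host context id can be checked directly. The cache layout, function names and the two virtual host names are assumptions made for this example.

```c
#include <string.h>
/* Constructed model of a server-side SSL session cache, added to show why the
 * per-virtual-host tag matters. Not OpenSSL/mod_ssl code; names are assumed. */
enum { SID_LEN = 8, CTX_LEN = 32, CACHE_SZ = 8 };  /* shortened for the example */

struct session {
    unsigned char id[SID_LEN];
    char sid_ctx[CTX_LEN];      /* tag mod_ssl sets per virtual host */
    int  client_cert_verified;  /* 1 if a client certificate was checked */
};

static struct session cache[CACHE_SZ];
static int ncached;

/* A vhost stores a newly negotiated session together with its own tag. */
void cache_store(const unsigned char *id, const char *sid_ctx, int cert_ok)
{
    struct session *s = &cache[ncached++ % CACHE_SZ];
    memcpy(s->id, id, SID_LEN);
    strncpy(s->sid_ctx, sid_ctx, CTX_LEN - 1);
    s->sid_ctx[CTX_LEN - 1] = '\0';
    s->client_cert_verified = cert_ok;
}

/* Pre-0.9.2b behaviour: the session id alone is the key, so a session made
 * with a vhost that asked for no client cert resumes against any vhost. */
struct session *lookup_untagged(const unsigned char *id)
{
    for (int i = 0; i < ncached && i < CACHE_SZ; i++)
        if (memcmp(cache[i].id, id, SID_LEN) == 0)
            return &cache[i];
    return NULL;
}

/* 0.9.2b behaviour: resume only in the creating context, else full handshake. */
struct session *lookup_tagged(const unsigned char *id, const char *sid_ctx)
{
    struct session *s = lookup_untagged(id);
    return (s && strcmp(s->sid_ctx, sid_ctx) == 0) ? s : NULL;
}

/* Announcement's scenario: cert-less vhost session resumed on the cert vhost. */
int cross_vhost_resume_accepted(int use_tag)
{
    static const unsigned char sid[SID_LEN] = {1, 2, 3, 4, 5, 6, 7, 8};
    ncached = 0;  /* reset the constructed cache for a clean run */
    cache_store(sid, "www.example.com", 0);
    return (use_tag ? lookup_tagged(sid, "secure.example.com")
                    : lookup_untagged(sid)) != NULL;
}
```

With the tag, the mismatched lookup returns NULL and the server falls back to a full handshake on the vhost that requires the client certificate; the same session still resumes normally against the vhost that created it.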
