Ok, after an additional delay of one week for OpenSSL 0.9.2b and another tarball rolling round for Apache 1.3.6 (1.3.5 was skipped because of last-minute trouble), we can finally sync the triple Apache+mod_ssl+OpenSSL with the remaining part: mod_ssl 2.2.6, which both upgrades to Apache and uses the new session tagging facility of OpenSSL 0.9.2b to make session resumption work again. Yeah, sometimes it's complicated to write a glue-code module like Apache which has to sync with two other packages ;-)

In addition to the Apache upgrade and the OpenSSL security issue, this version introduces the pkg.addon/ stuff. There I'll locate companion patches which fall neither in the EAPI nor the SSL class. The start are two little goodies: an EAPI-based mod_define I wrote some time ago with my best friend, which provides a nifty variable expansion feature on arbitrary(!) directive lines, and a beautify patch for mod_status taken over from Stronghold (only the red "SSL" column is still missing, because cleanness prevents me from patching the scoreboard with SSL stuff and EAPI is still too weak for this, but that will change in the next weeks).

So, in your own interest (security issues!) you're now encouraged to upgrade to the triple Apache/1.3.6 + mod_ssl/2.2.6 + OpenSSL/0.9.2b, which I now consider a better combination than we ever had. Especially the next mod_ssl versions will try to massively use the new OpenSSL 0.9.2b code, so I'll have to drop support for SSLeay 0.9.0b and even OpenSSL 0.9.1c in the next weeks, because the next functionality-improvement rounds bring full DSA/DH support, which is only possible with OpenSSL 0.9.2b and higher. Additionally I'm planning to release general shared memory support for EAPI, which lets us finally create a fast and full in-core inter-process session cache plus the ability to add inter-process SSL statistics to mod_status.

Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com

Changes with mod_ssl 2.2.6 (18-Mar-1999 to 24-Mar-1999)

*) Now mod_ssl logs the current Apache, mod_ssl and OpenSSL versions at startup, which makes it easier to distinguish which software combination is actually running by just looking into the log.

*) Added support for the new 56/1024-bit export ciphersuites (idea taken over from Apache-SSL 1.32) and sign-only-certificate situations where stronger (1024 instead of 512 bit) temporary keys are reasonable to use.

*) Upgrade to new upstream version Apache 1.3.6 on vendor branch. [Version 1.3.5 was not released because of last-minute problems]

*) *** SECURITY *** SECURITY *** SECURITY ***
In the OpenSSL project we discovered that a terrible security hole exists for _all_ SSLeay/OpenSSL server applications that use virtual hosting. Here sessions could be resumed in the wrong context, thus bypassing client certificate protection! This hole is now fixed in OpenSSL 0.9.2b by an ad-hoc solution where SSL sessions cannot be resumed unless the server application tags them with a unique context id per virtual host. mod_ssl now also performs this tagging to prevent this exploit.

*) Added the nifty EAPI-based mod_define module to the source tree. This module provides variable definitions for arbitrary directive lines, i.e. you can expand ${xxx} on any(!) directive line. This module is disabled per default in src/Configuration.tmpl (needs an --enable-module=define) and it lives in the new pkg.addon area.

*) Added Stronghold's table look and feel to mod_status' display page. This patch is harmless, enabled per default and lives in the new pkg.addon area.

*) Opened another distribution package subdir: pkg.addon/. Here addons will be stored which are not directly/physically related to mod_ssl and EAPI, but indirectly.

*) Cleaned up the generation of the signature table in ap_hook.c and updated the hook list with the still missing vendor hooks.

*) Renamed recently added vendor hooks from ssl::vendor::xxx to ap::mod_ssl::vendor::xxx to be consistent with the remaining EAPI hook names.

*) Upgrade to new upstream version Apache 1.3.5 on vendor branch.

*) Fixed a segfault in the HTTPS support for mod_proxy which occurred when the proxy couldn't connect to the remote host.

*) Be 100% conservative and clean and use SSL_clean() after SSL_new().

______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
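The SECURITY item above describes a session cache that is keyed by session id alone, so a session established on one virtual host could be resumed on another and skip that host's client-certificate check. The following Python model, added here as an illustration and not code from mod_ssl or OpenSSL, shows why the per-virtual-host context tag closes the hole: an untagged cache treats every host the same, while a tagged cache refuses the cross-host resumption and forces a full handshake, where the client-certificate requirement is enforced again. The vhost names and the `session_id_context` values are constructed; in real OpenSSL the tag is set per `SSL_CTX` via `SSL_CTX_set_session_id_context`, which this model only imitates.

```python
"""Model of SSL session resumption with and without per-vhost context tagging.

Added example (not mod_ssl/OpenSSL code). It imitates the effect of the
session id context introduced in OpenSSL 0.9.2b; no TLS is performed.
"""
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class VirtualHost:
    name: str
    require_client_cert: bool
    session_id_context: bytes   # constructed per-vhost tag (fix only)


@dataclass
class Session:
    session_id: bytes
    sid_ctx: Optional[bytes]    # None models an untagged pre-0.9.2b session
    client_cert_verified: bool


class SessionCache:
    """Shared server-wide cache, as mod_ssl keeps it for all virtual hosts."""

    def __init__(self) -> None:
        self._store: Dict[bytes, Session] = {}

    def add(self, session: Session) -> None:
        self._store[session.session_id] = session

    def lookup(self, session_id: bytes, sid_ctx: Optional[bytes]) -> Optional[Session]:
        # A session is only handed back if its context tag matches the
        # context the requesting vhost uses. Untagged sessions (None) match
        # any untagged request, which is exactly the vulnerable behaviour.
        session = self._store.get(session_id)
        if session is None or session.sid_ctx != sid_ctx:
            return None
        return session


def full_handshake(vhost: VirtualHost, cache: SessionCache,
                   client_presents_cert: bool, tag_sessions: bool) -> Tuple[str, Optional[Session]]:
    """Full handshake: the vhost's client-cert policy is enforced here."""
    if vhost.require_client_cert and not client_presents_cert:
        return "rejected", None
    sid_ctx = vhost.session_id_context if tag_sessions else None
    session = Session(os.urandom(16), sid_ctx, client_presents_cert)
    cache.add(session)
    return "full_handshake", session


def resume_or_handshake(vhost: VirtualHost, cache: SessionCache, session_id: bytes,
                        client_presents_cert: bool, tag_sessions: bool) -> Tuple[str, Optional[Session]]:
    """Client offers an old session id; resume if the cache accepts it."""
    wanted_ctx = vhost.session_id_context if tag_sessions else None
    session = cache.lookup(session_id, wanted_ctx)
    if session is not None:
        return "resumed", session          # no certificate check on resumption
    return full_handshake(vhost, cache, client_presents_cert, tag_sessions)


def cross_vhost_resumption(fixed: bool) -> str:
    """Session from a cert-less vhost offered to a cert-requiring vhost."""
    public = VirtualHost("public.example", False, b"ctx-public")   # constructed
    secure = VirtualHost("secure.example", True, b"ctx-secure")    # constructed
    cache = SessionCache()
    _, session = full_handshake(public, cache, client_presents_cert=False, tag_sessions=fixed)
    result, _ = resume_or_handshake(secure, cache, session.session_id,
                                    client_presents_cert=False, tag_sessions=fixed)
    return result   # "resumed" = bypass; "rejected" = cert policy enforced


def legitimate_resumption(fixed: bool) -> str:
    """Tagging must not break resumption on the same vhost."""
    secure = VirtualHost("secure.example", True, b"ctx-secure")    # constructed
    cache = SessionCache()
    _, session = full_handshake(secure, cache, client_presents_cert=True, tag_sessions=fixed)
    result, _ = resume_or_handshake(secure, cache, session.session_id,
                                    client_presents_cert=True, tag_sessions=fixed)
    return result


if __name__ == "__main__":
    print("untagged cache, cross-vhost:", cross_vhost_resumption(fixed=False))
    print("tagged cache,   cross-vhost:", cross_vhost_resumption(fixed=True))
    print("tagged cache,   same vhost: ", legitimate_resumption(fixed=True))
```

The check worth keeping from this model is the second one: a correct fix refuses the cross-host resumption without breaking resumption within the host that created the session, which is what the per-vhost tag achieves without any change to the cache structure itself.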