Because of the availability of a very important bugfix, I immediately release
mod_ssl 2.4.8 with it. This version especially should solve any observed
segfaults which did not even go away by using `SSLSessionCache none' (because
they were not related to DBM libraries and other problematic session cache
things). See below for details. So, if you received segfaults in the past,
you're now strongly encouraged to upgrade to this version (because the chance
is very high that your situation matches the three conditions listed
below).

Greetings,
                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com

  Changes with mod_ssl 2.4.8 (02-Nov-1999 to 05-Nov-1999)

   *) ** IMPORTANT BUGFIX **
      If (and only if)...
         1. a server restart happened at least once
         2. an HTTPS request occurs from a 40-bit/export browser
         3. the underlying Unix flavor doesn't always map DSOs
            to the same memory address on each restart
      ...then a segfault was very likely to occur for practically
      all previous mod_ssl versions.
      
      The reason was that mod_ssl's temporary RSA keys and DH parameters
      were stored in the persistent memory pool directly as OpenSSL's
      RSA and DH structures. But although these structures successfully
      survived restarts, the contained pointers, which were placed there
      by OpenSSL and which were referencing _static_ parts of OpenSSL,
      pointed to Nirvana after restarts. So on the next need for RSA
      temporary keys or DH parameters (usually caused by 40-bit clients)
      the OpenSSL library internally segfaulted while processing these
      structures.

      This was a very long-standing bug and is now fixed by storing the
      RSA keys and DH parameters as raw (and this way safe) DER-encoded
      ASN.1 data streams (and not structures) in the persistent memory
      pool.
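      The fix described above, as an added example that is not mod_ssl's or
      OpenSSL's code: a minimal DER encoder and decoder for DH parameters
      (p and g only), standing in for the kind of serialization OpenSSL's
      i2d_DHparams/d2i_DHparams perform, so the pool holds a pointer-free
      byte string that is parsed into a fresh structure after each restart.
      The dh_params struct, its sizes and the short-form-length-only handling
      are simplifying assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>
/* Stand-in for OpenSSL's DH structure: p and g as big-endian magnitudes. */
typedef struct { uint8_t p[64]; size_t plen; uint8_t g[8]; size_t glen; } dh_params;

/* DER INTEGER from an unsigned magnitude: drop leading zeros (DER is minimal),
 * pad 0x00 when the high bit is set. Short-form lengths; 0 means no fit. */
static size_t der_uint(uint8_t *out, size_t cap, const uint8_t *m, size_t n) {
    while (n > 1 && m[0] == 0) { m++; n--; }
    size_t pad = (m[0] & 0x80) ? 1 : 0, len = n + pad;
    if (len > 127 || cap < 2 + len) return 0;
    out[0] = 0x02; out[1] = (uint8_t)len;
    if (pad) out[2] = 0x00;
    memcpy(out + 2 + pad, m, n);
    return 2 + len;
}

/* PKCS#3 DHParameter ::= SEQUENCE { p INTEGER, g INTEGER }: a flat byte
 * string with no pointers, safe to keep in a pool that outlives the DSO. */
size_t dh_to_der(const dh_params *dh, uint8_t *out, size_t cap) {
    uint8_t body[80];
    size_t n = der_uint(body, sizeof body, dh->p, dh->plen);
    size_t m = n ? der_uint(body + n, sizeof body - n, dh->g, dh->glen) : 0;
    if (!n || !m || n + m > 127 || cap < 2 + n + m) return 0;
    out[0] = 0x30; out[1] = (uint8_t)(n + m);
    memcpy(out + 2, body, n + m);
    return 2 + n + m;
}

/* One DER INTEGER at *pos back to a magnitude; negative values are rejected. */
static int der_read_uint(const uint8_t *in, size_t len, size_t *pos,
                         uint8_t *out, size_t cap, size_t *outlen) {
    if (*pos + 2 > len || in[*pos] != 0x02) return 0;
    size_t n = in[*pos + 1], start = *pos + 2;
    if (n == 0 || n > 127 || start + n > len || (in[start] & 0x80)) return 0;
    if (n > 1 && in[start] == 0x00) { start++; n--; }   /* strip sign pad */
    if (n > cap) return 0;
    memcpy(out, in + start, n); *outlen = n; *pos = start + n;
    return 1;
}

/* Rebuild a fresh structure after restart from the pooled DER bytes; the
 * real library would set its internal pointers now, in the current mapping. */
int dh_from_der(const uint8_t *in, size_t len, dh_params *dh) {
    if (len < 2 || in[0] != 0x30 || in[1] > 127 || 2 + (size_t)in[1] != len) return 0;
    size_t pos = 2;
    return der_read_uint(in, len, &pos, dh->p, sizeof dh->p, &dh->plen)
        && der_read_uint(in, len, &pos, dh->g, sizeof dh->g, &dh->glen)
        && pos == len;
}
```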

   *) Added an FAQ entry about Verisign GIDs and the intermediate CA
      certificate which is required to fill the gap in the server certificate
      chain or browsers will complain.

   *) The configure.bat for Win32 now tries to complain if patches are
      rejected while they are being applied to the Apache source tree.

   *) Updated ANNOUNCE and README documents.

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
