Dear R. J. Goyette at Argonne National Laboratory,

Just an FYI. I went to your web site at http://zuul.pns.anl.gov/security/ and clicked on the four links under Destinations. Nothing happens. No propellers; no hour glass; no meter filling up on the browser-wowser. Is it possible that I have something hosed up on my end, or are you intending that these links be that secure?
Now, for my main question, about your posted CERT RISK statement, to wit:

-------------
RE:>> VULNERABILITY ASSESSMENT: The risk is MEDIUM. To exploit the overflow, the server must be configured to allow client certificates, and an attacker must obtain a carefully crafted client certificate that has been signed by a Certificate Authority (CA) which is trusted by the server.
-------------

Recently, I miraculously got mod_ssl working with Apache in something less than a day (with the secure server being hosted by a new second server, which was my first experience installing SuSE Linux). I thought that to be something just short of a miracle, considering the level of investment that was made. And I have not even scratched the scratch of what is available under the hood for additional features with mod_ssl.

However, just prior to this successful effort, I spent the better part of two days figuring out why I could not telnet or ftp to one of my servers, only to discover that it was because my firewall was so tight that it wouldn't let telnet or ftp packets through.

I know that viruses, and those who continue to manufacture them, are at an all-time high. And I know that Governor Tom Rich and the Homeland Security folks need to have a big chunk of their budget devoted to catching these rascals; and then for the snacks and sandwiches required to feed the large crowds that will gather at various sites around the country to see these scoundrels hanged...

Yet in light of this reality, is the above statement of risk informing smaller web server providers that we need to pay great homage to this seemingly remote possibility, or risk being forever in a state of turmoil? I really want to learn more about mod_ssl on this list, but if this is necessary, then ... Please open my eyes...

Andrew Lietzow
The ACL Group, Inc.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
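The quoted risk assessment makes exposure conditional on the server being configured to accept client certificates. A quick way for a smaller site to answer "does this apply to me?" is to check the effective `SSLVerifyClient` value of every SSL context in httpd.conf. The script below is an added example, not code from the mail or from the mod_ssl project; it runs on a constructed configuration fragment and only evaluates that first precondition (the second, a crafted certificate signed by a CA the server trusts, depends on the CA's issuance practices, not on the config).

```python
import re
from typing import Dict, List, Optional

# Constructed httpd.conf fragment (assumed input, not taken from the original mail).
SAMPLE_CONF = """\
SSLVerifyClient none
<VirtualHost 10.0.0.5:443>
    SSLEngine on
    # client certificates are accepted here, checked against SSLCACertificateFile
    SSLVerifyClient require
    SSLCACertificateFile /etc/httpd/ssl.crt/ca-bundle.crt
</VirtualHost>
<VirtualHost 10.0.0.6:443>
    SSLEngine on
    # SSLVerifyClient optional   <- commented out, so this host inherits the global 'none'
</VirtualHost>
"""

# SSLVerifyClient values under which mod_ssl will request and parse a client certificate.
ACCEPTS_CLIENT_CERT = {"require", "optional", "optional_no_ca"}

DIRECTIVE = re.compile(r"^SSLVerifyClient\s+(\S+)", re.IGNORECASE)
OPEN_CTX = re.compile(r"^<(VirtualHost|Directory|Location)\s+([^>]*)>", re.IGNORECASE)
CLOSE_CTX = re.compile(r"^</(VirtualHost|Directory|Location)>", re.IGNORECASE)

def client_cert_contexts(conf: str) -> Dict[str, str]:
    """Map 'global' and each <VirtualHost/Directory/Location> to its effective SSLVerifyClient value."""
    levels: Dict[str, Optional[str]] = {"global": "none"}  # mod_ssl default is 'none'
    parent: Dict[str, str] = {}
    stack: List[str] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # Apache treats only full-line '#' as a comment
            continue
        if m := OPEN_CTX.match(line):
            name = f"<{m.group(1)} {m.group(2).strip()}>"
            parent[name] = stack[-1] if stack else "global"
            levels.setdefault(name, None)
            stack.append(name)
        elif CLOSE_CTX.match(line):
            stack.pop()
        elif m := DIRECTIVE.match(line):
            levels[stack[-1] if stack else "global"] = m.group(1).lower()

    def effective(ctx: str) -> str:  # a context without its own directive inherits from its parent
        value = levels[ctx]
        return value if value is not None else effective(parent[ctx])

    return {ctx: effective(ctx) for ctx in levels}

def exposed_contexts(conf: str) -> List[str]:
    """Contexts meeting the advisory's first precondition: client certificates are accepted."""
    return [ctx for ctx, lvl in client_cert_contexts(conf).items() if lvl in ACCEPTS_CLIENT_CERT]
```

Running `exposed_contexts(SAMPLE_CONF)` on the sample reports only the first virtual host; a site whose result is empty does not meet the stated precondition at all.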