Re: Does Mod_SSL use SSL_get_shared_ciphers()?
So what are the next steps... is this being highlighted as a risk anywhere? I am surprised that this doesn't get onto the main security page if it is a risk... how else would anyone find out about it and take preventative measures?

Regards,
Per

Phil Ehrens wrote:

Interesting. Must be an Apache 2.2.X thing. The symbol definitely does not appear in 2.0.55.

Per Olausson wrote:

Phil,

Is it the way I am building Apache or is Linux or Solaris hiding this symbol? I've checked this on a Gentoo build, but on my machine the module has no symbols.

Details as below:

Apache/2.2.3
OpenSSL 0.9.8c
AIX 5200-09

    * nm mod_ssl.so | grep SSL_get_shared_ciphers
    .SSL_get_shared_ciphers T 269028692
    .SSL_get_shared_ciphers_139_116 t 269031772*

nm(1):
T Global text symbol.
t Local text symbol.

Regards,
Per

Phil Ehrens wrote:

Per Olausson wrote:

Phil Ehrens: I just checked a couple different versions and did not see that function.

I posted a question about this to the Apache security mailbox, but nobody responded. I guess that is in line with the policy for that mailbox even if I find it somewhat unhelpful, considering that SSL isn't completely a rarity when using Apache.

The reason I am concerned is because mod_ssl indirectly references SSL_get_shared_ciphers. It is in use. You can see this if you use something like nm and grep for this function.

So is mod_ssl vulnerable? Is the functionality insulated and not possible to trigger from the mod_ssl user scenario, or is it?

If anyone has any ideas please let me know!

The symbol is not defined in mod_ssl on any of my Linux or Solaris systems, all of which are running Apache-2.0.55. What version are you looking at?
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager [EMAIL PROTECTED]
Re: Does Mod_SSL use SSL_get_shared_ciphers()?
One more thing. I can see this on 2.0.54 with OpenSSL at 0.9.7d on AIX as well. I think there is something masking this problem on other platforms, or I have been building this in some weird and mysterious way you guys don't do (highly unlikely I think).

Regards,
Per

Phil Ehrens wrote:

Interesting. Must be an Apache 2.2.X thing. The symbol definitely does not appear in 2.0.55.

Per Olausson wrote:
Re: Does Mod_SSL use SSL_get_shared_ciphers()?
Phil,

Is it the way I am building Apache or is Linux or Solaris hiding this symbol? I've checked this on a Gentoo build, but on my machine the module has no symbols.

Details as below:

Apache/2.2.3
OpenSSL 0.9.8c
AIX 5200-09

    * nm mod_ssl.so | grep SSL_get_shared_ciphers
    .SSL_get_shared_ciphers T 269028692
    .SSL_get_shared_ciphers_139_116 t 269031772*

nm(1):
T Global text symbol.
t Local text symbol.

Regards,
Per

Phil Ehrens wrote:

Per Olausson wrote:

Phil Ehrens: I just checked a couple different versions and did not see that function.

I posted a question about this to the Apache security mailbox, but nobody responded. I guess that is in line with the policy for that mailbox even if I find it somewhat unhelpful, considering that SSL isn't completely a rarity when using Apache.

The reason I am concerned is because mod_ssl indirectly references SSL_get_shared_ciphers. It is in use. You can see this if you use something like nm and grep for this function.

So is mod_ssl vulnerable? Is the functionality insulated and not possible to trigger from the mod_ssl user scenario, or is it?

If anyone has any ideas please let me know!

The symbol is not defined in mod_ssl on any of my Linux or Solaris systems, all of which are running Apache-2.0.55. What version are you looking at?
Re: Does Mod_SSL use SSL_get_shared_ciphers()?
Phil Ehrens: I just checked a couple different versions and did not see that function.

I posted a question about this to the Apache security mailbox, but nobody responded. I guess that is in line with the policy for that mailbox even if I find it somewhat unhelpful, considering that SSL isn't completely a rarity when using Apache.

The reason I am concerned is because mod_ssl indirectly references SSL_get_shared_ciphers. It is in use. You can see this if you use something like nm and grep for this function.

So is mod_ssl vulnerable? Is the functionality insulated and not possible to trigger from the mod_ssl user scenario, or is it?

If anyone has any ideas please let me know!

Regards,
Per Olausson
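Added example, not part of any message in this thread: a shell function that reads `nm` output and reports whether a symbol such as SSL_get_shared_ciphers is defined inside the module (T/t), only imported (U), or absent. It accepts both the name-type-value layout of the AIX listing quoted in the thread and the value-type-name layout of GNU nm; the GNU-style sample lines and the names `classify_symbol`, `aix_sample` and `gnu_dynamic_sample` are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how a symbol appears in `nm` output read from stdin.
# Prints one of:
#   defined    - a T/t (text) entry: the function body is inside the module
#   undefined  - only a U entry: imported, resolved from a shared library at load time
#   absent     - no entry: not referenced, or the symbol table was stripped
classify_symbol() {
    awk -v sym="$1" '
    function note(name, type) {
        sub(/^\./, "", name)            # drop the leading dot seen in the AIX listing
        if (name != sym) return         # exact match only, unlike a plain grep
        if (type == "T" || type == "t") has_def = 1
        else if (type == "U") has_undef = 1
    }
    NF == 2 { note($2, $1) }                 # "U name"
    NF >= 3 { note($1, $2); note($3, $2) }   # "name type value" or "value type name"
    END {
        if (has_def) print "defined"
        else if (has_undef) print "undefined"
        else print "absent"
    }'
}

# The two result lines quoted in the thread (AIX, Apache/2.2.3).
aix_sample() {
cat <<'EOF'
.SSL_get_shared_ciphers T 269028692
.SSL_get_shared_ciphers_139_116 t 269031772
EOF
}

# Constructed lines in GNU nm layout (not taken from the thread).
gnu_dynamic_sample() {
cat <<'EOF'
                 U SSL_get_shared_ciphers
                 U SSL_CTX_new
0000000000001a40 T example_module_init
EOF
}

for s in aix_sample gnu_dynamic_sample; do
    printf '%s: %s\n' "$s" "$($s | classify_symbol SSL_get_shared_ciphers)"
done
```

A `defined` result shows that the function's code is linked into the module, not that mod_ssl calls it on any request path. With GNU nm, `nm -D` lists the dynamic symbols of a shared object whose regular symbol table has been stripped.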