On 3/11/2011 3:07 PM, Edwards, Denise wrote:
> 
> I’m upgrading the Apache HTTP from 2.2.10 to latest version (2.2.17). We
> normally use the openSSL that comes bundled with the Apache install package.
> The latest Apache comes bundled with OpenSSL v0.9.8o and I need to upgrade it
> to v0.9.8p. How do you upgrade the openssl on the installed Apache? I
> downloaded the OpenSSL v0.9.8p tar from openssl.org, but not sure where to go
> from there as it’s not the mod_ssl.so format.

FWIW...

 0.9.8o - CVE-2010-0742 - httpd shipped NO_CMS, no impact
        - CVE-2010-1633 - affected 1.0.0 only, no impact
        - CVE-2010-3864 - mod_ssl does not use openssl internal caching, no impact

 0.9.8p - CVE-2010-4180 - MITM issue in renegotiation, potential impact
        - CVE-2010-4252 - httpd shipped NO_JPAKE, no impact

 0.9.8q - CVE-2011-0014 - no OCSP support in 2.2.17, no impact

As you can see, there is one possible MITM vector in 0.9.8p that impacts httpd,
so the assertion that one would need to upgrade from .8o to .8p and not pick
up at least .8q is not only foolish but bordering on the inept, a truly
counterproductive waste of effort.

http://httpd.apache.org/docs/2.2/platform/win_compiling.html - Follow ONLY the
[Optional] OpenSSL libraries (for mod_ssl and ab.exe with ssl support) step
and move openssl.exe, libeay32.dll and ssleay32.dll into place, and you will
be finished.  But at least build a sensible version.

When 2.2.18 ships, or a significant flaw is discovered, httpd will ship the
then-current iteration of openssl.

> CONFIDENTIALITY NOTICE: The information in this Internet email is 
> confidential and may be legally privileged. It is intended solely for the 
> addressee. Access to this email by anyone else is unauthorized. 

Not anymore it isn't, due to your act of publishing an inquiry to a public list.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
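
A check to run after swapping the DLLs, added here as an example and not part of the original message: it reads the OpenSSL token from an httpd `Server` banner or from `openssl version` output and compares it with the "at least .8q" floor named in the reply. It assumes the banner is shown in full (`ServerTokens Full`); the sample lines are constructed.

```python
import re

# Matches the OpenSSL token in an httpd Server banner ("OpenSSL/0.9.8o")
# or in `openssl version` output ("OpenSSL 0.9.8q 2 Dec 2010").
_TOKEN = re.compile(r"OpenSSL[/ ](\d+)\.(\d+)\.(\d+)([a-z]*)")

MINIMUM = "OpenSSL/0.9.8q"  # floor taken from the reply ("at least .8q")


def parse_openssl(text):
    """Return a sortable key (major, minor, fix, letters), or None if absent."""
    m = _TOKEN.search(text)
    if m is None:
        return None
    major, minor, fix, letters = m.groups()
    # Numeric parts compare as integers; the letter suffix compares as a
    # string, which orders '' < 'a' < ... < 'z' < 'za' as OpenSSL released them.
    return (int(major), int(minor), int(fix), letters)


def check(text, minimum=MINIMUM):
    """Classify one banner or version line against the minimum release."""
    found = parse_openssl(text)
    if found is None:
        # e.g. ServerTokens Prod: the banner hides the library, so the
        # version has to be confirmed on the host instead.
        return "no-openssl-token"
    return "ok" if found >= parse_openssl(minimum) else "below-minimum"


# Constructed sample input, not captured from a real server.
SAMPLE = [
    "Server: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8o",
    "Server: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8p",
    "Server: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8q",
    "OpenSSL 0.9.8q 2 Dec 2010",
    "Server: Apache",
]


def audit(lines):
    """Return (line, status) pairs for every input line."""
    return [(line, check(line)) for line in lines]


if __name__ == "__main__":
    for line, status in audit(SAMPLE):
        print(f"{status:17} {line}")
```

A `below-minimum` result after the swap usually means httpd was not restarted or is still loading the old `libeay32.dll` and `ssleay32.dll` from another directory.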