RE: MM doesn't work now with 0.9.6e - Security related Bug in mm < mm-1.2.1
on 01.08.2002 09:50:04 by b.courtin
Hi there,
did you notice that there is a security bug in mm < version 1.2.1 as well which was announced on Jul 30 2002? Have a look here:
Advisory: http://www.openpkg.org/security/OpenPKG-SA-2002.007-mm.html (CERT ID "2002-453dcert").
You can get the latest version of mm here: http://www.ossp.org/pkg/lib/mm/
Kind regards,
B. Courtin
-----Original Message-----
From: David Lowenstein [mailto:dlowenst@mail.sdsu.edu]
Sent: Wednesday, July 31, 2002 10:33 PM
To: modssl-users@modssl.org
Subject: MM doesn't work now with 0.9.6e
I just installed the newest version of openssl and recompiled mm, mod_ssl,
mod_perl, and apache. Now when I start apache I get an error from my
httpd.conf file about the SSLSessionCache option. The error is:
SSLSessionCache: shared memory cache not useable on this platform
Well, it was with openssl 0.9.6c. I didn't do anything different in my
installation steps which were:
install openssl
configure mm with disable-shared
make
configure mod_ssl --with-apache=../apache_1.3.26
install mod_perl (perl Makefile.PL APACHE_SRC=../apache_1.3.26/src
DO_HTTPD=0 USE_APACI=1 PREP_HTTPD=1 EVERYTHING=1)
set SSL_BASE and EAPI_MM variables to ../openssl0.9.6e and ../mm-1.2.1
configure and install apache:
../configure --enable-module=proxy --enable-module=so
--activate-module=src/modules/perl/libperl.a --enable-module=perl
--enable-rule=SHARED_CORE --enable-module=ssl
make
make certificate
make install
Without the shared option in the config file, apache starts just fine, but
it won't work with:
SSLSessionCache shm:/usr/local/apache/logs/ssl/ssl_scache(512000)
It worked before.
What did I break?
Dave Lowenstein
Programmer/Analyst
Instructional Technology Services
San Diego State University
(619)594-0270
http://www-rohan.sdsu.edu/dept/its
On Wed, 31 Jul 2002, Matt Nelson wrote:
> At 06:02 PM 7/31/2002 +0200, you wrote:
> >See comments,
>
> Ditto,
>
> >Rgds,
> >
> >Owen Boyle
> >
> > >-----Original Message-----
> > >From: Matt Nelson [mailto:matt@nelsonprinting.com]
> > >Sent: Mittwoch, 31. Juli 2002 17:01
> > >To: modssl-users@modssl.org
> > >Subject: RE: Error message help
> > >
> > >
> > >Well I may have figured this out, https is now running, cert
> > >was in the wrong place,
> >
> >..or your SSLCertificateFile directive was pointing to the wrong place :-)
>
> Yup, but dang I was confused on where it went. Everything I've read said
> put it somewhere different. Error logs are your friends.
>
>
> > > ...but https returns the default web page for the apache
> > >installation, instead of the real site, which does come up with just
> > >http. I think I can figure that out, but if anyone has pointers
> > >thanks, and thanks for suffering my dumb questions.
> >
> >Check out your DocumentRoot directive in the SSL virtual host - there
> >should only be one. If there is more than one, apache will use the last
> >one... It is this directive which tells apache where to fetch the content.
>
> Yeah I found that right after I wrote that.
>
> > >
> > >--
> > >Matt
> > >
> > >
> > >At 09:36 AM 7/31/2002 -0500, you wrote:
> > >>At 03:56 PM 7/31/2002 +0200, you wrote:
> > >>> >From: Matt Nelson [mailto:matt@nelsonprinting.com]
> > >>> >
> > >>> >Now, the error I'm getting now that I can't seem to find any
> > >>> >help on, in
> > >>> >the error_log is:
> > >>> >
> > >>> >OpenSSL: error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long
> > >>> >
> > >>>
> > >>>Unusual.. Do you see anything in the browser? Also:
> > >>>
> > >>>- What versions of apache, mod_ssl, openssl?
> > >>
> > >>
> > >>Apache 1.3.22
> > >>OpenSSL 0.9.6
> > >>mod_ssl 1.4
> >
> >Um... If I were you, I'd get apache 1.3.26, OpenSSL 0.9.6e and mod_ssl
> >2.8.10. That's the latest mix, also pay attention to the security advisory
> >that was posted to the list today.
>
> I'll do that.
>
>
> > >>
> > >>>- Static or DSO?
> >
> >When you compiled apache, did you statically compile in mod_ssl (i.e.
> >--enable-module=ssl) so that the mod_ssl binary gets munged in with the
> >apache binary to produce a big binary *or* did you compile mod_ssl as a
> >shared object which would be loaded dynamically at runtime (DSO = Dynamic
> >Shared Object), i.e. --enable-shared=ssl? Usually, it doesn't make much
> >difference when they're working, but since yours was not working, I
> >thought I'd ask.
>
> I didn't compile, I used everything stock from the Caldera 3.11 server
> install. A bad idea now I know, if I'd done it on my own or recompiled, I'd
> know which it was, among other things.
>
> > >>
> > >>
> > >>I'll be honest and say I don't quite understand that question. I'm way
> > >>more new at this than I wished. I could probably answer that question, if
> > >>asked in different terms.
> > >>
> > >>>- What browser?
> > >>
> > >>IE, Mozilla, you name it.
> >
> >Just in case it was a funny browser - SSL is as much to do with the client
> >as it is to do with the server so it is essential to verify any problems
> >with several browsers. But you've already done that.
>
> Yeah... See I do try, I hate being a clueless newbie, or at least acting
> like one. I always try to cover the bases myself, so I don't get RTFM
> responses. I'm sure I'll have some other questions, though, and soon.
>
> Thanks much
>
> --
> Matt
>
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>