Does Mod_SSL use SSL_get_shared_ciphers()?

Does anyone know if Mod_SSL uses the SSL_get_shared_ciphers()
function from OpenSSL?

As you may know a buffer overflow has been detected in that
function in OpenSSL versions prior to 0.9.8d.

I'm trying to find out if Mod_SSL uses the vulnerable function.

Thanks in advance.



Stanley E. Laufer
Network Administrator
School of Library and Information Science
San Jose State University

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Does Mod_SSL use SSL_get_shared_ciphers()?

Stanley Laufer wrote:
> Does anyone know if Mod_SSL uses the SSL_get_shared_ciphers()
> function from OpenSSL?
>
> As you may know a buffer overflow has been detected in that
> function in OpenSSL versions prior to 0.9.8d.
>
> I'm trying to find out if Mod_SSL uses the vulnerable function.

I just checked a couple different versions and did not see that
function.
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Does Mod_SSL use SSL_get_shared_ciphers()?

> Phil Ehrens:
> I just checked a couple different versions and did not see that
> function.

I posted a question about this to the apache security mailbox, but
nobody responded. I guess that is inline with the policy for that
mailbox even if I find it somewhat unhelpful, considering that SSL isn't
completely a rarity when using Apache.

The reason I am concerned is because mod_ssl indirectly references
SSL_get_shared_ciphers. It is in use. You can see this if you use
something like nm and grep for this function.

So is mod_ssl vulnerable? Is the functionality insulated and not
possible to trigger from the mod_ssl user scenario, or is it?

If anyone have any ideas please let me know!

Regards,


Per Olausson


____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Does Mod_SSL use SSL_get_shared_ciphers()?

Per Olausson wrote:
>
> >Phil Ehrens:
> >I just checked a couple different versions and did not see that
> >function.
>
> I posted a question about this to the apache security mailbox, but
> nobody responded. I guess that is inline with the policy for that
> mailbox even if I find it somewhat unhelpful, considering that SSL isn't
> completely a rarity when using Apache.
>
> The reason I am concerned is because mod_ssl indirectly references
> SSL_get_shared_ciphers. It is in use. You can see this if you use
> something like nm and grep for this function.
>
> So is mod_ssl vulnerable? Is the functionality insulated and not
> possible to trigger from the mod_ssl user scenario, or is it?
>
> If anyone have any ideas please let me know!

The symbol is not defined in mod_ssl on any of my Linux or Solaris
systems, all of which are running Apache-2.0.55. What version are
you looking at?
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Does Mod_SSL use SSL_get_shared_ciphers()?

Phil,

Is it the way I am building Apache or is Linux or Solaris hiding this
symbol? I've checked this on a gentoo build, but on my machine the
module has no symbols.

Details as below:

Apache/2.2.3
OpenSSL 0.9.8c
AIX 5200-09
*
nm mod_ssl.so | grep SSL_get_shared_ciphers
..SSL_get_shared_ciphers T 269028692
..SSL_get_shared_ciphers_139_116 t 269031772*

nm(1):

T Global text symbol.
t Local text symbol.

Regards,


Per

Phil Ehrens wrote:
> Per Olausson wrote:
>
>>> Phil Ehrens:
>>> I just checked a couple different versions and did not see that
>>> function.
>>>
>> I posted a question about this to the apache security mailbox, but
>> nobody responded. I guess that is inline with the policy for that
>> mailbox even if I find it somewhat unhelpful, considering that SSL isn't
>> completely a rarity when using Apache.
>>
>> The reason I am concerned is because mod_ssl indirectly references
>> SSL_get_shared_ciphers. It is in use. You can see this if you use
>> something like nm and grep for this function.
>>
>> So is mod_ssl vulnerable? Is the functionality insulated and not
>> possible to trigger from the mod_ssl user scenario, or is it?
>>
>> If anyone have any ideas please let me know!
>>
>
> The symbol is not defined in mod_ssl on any of my Linux or Solaris
> systems, all of which are running Apache-2.0.55. What version are
> you looking at?
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>


____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Does Mod_SSL use SSL_get_shared_ciphers()?

Interesting. Must be an Apache 2.2.X thing. The symbol
definitely does not appear in 2.0.55.

Per Olausson wrote:
>
> Phil,
>
> Is it the way I am building Apache or is Linux or Solaris hiding this
> symbol? I've checked this on a gentoo build, but on my machine the
> module has no symbols.
>
> Details as below:
>
> Apache/2.2.3
> OpenSSL 0.9.8c
> AIX 5200-09
> *
> nm mod_ssl.so | grep SSL_get_shared_ciphers
> .SSL_get_shared_ciphers T 269028692
> .SSL_get_shared_ciphers_139_116 t 269031772*
>
> nm(1):
>
> T Global text symbol.
> t Local text symbol.
>
> Regards,
>
>
> Per
>
> Phil Ehrens wrote:
> >Per Olausson wrote:
> >
> >>>Phil Ehrens:
> >>>I just checked a couple different versions and did not see that
> >>>function.
> >>>
> >>I posted a question about this to the apache security mailbox, but
> >>nobody responded. I guess that is inline with the policy for that
> >>mailbox even if I find it somewhat unhelpful, considering that SSL isn't
> >>completely a rarity when using Apache.
> >>
> >>The reason I am concerned is because mod_ssl indirectly references
> >>SSL_get_shared_ciphers. It is in use. You can see this if you use
> >>something like nm and grep for this function.
> >>
> >>So is mod_ssl vulnerable? Is the functionality insulated and not
> >>possible to trigger from the mod_ssl user scenario, or is it?
> >>
> >>If anyone have any ideas please let me know!
> >>
> >
> >The symbol is not defined in mod_ssl on any of my Linux or Solaris
> >systems, all of which are running Apache-2.0.55. What version are
> >you looking at?
> >___________________________________________________________ ___________
> >Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> >User Support Mailing List modssl-users@modssl.org
> >Automated List Manager majordomo@modssl.org
> >
>
>
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org

--
Phil Ehrens | Fun stuff:
The LIGO Laboratory, MS 18-34 | http://www.ralphmag.org
California Institute of Technology | http://www.trenchman.com
1200 East California Blvd. | http://www.tokyotosho.com
Pasadena, CA 91125 USA | My gpg public key:
Phone:(626)395-8518 Fax:(626)793-9744 | http://www.imbe.net/peligo.asc
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Does Mod_SSL use SSL_get_shared_ciphers()?

So what are the next steps...is this being highlighted as a risk anywhere?

I am surprised that this doesn't get onto the main security page if it
is a risk...how else would anyone find out about it and take
preventative measures?

Regards,


Per

Phil Ehrens wrote:
> Interesting. Must be an Apache 2.2.X thing. The symbol
> definitely does not appear in 2.0.55.
>
> Per Olausson wrote:
>
>> Phil,
>>
>> Is it the way I am building Apache or is Linux or Solaris hiding this
>> symbol? I've checked this on a gentoo build, but on my machine the
>> module has no symbols.
>>
>> Details as below:
>>
>> Apache/2.2.3
>> OpenSSL 0.9.8c
>> AIX 5200-09
>> *
>> nm mod_ssl.so | grep SSL_get_shared_ciphers
>> .SSL_get_shared_ciphers T 269028692
>> .SSL_get_shared_ciphers_139_116 t 269031772*
>>
>> nm(1):
>>
>> T Global text symbol.
>> t Local text symbol.
>>
>> Regards,
>>
>>
>> Per
>>
>> Phil Ehrens wrote:
>>
>>> Per Olausson wrote:
>>>
>>>
>>>>> Phil Ehrens:
>>>>> I just checked a couple different versions and did not see that
>>>>> function.
>>>>>
>>>>>
>>>> I posted a question about this to the apache security mailbox, but
>>>> nobody responded. I guess that is inline with the policy for that
>>>> mailbox even if I find it somewhat unhelpful, considering that SSL isn't
>>>> completely a rarity when using Apache.
>>>>
>>>> The reason I am concerned is because mod_ssl indirectly references
>>>> SSL_get_shared_ciphers. It is in use. You can see this if you use
>>>> something like nm and grep for this function.
>>>>
>>>> So is mod_ssl vulnerable? Is the functionality insulated and not
>>>> possible to trigger from the mod_ssl user scenario, or is it?
>>>>
>>>> If anyone have any ideas please let me know!
>>>>
>>>>
>>> The symbol is not defined in mod_ssl on any of my Linux or Solaris
>>> systems, all of which are running Apache-2.0.55. What version are
>>> you looking at?
>>> ____________________________________________________________ __________
>>> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>>> User Support Mailing List modssl-users@modssl.org
>>> Automated List Manager majordomo@modssl.org
>>>
>>>
>> ____________________________________________________________ __________
>> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>> User Support Mailing List modssl-users@modssl.org
>> Automated List Manager majordomo@modssl.org
>>
>
>

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Does Mod_SSL use SSL_get_shared_ciphers()?

One more thing. I can see this on 2.0.54 with OpenSSL at 0.9.7d on AIX
as well.

I think there is something masking this problem on other platforms, or I
have been building this in some weird and mysterious way you guys don't
do (highly unlikely I think).

Regards,


Per

Phil Ehrens wrote:
> Interesting. Must be an Apache 2.2.X thing. The symbol
> definitely does not appear in 2.0.55.
>
> Per Olausson wrote:
>

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org