This is a discussion on Re: Does Mod_SSL use SSL_get_shared_ciphers()? - modssl ; Phil, Is it the way I am building Apache or is Linux or Solaris hiding this symbol? I've checked this on a gentoo build, but on my machine the module has no symbols. Details as below: Apache/2.2.3 OpenSSL 0.9.8c AIX ...
Is it the way I am building Apache or is Linux or Solaris hiding this
symbol? I've checked this on a gentoo build, but on my machine the
module has no symbols.
Details as below:
nm mod_ssl.so | grep SSL_get_shared_ciphers
..SSL_get_shared_ciphers T 269028692
..SSL_get_shared_ciphers_139_116 t 269031772*
T Global text symbol.
t Local text symbol.
Phil Ehrens wrote:
> Per Olausson wrote:
>>> Phil Ehrens:
>>> I just checked a couple different versions and did not see that
>> I posted a question about this to the apache security mailbox, but
>> nobody responded. I guess that is inline with the policy for that
>> mailbox even if I find it somewhat unhelpful, considering that SSL isn't
>> completely a rarity when using Apache.
>> The reason I am concerned is because mod_ssl indirectly references
>> SSL_get_shared_ciphers. It is in use. You can see this if you use
>> something like nm and grep for this function.
>> So is mod_ssl vulnerable? Is the functionality insulated and not
>> possible to trigger from the mod_ssl user scenario, or is it?
>> If anyone have any ideas please let me know!
> The symbol is not defined in mod_ssl on any of my Linux or Solaris
> systems, all of which are running Apache-2.0.55. What version are
> you looking at?
> __________________________________________________ ____________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List firstname.lastname@example.org
> Automated List Manager email@example.com
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List firstname.lastname@example.org
Automated List Manager email@example.com