Bug 23956

Summary: mod_ssl should report actual OpenSSL version
Product: Apache httpd-2 Reporter: Eric Seidel <eseidel>
Component: mod_sslAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: CLOSED FIXED    
Severity: normal    
Priority: P3    
Version: 2.0.47   
Target Milestone: ---   
Hardware: All   
OS: All   

Description Eric Seidel 2003-10-20 20:48:06 UTC
mod_ssl (both 1.3.x and 2.x) currently uses the SSL_LIBRARY_TEXT define instead of the 
SSLeay_version() function to determine the version number of OpenSSL which it is using.

This is bad because here the mod_ssl binary is carrying the OpenSSL version number instead of 
querying the version of OpenSSL it's using.  This can lead to confusion (especailly security related), if 
for example an administrator patches OpenSSL to be 3.4.d instead of 3.4.a, to work around known 
mod_ssl related vulnerabilities in OpenSSL.

Even though the system has been properly patched, it will still report the old (mod_ssl compiled in) 
version number to Scanning software etc.

Our customers complained, and we have fixed the following in our version of Apache... however I feel 
this change would make sense up-stream as well.

I've attached a diff against 1.3.28:

The 2.1.x diff is nearly identical, only different line numbers.  Simply replace the one instance of 
"SSL_LIBRARY_TEXT" in ssl_engine_vars.c  with "SSLeay_version(SSLEAY_VERSION)".

Thanks for your time.

RCS file: /cvs/root/apache_mod_ssl/mod_ssl/pkg.sslmod/ssl_engine_vars.c,v
retrieving revision
diff -u -r1.1.1.8 ssl_engine_vars.c
--- ssl_engine_vars.c   2003/07/25 02:32:10
+++ ssl_engine_vars.c   2003/10/20 20:36:34
@@ -617,7 +617,7 @@
         result = ap_psprintf(p, "mod_ssl/%s", MOD_SSL_VERSION);
     else if (strEQ(var, "LIBRARY")) {
-        result = ap_pstrdup(p, SSL_LIBRARY_TEXT);
+        result = ap_pstrdup(p, SSLeay_version(SSLEAY_VERSION));
         if ((cp = strchr(result, ' ')) != NULL) {
             *cp = '/';
             if ((cp2 = strchr(cp, ' ')) != NULL)
cvs server: Diffing mod_ssl/pkg.sslsup
Comment 1 Jeff Trawick 2003-10-20 22:37:22 UTC
Thanks for the patch.  Note that to get a change in the independent mod_ssl that
works with Apache 1.3, talk to the folks that maintain it (www.modssl.org).  It
seems clear from your description what we need to do with 2.1 and 2.0.
Comment 2 Joe Orton 2003-11-25 21:13:31 UTC
Committed to HEAD, will propose for backport to 2.0.  Thanks for the patch.