Bug 23956

mod_ssl (both 1.3.x and 2.x) currently uses the SSL_LIBRARY_TEXT define instead of the 
SSLeay_version() function to determine the version number of OpenSSL which it is using.

This is bad because here the mod_ssl binary is carrying the OpenSSL version number instead of 
querying the version of OpenSSL it's using.  This can lead to confusion (especailly security related), if 
for example an administrator patches OpenSSL to be 3.4.d instead of 3.4.a, to work around known 
mod_ssl related vulnerabilities in OpenSSL.

Even though the system has been properly patched, it will still report the old (mod_ssl compiled in) 
version number to Scanning software etc.

Our customers complained, and we have fixed the following in our version of Apache... however I feel 
this change would make sense up-stream as well.

I've attached a diff against 1.3.28:

The 2.1.x diff is nearly identical, only different line numbers.  Simply replace the one instance of 
"SSL_LIBRARY_TEXT" in ssl_engine_vars.c  with "SSLeay_version(SSLEAY_VERSION)".

Thanks for your time.

RCS file: /cvs/root/apache_mod_ssl/mod_ssl/pkg.sslmod/ssl_engine_vars.c,v
retrieving revision 1.1.1.8
diff -u -r1.1.1.8 ssl_engine_vars.c
--- ssl_engine_vars.c   2003/07/25 02:32:10     1.1.1.8
+++ ssl_engine_vars.c   2003/10/20 20:36:34
@@ -617,7 +617,7 @@
         result = ap_psprintf(p, "mod_ssl/%s", MOD_SSL_VERSION);
     }
     else if (strEQ(var, "LIBRARY")) {
-        result = ap_pstrdup(p, SSL_LIBRARY_TEXT);
+        result = ap_pstrdup(p, SSLeay_version(SSLEAY_VERSION));
         if ((cp = strchr(result, ' ')) != NULL) {
             *cp = '/';
             if ((cp2 = strchr(cp, ' ')) != NULL)
cvs server: Diffing mod_ssl/pkg.sslsup