Bug 23956 - mod_ssl should report actual OpenSSL version
Summary: mod_ssl should report actual OpenSSL version
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl (show other bugs)
Version: 2.0.47
Hardware: All All
: P3 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2003-10-20 20:48 UTC by Eric Seidel
Modified: 2004-11-16 19:05 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Eric Seidel 2003-10-20 20:48:06 UTC
mod_ssl (both 1.3.x and 2.x) currently uses the SSL_LIBRARY_TEXT define instead of the 
SSLeay_version() function to determine the version number of OpenSSL which it is using.

This is bad because here the mod_ssl binary is carrying the OpenSSL version number instead of 
querying the version of OpenSSL it's using.  This can lead to confusion (especailly security related), if 
for example an administrator patches OpenSSL to be 3.4.d instead of 3.4.a, to work around known 
mod_ssl related vulnerabilities in OpenSSL.

Even though the system has been properly patched, it will still report the old (mod_ssl compiled in) 
version number to Scanning software etc.

Our customers complained, and we have fixed the following in our version of Apache... however I feel 
this change would make sense up-stream as well.

I've attached a diff against 1.3.28:

The 2.1.x diff is nearly identical, only different line numbers.  Simply replace the one instance of 
"SSL_LIBRARY_TEXT" in ssl_engine_vars.c  with "SSLeay_version(SSLEAY_VERSION)".

Thanks for your time.

RCS file: /cvs/root/apache_mod_ssl/mod_ssl/pkg.sslmod/ssl_engine_vars.c,v
retrieving revision
diff -u -r1.1.1.8 ssl_engine_vars.c
--- ssl_engine_vars.c   2003/07/25 02:32:10
+++ ssl_engine_vars.c   2003/10/20 20:36:34
@@ -617,7 +617,7 @@
         result = ap_psprintf(p, "mod_ssl/%s", MOD_SSL_VERSION);
     else if (strEQ(var, "LIBRARY")) {
-        result = ap_pstrdup(p, SSL_LIBRARY_TEXT);
+        result = ap_pstrdup(p, SSLeay_version(SSLEAY_VERSION));
         if ((cp = strchr(result, ' ')) != NULL) {
             *cp = '/';
             if ((cp2 = strchr(cp, ' ')) != NULL)
cvs server: Diffing mod_ssl/pkg.sslsup
Comment 1 Jeff Trawick 2003-10-20 22:37:22 UTC
Thanks for the patch.  Note that to get a change in the independent mod_ssl that
works with Apache 1.3, talk to the folks that maintain it (www.modssl.org).  It
seems clear from your description what we need to do with 2.1 and 2.0.
Comment 2 Joe Orton 2003-11-25 21:13:31 UTC
Committed to HEAD, will propose for backport to 2.0.  Thanks for the patch.