semioticpixels scratch pad » ssl http://www.semioticpixels.com Sun, 23 May 2010 20:07:32 +0000 http://wordpress.org/?v=2.9.2 en hourly 1 open ssl upgrade from ssl 2 -> ssl 3 http://www.semioticpixels.com/2009/10/open-ssl-upgrade-from-ssl-2-ssl-3/ http://www.semioticpixels.com/2009/10/open-ssl-upgrade-from-ssl-2-ssl-3/#comments Mon, 05 Oct 2009 17:18:32 +0000 admin http://www.semioticpixels.com/?p=74 I inherited a number of web servers that had been installed and configured by different contractors and am now in the process of evaluating what needs to happen to bring them all up to snuff as well as figuring out ways to streamline regular updates. Some of those web servers are still on Red 7.3 (!), the last free open source version of Red Hat. They’re quite old in server years. Additionally I have a few other servers I set up a year ago that are more up-to-date running Ubuntu 8 LTS, but the Apache version is 2.2.11 and 2.2.8. Our security scanning service notifies me regularly that SSL v 2 must be upgraded to SSL v3, which requires an upgrade to Apache 2.2.13

Environment:

Apache 1.3.29

References:

How to Disable SSL v 2 support in Apache

On Aug 10, 2009, Apache released an upgrade that addresses a DOS vulnerability.

server:

/usr/local/apache2/bin/httpd -v
# Server version: Apache/2.2.11 (Unix)
# Server built:   Jan 15 2009 13:39:20

dev server:

/usr/sbin/apache2 -v

Issues

  1. caused 401 error for all http requests (worked correctly for https connections) source
  2. Seem to be some issues with mac version – It’s unclear whether this is an issue with a pre-compiled mac version or a generic self-compiled (which should be identical to the linux version) source

Dev Server Tests

Ran apt-get update and apt-get upgrade on dev server

ran apt-get upgrade apache2 and message returned says that 2.2.8 is the current version. Which means my dev and my production servers are out of sync. I was surprised to learn that the last contractor from whom I took over server management had installed from source, removing Apache from package management. Not a big deal really, but it was undocumented.

In any case, there doesn’t appear to be a package release for Apache 2.2.13 yet in Ubuntu. Only one of the 4 bugfixes has a security bulletin attached, so I’ve decided to wait a few weeks to see if anything new transpires in the security bulletins. In general, I prefer to wait on updating production servers until a new release has been out long enough for bugfixes to be released.

]]> http://www.semioticpixels.com/2009/10/open-ssl-upgrade-from-ssl-2-ssl-3/feed/ 0