On Nov 15, 2007, at 11:43 AM, Rahul S. Johari wrote:
Ave,
I was actually referred to this Mailing List by someone in the PHP
General Mailing List. (If you're here as well, Hi!)
I have Mac OS X 10.5 Leopard running on my PowerMac G5 with Apache
Web Server 2.2.26 and PHP 5.2.4
We recently ran a security/vulnerabilities scan on our server using
a service and came up with some potential vulnerabilities. I was
able to resolve all those vulnerabilities except one:
Netscape/OpenSSL Cipher Forcing Bug
THREAT:
Netscape's SSLv3 implementation had a bug where if a SSLv3
connection is initially established, the first available cipher is
used. If a session is resumed, a
different cipher may be chosen if it appears in the passed cipher
list before the session's current cipher. This bug can be used to
change ciphers on the server.
OpenSSL contains this bug if the
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option is enabled during
runtime. This option was introduced for
compatibility reasons.
This is the Solution they recommended:
This problem can be fixed by disabling the
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option from the options
list of OpenSSL's libssl library.
This can be done by replacing the SSL_OP_ALL definition in the
openssl/ssl.h file with the following line:
#define SSL_OP_ALL
(0x00000FFFL^SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)
The library and all programs using this library need to be
recompiled to ensure that the correct OpenSSL library is used
during linking.
My problem is, I'm not an expert in *nix, and I usually like to
stay away from compiling & recompiling - I especially do *Not* want
to recompile Apache Web Server. So my question is - Is there any
way to implement this solution, or any solution for this problem,
without having to recompile anything?
There's no reason to suspect this vulnerability even applies on OS X.
-dhan
------------------------------------------------------------------------
Dan Shoop
Computer Scientist
iWiring / U.S. Technical Services
