
Security update seems to break mod_ssl.so module System
Apple really screwed me up when they updated mod_ssl.so to fix the security issue and did not patch Apache at the same time. I'm as security conscious as the next guy, so I just automatically applied Security Update 2003-03-24 when Software Update opened. At worst, I figured my httpd.conf file may have been displaced again. To my chagrin and surprise, I opened up my browser and went to my local host and clicked on an https link and got nothing as in 'This page contains no data.'

Well it took a little net searching to find out that Apple had updated the mod_ssl.so object and apparently it is incompatible with the Apple-supplied Apache binary. So using Pacifist, I managed to extract the original 10.2 mod_ssl.so file from the Jaguar install CD. I simply moved the new version somewhere else and 'sudo' copied the old one into /usr -> libexec -> httpd. After I restarted Apache, all is well, if a little less secure.

[robg adds: This is the first I've heard of this, and I don't run the module myself, so I can't really confirm the problem. A quick web search didn't turn anything up, so I'm posting this in the hopes that others can confirm or deny the problem and the solution.]
Security update seems to break mod_ssl.so module
Authored by: professor on Apr 03, '03 10:43:58AM

I can't verify this myself, as I've long since moved on to Apache 2.x.

But something doesn't sound right here. The update replaced the OpenSSL shared libraries with newer ones. This could break an old version of mod_ssl which was compiled against an older version of OpenSSL.

The update did not (according to Apple) replace mod_ssl so, unless your copy was pooched for some unrelated reason, replacing it from backup would not cure anything.

Downgrading your OpenSSL libraries, however, would be a very bad idea.



[ Reply to This | # ]
Security update seems to break mod_ssl.so module
Authored by: foniks2020 on Apr 04, '03 01:28:50AM

You make some valid points but according to the receipts, etc. the openssl libraries weren't updated, only libssl.so which was updated in binary form, precompiled against new openssl libraries... and to clarify, I believe I was running Apple's Apache binary as mod_hfs and mod_rendezvous worked w/o problem.

I wasn't sure about what was wrong until I read a post on Slashdot that mentioned the libssl.so update. Until then I thought I had a corrupted database or something.



[ Reply to This | # ]
Security update seems to break mod_ssl.so module
Authored by: tim1724 on Apr 03, '03 01:11:09PM

I run mod_ssl on my website and haven't noticed any problem. I'm using Apple's Apache, Apple's mod_ssl, Mac OS X 10.2.4, and all security updates. I set up SSL on my website with no problems last Monday and have been using it ever since.

Yes, Apple updated /usr/libexec/httpd/libssl.so (according to the file listing in /Library/Receipts/SecurityUpd2003-03-24.pkg/Contents/Archive.bom) ... but it works just fine on my system. Are you sure you're using the Apple-supplied Apache?

---
--
Tim Buchheim

[ Reply to This | # ]

Security update seems to break mod_ssl.so module
Authored by: foniks2020 on Apr 04, '03 01:32:48AM

Did you create your cert and key files before or after the update AND have you restarted your webserver recently?



[ Reply to This | # ]
Having the same problem
Authored by: otterskip on Apr 03, '03 03:55:57PM

I'm having the same problem as the poster of the hint. mod_ssl is not working for me, though I can't pin the exact cause down to installing the security update as the last time I tried it was about a month ago.

According to the error_log, mod_ssl is causing Apache processes to segfault or bus error.

I'm using the mod_ssl setup as described at http://developer.apple.com/internet/macosx/modssl.html



[ Reply to This | # ]
Fixed in the same way
Authored by: otterskip on Apr 04, '03 06:34:50PM

Like the poster, I was able to replace the libssl.so file in /usr/libexec/httpd with the pre-update one and that fixed the problem. Still, curious why this happened.



[ Reply to This | # ]
Security update seems to break mod_ssl.so module
Authored by: foniks2020 on Apr 04, '03 01:18:22AM

I'd like to apologize for a mistake in my post... it was the Apache module libssl.so which caused the problem... and you can see that it was changed by going to /usr/libexec/httpd and checking the modification/creation date on libssl.so



[ Reply to This | # ]
I had the same problem
Authored by: Gwyrrdin on Apr 06, '03 09:00:39AM
Every call to mod_ssl caused Apache to crash (the child process, that is). The technique described works... One note, however... the file you need to replace is called: libssl.so

My https is working like a charm again :)

[ Reply to This | # ]
problem showed up in SSLOptions
Authored by: kcunning on Apr 10, '03 09:58:09AM

Thanks! It was helpful to get the workaround, and now my site is back up. Whew!

In one of my own attempts to figure out what was happening, I found that the real inaccessibility arose only when I had the +StdEnvVars or +CompatEnvVars options set in SSLOptions (I used these to be able to access user certificate data). That may be why some folks' SSL works and others don't after the update: perhaps it's only when you try to enable environmental variables that problems arise? (There may have been other, more subtle failures without SSLOptions, but it definitely sputtered out when EnvVars were involved.)

Does this bear true in your own cases?



[ Reply to This | # ]
problem showed up in SSLOptions
Authored by: foniks2020 on Apr 10, '03 06:39:58PM

I'm not familiar with SSLOptions so I don't really know what they do or don't do...

I'm glad you brought this up though as it appears that most of the people who are having this problem have set up their SSL from the Apple supplied KB article which if you copy and paste has these SSLOptions turned on (still not sure why).



[ Reply to This | # ]
problem showed up in SSLOptions
Authored by: foniks2020 on Apr 10, '03 06:51:17PM

Commenting out the lines referring to +StdEnvVars does indeed allow the new libssl.so binary to work.

So as a final update: if you don't need +StdEnvVars as an SSLOption then you should be able to simply comment or delete that part of your httpd.conf to get the new libssl.so from Apple to play nicely with Apache.

Following is the section I commented out... the Files and Directory 'directives'.


# <Files ~ "\.(cgi|shtml|phtml|php3?)$">
# SSLOptions +StdEnvVars
# </Files>

# <Directory "/xxx/xxx/xxx/cgi-bin/">
# SSLOptions +StdEnvVars
# </Directory>

# correction for browsers that don't always handle SSL connections well
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog /var/log/httpd/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"


RewriteEngine on
RewriteRule ^/(.*)-SSL$ https://%{SERVER_NAME}/$1 [R,L]
RewriteRule ^/(.*)-NOSSL$ http://%{SERVER_NAME}/$1 [R,L]



[ Reply to This | # ]
problem showed up in SSLOptions
Authored by: Anonymous on Jun 23, '03 04:12:20PM

Yup. I just upgraded a machine to 10.2. SSL installed per the Apple Developer article worked fine, just as it had under 10.1.5. Then, I upgraded to 10.2.6 using the combined updater and it busted. I commented out those lines and --- voila! --- it's working again.

Thanks!

Steven



[ Reply to This | # ]
problem showed up in SSLOptions
Authored by: JohnAlbin on Apr 11, '03 01:11:54PM

You can see a list of environment variables that are added by the "SSLOptions +StdEnvVars" or "SSLOptions +CompatEnvVars" statements on the mod_ssl site (http://www.modssl.org/docs/2.8/ssl_reference.html#ToC25).

Most of these environment variables are pretty geeky. Fortunately, the variable most people use, HTTPS, which specifies whether SSL is being used or not, is already set by Apache without the +StdEnvVars or +CompatEnvVars settings.

Side note: Mac OS X 10.2.5 updates libssl.so yet again, but it doesn't fix the bus errors that occur when using +StdEnvVars or +CompatEnvVars.



[ Reply to This | # ]
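
An added example, not code from any poster in this thread: a small scanner that lists the active (uncommented) SSLOptions directives that switch on StdEnvVars or CompatEnvVars, together with the enclosing section, so the lines to comment out can be found without swapping libssl.so for the pre-update binary. The function names, the sample configuration and its placeholder path are constructed for illustration; option names are matched case-insensitively as an assumption.

```python
# Options the thread ties to the bus errors after the libssl.so update.
RISKY = {"stdenvvars", "compatenvvars"}

def join_continuations(text):
    """Yield (first_line_no, logical_line), merging backslash-continued lines."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf, start = "", None
    if buf:  # file ended on a dangling continuation
        yield start, buf.strip()

def find_env_var_options(conf_text):
    """Return [(line_no, enclosing_section, option)] for active SSLOptions
    directives that enable StdEnvVars or CompatEnvVars."""
    hits, stack = [], []
    for no, line in join_continuations(conf_text):
        words = line.split()
        if not words or line.startswith("#"):
            continue  # blank line or commented-out directive
        if line.startswith("</"):
            del stack[-1:]  # close the innermost section, if any
        elif line.startswith("<"):
            stack.append(line)
        elif words[0].lower() == "ssloptions":
            where = stack[-1] if stack else "(server config)"
            hits += [(no, where, o) for o in words[1:]
                     if not o.startswith("-") and o.lstrip("+").lower() in RISKY]
    return hits

# Constructed sample configuration (placeholder path, not from the thread).
SAMPLE = r'''SSLEngine on
# SSLOptions +CompatEnvVars
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/placeholder/cgi-bin">
    SSLOptions +FakeBasicAuth -CompatEnvVars \
        +StdEnvVars
</Directory>
'''

if __name__ == "__main__":
    for line_no, section, option in find_env_var_options(SAMPLE):
        print(f"line {line_no}: {option} inside {section}")
```
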