Open Source Development

Power Open Source Development

Explore the open source tools and capabilities for building and deploying modern applications on IBM Power platforms including AIX, IBM i, and Linux.


#Power



httpd 2.4.57

  • 1.  httpd 2.4.57

    Posted 09/15/23 09:12 AM

    Good morning. Needing an ETA on http/mod_ssl, as Tenable is calling out for an update.

    It would be awesome if the updated http/mod_ssl could be released at the same time as OpenSSL - this would surely be the logical next step.

    Thanks



    ------------------------------
    Scott Gruber
    ------------------------------

    #AIXOpenSource


  • 2.  RE: httpd 2.4.57

    Posted 09/19/23 10:53 AM

    So a while ago we were asking for mod_ssl to use OpenSSL 1.1.1u. Then Tenable marked it as vulnerable and we then asked for mod_ssl to use OpenSSL 1.1.1v.

    Now Tenable has marked it as vulnerable and we are asking for mod_ssl to use OpenSSL 1.1.1w.

    We are in dire need. As a major business with major investments in IBM technology, we need IBM to take a more responsible approach to timely updates to OpenSSL, mod_ssl and httpd.

    We need mod_ssl to use OpenSSL 1.1.1w ASAP. I truly believe that with all of IBM's billions of profits, IBM can surely and appropriately designate a team just for this endeavor.


    Thanks



    ------------------------------
    Scott Gruber
    ------------------------------



  • 3.  RE: httpd 2.4.57

    Posted 09/19/23 11:22 AM

    When you are invested that big in IBM stuff, why are you posting your complaints in a public forum instead of talking to your service representative inside IBM?



    ------------------------------
    I regret starting this entire conversation
    ------------------------------



  • 4.  RE: httpd 2.4.57

    Posted 09/19/23 11:35 AM

    Actually we have done both.

    Thanks



    ------------------------------
    Scott Gruber
    ------------------------------



  • 5.  RE: httpd 2.4.57

    Posted 09/20/23 03:31 AM

    Hi Scott,

    mod_ssl links dynamically to openssl. So, if you have the latest openssl installed, mod_ssl will make use of it.
    It is not required to build mod_ssl with the latest openssl.



    ------------------------------
    RESHMA KUMAR
    ------------------------------



  • 6.  RE: httpd 2.4.57

    Posted 09/20/23 02:00 PM

    Hi Reshma

    My understanding was that openssl was compiled into mod_ssl.

    This is what my system reports.

    # strings /opt/freeware/lib64/httpd/modules/mod_ssl.so | egrep '^mod_ssl\/|^OpenSSL '
    OpenSSL 1.1.1l  24 Aug 2021

    # /usr/bin/openssl version
    OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)

    # rpm -qa |grep httpd
    httpd-2.4.56-1.ppc
    # rpm -qa |grep mod_ssl
    mod_ssl-2.4.56-1.ppc


    Tenable reports
    The version of OpenSSL installed on the remote host is prior to 1.1.1u. It is, therefore, affected by multiple vulnerabilities as referenced in the 1.1.1u advisory.
    The version of OpenSSL installed on the remote host is prior to 1.1.1v. It is, therefore, affected by a vulnerability as referenced in the 1.1.1v advisory.
    The version of OpenSSL installed on the remote host is prior to 1.1.1w. It is, therefore, affected by a vulnerability as referenced in the 1.1.1w advisory.

    The remote web server type is :

    Apache/2.4.56 (Unix) OpenSSL/1.1.1t

    I thought I was waiting for a new mod_ssl. Are you saying I need to wait until IBM has a new OpenSSL package?

    Vinny



    ------------------------------
    Vincenzo Giambalvo
    ------------------------------



  • 7.  RE: httpd 2.4.57

    Posted 09/21/23 04:36 AM
    Edited by C- -T 09/21/23 04:36 AM

    You are expecting httpd to be built against openssl V3, which is not the case.

    It's all written in the httpd spec file:

    * Fri Oct 21 2022 Ayappan P <ayappap2@in.ibm.com> - 2.4.54-3
    - Build with openssl 1.1.2 ( strong ciphers only )



    ------------------------------
    I regret starting this entire conversation
    ------------------------------



  • 8.  RE: httpd 2.4.57

    Posted 09/21/23 08:50 AM

    I'm trying to understand where the openssl vulnerabilities are coming from so I can update the packages.  It looks like other people have the same question.

    Vinny



    ------------------------------
    Vincenzo Giambalvo
    ------------------------------



  • 9.  RE: httpd 2.4.57

    Posted 09/21/23 09:03 AM

    In your case, you are checking mod_ssl for SSL version strings, which point to openssl 1.1.X. As the machine where you are doing this check has openssl V3 installed and the library includes the backward-compatibility libs for openssl, mod_ssl loads the 1.1.X libs via runtime linking, as it's built against the 1.1.X headers.

    If you need bleeding-edge apache/ssl versions, I would recommend switching to another platform for hosting web servers.



    ------------------------------
    I regret starting this entire conversation
    ------------------------------
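An added example, not code from anyone in this thread, that applies the distinction above to the three version strings Vinny pasted: the build banner inside mod_ssl.so, the default openssl CLI, and the Server header. It assumes, as the thread's own output shows, that the Server header reports the OpenSSL library mod_ssl loaded at runtime, and that 1.1.1 releases order by their letter suffix.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, str]  # e.g. (1, 1, 1, "t") or (3, 0, 8, "")

# Evidence constructed from the command output quoted earlier in this thread.
EVIDENCE = {
    "mod_ssl.so build banner (strings)": "OpenSSL 1.1.1l  24 Aug 2021",
    "openssl CLI (default library)": "OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)",
    "Server header (library mod_ssl loaded at runtime)": "Apache/2.4.56 (Unix) OpenSSL/1.1.1t",
}
# Assumption: the Server header is emitted from the library actually loaded,
# so it is the figure that decides whether a mod_ssl finding is real.
RUNTIME_SOURCE = "Server header (library mod_ssl loaded at runtime)"

_PREFIXED = re.compile(r"OpenSSL/?\s*(\d+)\.(\d+)\.(\d+)([a-z]*)")
_BARE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text: str) -> Optional[Version]:
    """First OpenSSL version in text; a bare '1.1.1w' (advisory name) also parses."""
    m = _PREFIXED.search(text) or _BARE.fullmatch(text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def branch(v: Version) -> Tuple[int, ...]:
    # 1.1.1a..1.1.1w share the 1.1.1 branch; 3.0.x releases share the 3.0 branch.
    return v[:3] if v[0] < 3 else v[:2]


def status(found: Version, fixed_in: Version) -> str:
    if branch(found) != branch(fixed_in):
        return "other branch"  # 3.0.8 is not "prior to 1.1.1w"; the advisory does not apply
    # Tuple order: numeric parts first, then the letter suffix ("t" < "w").
    return "fixed" if found >= fixed_in else "affected"


def assess(evidence: Dict[str, str], advisory: str) -> Dict[str, str]:
    """Status of every version source against one advisory (e.g. '1.1.1w')."""
    fixed_in = parse_version(advisory)
    result = {}
    for source, text in evidence.items():
        v = parse_version(text)
        result[source] = "unparsed" if v is None or fixed_in is None else status(v, fixed_in)
    return result


def runtime_status(evidence: Dict[str, str], advisory: str) -> str:
    """Verdict based on the library mod_ssl loaded, not the banner baked into the .so."""
    return assess(evidence, advisory)[RUNTIME_SOURCE]
```

With the 1.1.1v package installed, the Server header moves to OpenSSL/1.1.1v and the 1.1.1u and 1.1.1v advisories clear, while the build banner inside mod_ssl.so still reads 1.1.1l.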



  • 10.  RE: httpd 2.4.57

    Posted 09/22/23 01:04 AM
    Edited by RESHMA KUMAR 09/22/23 01:07 AM

    Hi Vinny,
    Yes, that is correct. You need to wait for the new version of Openssl to be released. If that is installed, mod_ssl will use it during runtime.
    As a point of information, we have openssl 1.1.1v available.



    ------------------------------
    RESHMA KUMAR
    ------------------------------



  • 11.  RE: httpd 2.4.57

    Posted 09/22/23 03:13 AM

    openssl 1.1.1w has only one CVE fix, and that is also for the Windows platform. So there is no plan from IBM to update openssl to 1.1.1w in AIX any time soon. 1.1.1v is already available in AIX web download pack programs. So installing openssl 1.1.1v will fix the problem. Tenable needs to be tuned to ignore the 1.1.1w advisory for AIX.



    ------------------------------
    Ayappan P
    ------------------------------



  • 12.  RE: httpd 2.4.57

    Posted 09/22/23 09:24 AM

    Interesting, so the number of vulnerabilities determines IBM's interest to resolve??? Given that OpenSSL is designed for security, even a single vulnerability is unacceptable. Please update to OpenSSL 1.1.1w.

    Thanks



    ------------------------------
    Scott Gruber
    ------------------------------



  • 13.  RE: httpd 2.4.57

    Posted 09/22/23 09:37 AM

    To make it more clear, openssl 1.1.1v is affected by only one CVE so far. That CVE affects only the Windows (Microsoft Windows) platform. So if you have openssl 1.1.1v installed in AIX or Linux or any UNIX platform, then so far there are no known security vulnerabilities affecting this openssl 1.1.1v version.



    ------------------------------
    Ayappan P
    ------------------------------



  • 14.  RE: httpd 2.4.57

    Posted 09/22/23 09:48 AM

    Thanks Ayappan for the clarification.



    ------------------------------
    Scott Gruber
    ------------------------------