In your case, you are checking mod_ssl for SSL version strings, which point to OpenSSL 1.1.X. As the machine where you are doing this check has OpenSSL V3 installed and the library includes the backward compatibility libs for OpenSSL, mod_ssl loads the 1.1.X libs via runtime linking, as it's built against the 1.1.X headers.
If you need bleeding edge Apache/SSL versions, I would recommend switching to another platform for hosting webservers.
Original Message:
Sent: Thu September 21, 2023 08:50 AM
From: Vinny G
Subject: httpd 2.4.57
I'm trying to understand where the openssl vulnerabilities are coming from so I can update the packages. It looks like other people have the same question.
Vinny
------------------------------
Vincenzo Giambalvo
Original Message:
Sent: Thu September 21, 2023 04:35 AM
From: C- -T
Subject: httpd 2.4.57
You are expecting httpd to be built against OpenSSL V3, which is not the case.
It's all written in the httpd spec file:
* Fri Oct 21 2022 Ayappan P <ayappap2@in.ibm.com> - 2.4.54-3
- Build with openssl 1.1.2 ( strong ciphers only )
------------------------------
I regret starting this entire conversation
Original Message:
Sent: Wed September 20, 2023 01:59 PM
From: Vincenzo Giambalvo
Subject: httpd 2.4.57
Hi Reshma
My understanding was that openssl was compiled into mod_ssl.
This is what my system reports.
# strings /opt/freeware/lib64/httpd/modules/mod_ssl.so | egrep '^mod_ssl\/|^OpenSSL '
OpenSSL 1.1.1l 24 Aug 2021
# /usr/bin/openssl version
OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)
# rpm -qa |grep httpd
httpd-2.4.56-1.ppc
# rpm -qa |grep mod_ssl
mod_ssl-2.4.56-1.ppc
Tenable reports
The version of OpenSSL installed on the remote host is prior to 1.1.1u. It is, therefore, affected by multiple vulnerabilities as referenced in the 1.1.1u advisory.
The version of OpenSSL installed on the remote host is prior to 1.1.1v. It is, therefore, affected by a vulnerability as referenced in the 1.1.1v advisory.
The version of OpenSSL installed on the remote host is prior to 1.1.1w. It is, therefore, affected by a vulnerability as referenced in the 1.1.1w advisory.
The remote web server type is :
Apache/2.4.56 (Unix) OpenSSL/1.1.1t
I thought I was waiting for a new mod_ssl. Are you saying I need to wait until IBM has a new OpenSSL package?
Vinny
------------------------------
Vincenzo Giambalvo
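An added example, not part of any post in this thread: it parses the three version observations posted above (the string compiled into mod_ssl.so, the `openssl` CLI output, and the Server banner) and lists which of the Tenable fixed-in releases the run-time library predates. It assumes the OpenSSL token in the Server banner reflects the library httpd loaded at run time; the function names are hypothetical.

```python
import re

# OpenSSL 1.x versions are three numbers plus an optional patch letter ("1.1.1t");
# 3.x versions have no letter ("3.0.8").
_VERSION = re.compile(r"OpenSSL[ /](\d+)\.(\d+)\.(\d+)([a-z]*)")

# Fixed-in releases named in the Tenable findings quoted in the thread.
FIXED_IN = ("1.1.1u", "1.1.1v", "1.1.1w")


def parse_openssl(text):
    """Return (major, minor, fix, letter) for the first OpenSSL version in text, else None."""
    m = _VERSION.search(text)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def triage(strings_line, cli_line, server_banner):
    """Compare the three version sources; list advisories the run-time library predates."""
    build = parse_openssl(strings_line)      # constant compiled into mod_ssl.so
    cli = parse_openssl(cli_line)            # the /usr/bin/openssl binary
    runtime = parse_openssl(server_banner)   # assumption: the library httpd loaded
    behind = []
    if runtime is not None:
        # Tuples order correctly: "" < "l" < "t" < "u", so 1.1.1 < 1.1.1l < 1.1.1t < 1.1.1u.
        behind = [v for v in FIXED_IN if runtime < parse_openssl("OpenSSL " + v)]
    return {
        "build": build,
        "cli": cli,
        "runtime": runtime,
        # False means `openssl version` describes a different release line than httpd uses.
        "cli_same_branch": None not in (cli, runtime) and cli[:2] == runtime[:2],
        "behind": behind,
    }


if __name__ == "__main__":
    # The three observations posted in the thread.
    result = triage(
        "OpenSSL 1.1.1l 24 Aug 2021",
        "OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)",
        "Apache/2.4.56 (Unix) OpenSSL/1.1.1t",
    )
    for key, value in result.items():
        print(f"{key}: {value}")
```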
Original Message:
Sent: Wed September 20, 2023 03:31 AM
From: RESHMA KUMAR
Subject: httpd 2.4.57
Hi Scott,
mod_ssl links dynamically to openssl. So, if you have the latest openssl installed, mod_ssl will make use of it.
It is not required to build mod_ssl with latest openssl.
------------------------------
RESHMA KUMAR
Original Message:
Sent: Tue September 19, 2023 11:35 AM
From: Scott Gruber
Subject: httpd 2.4.57
Actually we have done both.
Thanks
------------------------------
Scott Gruber
Original Message:
Sent: Tue September 19, 2023 11:22 AM
From: C- -T
Subject: httpd 2.4.57
When you are invested that big in IBM stuff, why are you posting your complaints in a public forum instead of talking to your service representative inside IBM?
------------------------------
I regret starting this entire conversation
Original Message:
Sent: Tue September 19, 2023 10:52 AM
From: Scott Gruber
Subject: httpd 2.4.57
So a while ago we were asking for mod_ssl to use OpenSSL 1.1.1u. Then Tenable marked it as vulnerable and we then asked for mod_ssl to use OpenSSL 1.1.1v.
Now Tenable has marked it as vulnerable and now we are asking for mod_ssl to use OpenSSL 1.1.1w.
We are in dire need as a major business with major investments in IBM technology where we need for IBM to take a more responsible approach to timely updates to OpenSSL, mod_ssl, httpd.
We need mod_ssl to use OpenSSL 1.1.1w ASAP. I truly believe with all of IBM's billions of profits that IBM can surely and appropriately designate a team just for this endeavor.
Thanks
------------------------------
Scott Gruber
Original Message:
Sent: Fri September 15, 2023 09:12 AM
From: Scott Gruber
Subject: httpd 2.4.57
Good morning, needing ETA on http/mod_ssl as Tenable is calling out for an update.
It would be awesome if the updated http/mod_ssl could be released at the same time as OpenSSL - this would surely be the logical next step.
Thanks
------------------------------
Scott Gruber
------------------------------