mod_ssl (both 1.3.x and 2.x) currently uses the SSL_LIBRARY_TEXT define instead of the SSLeay_version() function to determine the version number of OpenSSL which it is using. This is bad because here the mod_ssl binary is carrying the OpenSSL version number instead of querying the version of OpenSSL it's using. This can lead to confusion (especially security related), if for example an administrator patches OpenSSL to be 3.4.d instead of 3.4.a, to work around known mod_ssl related vulnerabilities in OpenSSL. Even though the system has been properly patched, it will still report the old (mod_ssl compiled-in) version number to scanning software etc. Our customers complained, and we have fixed the following in our version of Apache... however I feel this change would make sense upstream as well. I've attached a diff against 1.3.28: The 2.1.x diff is nearly identical, only different line numbers. Simply replace the one instance of "SSL_LIBRARY_TEXT" in ssl_engine_vars.c with "SSLeay_version(SSLEAY_VERSION)". Thanks for your time. RCS file: /cvs/root/apache_mod_ssl/mod_ssl/pkg.sslmod/ssl_engine_vars.c,v retrieving revision 1.1.1.8 diff -u -r1.1.1.8 ssl_engine_vars.c --- ssl_engine_vars.c 2003/07/25 02:32:10 1.1.1.8 +++ ssl_engine_vars.c 2003/10/20 20:36:34 @@ -617,7 +617,7 @@ result = ap_psprintf(p, "mod_ssl/%s", MOD_SSL_VERSION); } else if (strEQ(var, "LIBRARY")) { - result = ap_pstrdup(p, SSL_LIBRARY_TEXT); + result = ap_pstrdup(p, SSLeay_version(SSLEAY_VERSION)); if ((cp = strchr(result, ' ')) != NULL) { *cp = '/'; if ((cp2 = strchr(cp, ' ')) != NULL) cvs server: Diffing mod_ssl/pkg.sslsup
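Review bot: keep the ap_pstrdup() around SSLeay_version(SSLEAY_VERSION) exactly as the hunk has it; the context lines that follow (`*cp = '/';` after the strchr) write into `result`, and SSLeay_version() returns a pointer to a static string inside libcrypto, so assigning its return value directly would mutate the library's own copy. The truncation logic below the changed line still assumes the "OpenSSL <version> <date>" layout it assumed for SSL_LIBRARY_TEXT, so the reported token stays of the form "OpenSSL/0.9.7c"; that is fine, but worth a comment since it now depends on the runtime string format rather than a compile-time constant. Two things to confirm at commit time: that <openssl/crypto.h>, which declares SSLeay_version(), is already reachable through the file's existing includes, and that the commit message notes the fix only changes what is reported when libcrypto is loaded as a shared library; a mod_ssl linked statically against OpenSSL still carries the old code and the runtime query will, correctly, keep reporting the old version.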
Thanks for the patch. Note that to get a change in the independent mod_ssl that works with Apache 1.3, talk to the folks that maintain it (www.modssl.org). It seems clear from your description what we need to do with 2.1 and 2.0.
Committed to HEAD, will propose for backport to 2.0. Thanks for the patch. http://cvs.apache.org/viewcvs/httpd-2.0/modules/ssl/ssl_engine_vars.c.diff?r1=1.27&r2=1.28