Please reply if you can: this is a serious OpenSSL vulnerability. Here is the log:

[Fri Nov 22 11:08:33 2002] [error] [client 164.77.208.74] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Fri Nov 22 11:08:43 2002 : 64.86.0.229] domain silvercrest.ca rar 29 (24502)
[Fri Nov 22 11:08:46 2002] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Fri Nov 22 11:13:42 2002] [error] mod_ssl: SSL handshake timed out (client 164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:13:42 2002] [error] mod_ssl: SSL handshake timed out (client 164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:13:46 2002] [error] mod_ssl: SSL handshake timed out (client 164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:13:47 2002] [error] mod_ssl: SSL handshake timed out (client 164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:13:48 2002] [error] mod_ssl: SSL handshake timed out (client 164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:13:49 2002] [error] mod_ssl: SSL handshake timed out (client 164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:13:50 2002] [error] mod_ssl: SSL handshake failed (server venus.cira.ca:443, client 164.77.208.74) (OpenSSL library error follows)
[Fri Nov 22 11:13:50 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[Fri Nov 22 11:13:50 2002] [error] mod_ssl: SSL handshake timed out (client 164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:13:50 2002] [error] mod_ssl: SSL handshake timed out (client 164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:13:50 2002] [error] mod_ssl: SSL handshake timed out (client 164.77.208.74, server venus.cira.ca:443)
Server crash!!!!!

-----Original Message-----
From: ervin ruci [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 22, 2002 10:46 AM
To: Richard Levitte - VMS Whacker; [EMAIL PROTECTED]
Subject: RE: Beta 4 of OpenSSL 0.9.7

What is actually of greater urgency for me is an OpenSSL vulnerability that allows clients to just open the connection and leave it hanging, hence forcing my web server to reach its MaxClients setting and crash. This problem was addressed by OpenSSL version g for the Linux platform, but on Solaris the vulnerability still exists with this version. That's why I went to try the beta version in the first place, hoping you would have taken care of this.

-----Original Message-----
From: Richard Levitte - VMS Whacker [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 21, 2002 4:32 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Beta 4 of OpenSSL 0.9.7

In message <[EMAIL PROTECTED]> on Thu, 21 Nov 2002 12:09:56 -0500, "ervin ruci" <[EMAIL PROTECTED]> said:

ruci> tried Beta 4 of OpenSSL 0.9.7 and apache/mod_ssl. i can't restart the web
ruci> server.
ruci>
ruci> Syntax error on line 53 of /usr/local/apache+sharedmm/conf/httpd.conf:
ruci> Cannot load /usr/local/apache+sharedmm/libexec/libssl.so into server:
ruci> ld.so.1: /usr/local/apache+sharedmm/bin/httpd: fatal: relocation error: file
ruci> /usr/local/apache+sharedmm/libexec/libssl.so: symbol sk_new_null: referenced
ruci> symbol not found
ruci> ./apachectl start: httpd could not be started

Hmm, you probably need to set up LD_LIBRARY_PATH or similar to point at /usr/local/apache+sharedmm/libexec, so libcrypto.so can be loaded as well...

--
Richard Levitte                         \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken                       \ S-168 35 BROMMA   \ T: +46-8-26 52 47
                                        \ SWEDEN            \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
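Added example, not part of the thread above and not OpenSSL or mod_ssl code: the poster's complaint is that one client can hold handshakes open until Apache hits MaxClients, and the posted log shows what that looks like, a burst of "SSL handshake timed out" lines from a single client IP a few seconds before and after the MaxClients message. The script below parses such an Apache/mod_ssl error log, counts handshake timeouts and failures per client IP in a sliding window, and flags IPs that exceed a threshold. The sample log lines are copied from the posted log (with the wrapped "follows" repaired), plus one constructed line from a second, made-up IP to show that a lone timeout is not flagged. The threshold (5) and window (60 s) are assumed values for illustration, not anything the thread recommends.

```python
"""Flag client IPs that pile up mod_ssl handshake errors in a short window.

Added example for an Apache 1.3 / mod_ssl style error log; threshold and
window values below are assumptions, not anything from the original thread.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache 1.3 error_log timestamp, e.g. "Fri Nov 22 11:13:42 2002".
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# mod_ssl writes "timed out (client X, server Y)" but "failed (server Y, client X)",
# so the client IP is matched lazily after the opening parenthesis in both forms.
HANDSHAKE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] mod_ssl: SSL handshake "
    r"(?P<kind>timed out|failed) \(.*?client (?P<ip>\d+(?:\.\d+){3})"
)
MAXCLIENTS_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] server reached MaxClients setting")

# Sample input: lines copied from the log posted in the thread, plus one
# constructed line from 10.0.0.5 (made-up IP) that should NOT be flagged.
SAMPLE_LOG = """\
[Fri Nov 22 11:08:33 2002] [error] [client 164.77.208.74] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Fri Nov 22 11:08:43 2002 : 64.86.0.229] domain silvercrest.ca rar 29 (24502)
[Fri Nov 22 11:08:46 2002] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Fri Nov 22 11:13:42 2002] [error] mod_ssl: SSL handshake timed out (client 164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:13:42 2002] [error] mod_ssl: SSL handshake timed out (client 164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:13:46 2002] [error] mod_ssl: SSL handshake timed out (client 164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:13:47 2002] [error] mod_ssl: SSL handshake timed out (client 164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:13:48 2002] [error] mod_ssl: SSL handshake timed out (client 164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:13:49 2002] [error] mod_ssl: SSL handshake timed out (client 164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:13:50 2002] [error] mod_ssl: SSL handshake failed (server venus.cira.ca:443, client 164.77.208.74) (OpenSSL library error follows)
[Fri Nov 22 11:13:50 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[Fri Nov 22 11:13:50 2002] [error] mod_ssl: SSL handshake timed out (client 164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:13:50 2002] [error] mod_ssl: SSL handshake timed out (client 164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:13:50 2002] [error] mod_ssl: SSL handshake timed out (client 164.77.208.74, server venus.cira.ca:443)
[Fri Nov 22 11:14:10 2002] [error] mod_ssl: SSL handshake timed out (client 10.0.0.5, server venus.cira.ca:443)
"""


def parse_handshake_events(log_text):
    """Return [(timestamp, client_ip, kind)] for every handshake timeout/failure line."""
    events = []
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], TS_FORMAT), m["ip"], m["kind"]))
    return events


def maxclients_hits(log_text):
    """Return the timestamps at which Apache reported hitting MaxClients."""
    return [
        datetime.strptime(m["ts"], TS_FORMAT)
        for m in map(MAXCLIENTS_RE.match, log_text.splitlines())
        if m
    ]


def flag_handshake_floods(events, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak_count} for IPs with >= threshold handshake errors inside any window.

    Sliding window per IP: each new event is appended, events older than the
    window are dropped, and the remaining length is the current burst size.
    """
    recent = defaultdict(deque)
    peak = {}
    for ts, ip, _kind in sorted(events):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


if __name__ == "__main__":
    evs = parse_handshake_events(SAMPLE_LOG)
    for ip, n in flag_handshake_floods(evs).items():
        print(f"handshake flood from {ip}: {n} timeouts/failures within 60s")
    for ts in maxclients_hits(SAMPLE_LOG):
        print(f"MaxClients reached at {ts}")
```

On the posted log this flags 164.77.208.74 with ten handshake errors in under ten seconds, while the constructed single timeout from 10.0.0.5 stays below the threshold. In a real deployment the flagged IP would feed a firewall rule or a rate limit; the counting alone does not fix the underlying problem the poster describes, which is that a half-open handshake ties up an Apache child until its timeout expires.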