shenson at opensslfoundation
Apr 20, 2012, 8:29 AM
Post #1 of 1
CVE-2012-2110 and mod_ssl.
A note about the impact of the potentially exploitable OpenSSL vulnerability
CVE-2012-2110 on mod_ssl.
The OCSP part of Apache 2.4 mod_ssl makes use of the d2i_OCSP_RESPONSE_bio call
which is affected. Since OCSP data relies on DNS it cannot be trusted and an
attacker could inject malicious data by this route if OCSP or OCSP stapling is
An alternative technique which would not rely on the OpenSSL upstream fix would
be to use d2i_OCSP_RESPONSE instead.
The mod_ssl code also makes use of the affected d2i_X509_bio and
d2i_PrivateKey_bio calls but these load certificates and keys for server
configuration and so the data should come from trusted sources.
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
shenson [at] opensslfoundation