FiloSottile / Heartbleed

A checker (site and tool) for CVE-2014-0160
http://filippo.io/Heartbleed
MIT License

SPDY module 'seems' to generate false-positives (but it's NOT!) #43

Open shoenix opened 10 years ago

shoenix commented 10 years ago

After some testing I found out the test tool reports your Apache as vulnerable when you have the SPDY module enabled, even when you have disabled heartbeats in OpenSSL or are running a correct version of OpenSSL.

bwspath commented 10 years ago

mod_spdy is compiled with --static for most distros. So your shared libs are ok but not used by mod_spdy at compile time. Recompile the mod or disable and wait for an update.

Update: on some of our servers disabling it didn't even make a difference, so I would recommend removing it till either you recompile or get an up-to-date version!

shoenix commented 10 years ago

I actually think mod_ssl_with_npn.so (packaged with spdy) is the culprit. It should be mod_ssl with 1 small extra patch according to the description, but size-wise it's 11x bigger, so I suspect this is due to static linking. You need to disable this module separately from mod_spdy.

bwspath commented 10 years ago

But we can agree that it's not a false positive? It's actually using compromised openssl libs, be it not in mod_spdy then :)

shoenix commented 10 years ago

Yes, it's definitely NOT a false positive! It only 'seems' like it because you think you updated all libraries and restarted. Filippo already added SPDY to the FAQ on his site.

So to be absolutely clear: If you scan Vulnerable with SPDY, you ARE affected and need to disable SPDY, recompile it against a correct openssl version or wait until a proper version is released!

docwhat commented 10 years ago

@FiloSottile or @shoenix

Suggestion: change the title to add " (but are not)" to the end. Just so nobody is confused by scanning the issues.

shoenix commented 10 years ago

Thought the 'seems' implied this, but changed as per request :)

shoenix commented 10 years ago

For what it's worth, I just confirmed: it's mod_ssl_with_npn.so. Just checked out the code, only built mod_ssl_with_npn.so, replaced it, and the problem is solved.
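The thread's point is that a module built with --static carries its own copy of OpenSSL, so patching the shared libssl on disk changes nothing for that module. As an added example (not part of the Heartbleed checker or of mod_spdy), the Python below scans a module binary for the version banner OpenSSL embeds and compares it with the releases affected by CVE-2014-0160; the sample blobs are constructed stand-ins for .so files, not real modules.

```python
import re
from pathlib import Path

# OpenSSL embeds a banner such as "OpenSSL 1.0.1e 11 Feb 2013" in libssl and
# libcrypto. A module linked with --static carries that banner itself, so the
# version found inside the .so is the one that actually runs, whatever the
# shared libssl on disk says.
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?(?:-beta\d+)?) ")
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")


def find_openssl_banners(data: bytes) -> list[str]:
    """Return every distinct OpenSSL version banner found in a binary blob."""
    found = []
    for m in BANNER_RE.finditer(data):
        version = m.group(1).decode("ascii")
        if version not in found:
            found.append(version)
    return found


def is_heartbleed_vulnerable(version: str) -> bool:
    """True for releases affected by CVE-2014-0160: 1.0.1 through 1.0.1f
    and 1.0.2-beta1. Anything else (0.9.8, 1.0.0, 1.0.1g+) is not flagged."""
    m = VERSION_RE.fullmatch(version)
    if not m:
        return False
    major, minor, patch, letter, beta = m.groups()
    if (major, minor, patch) == ("1", "0", "1"):
        return letter <= "f"  # "" (plain 1.0.1) sorts before "a"
    if (major, minor, patch) == ("1", "0", "2"):
        return beta == "1"
    return False


def check_module(data: bytes) -> dict:
    """Classify a module binary: does it embed OpenSSL, and which version?"""
    banners = find_openssl_banners(data)
    return {"embeds_openssl": bool(banners), "versions": banners,
            "vulnerable": any(is_heartbleed_vulnerable(v) for v in banners)}


def check_module_file(path: str) -> dict:
    return check_module(Path(path).read_bytes())


# Constructed stand-ins for module binaries (not real ELF files): the banner
# string is all the check looks at, so the rest is filler.
STATIC_OLD = b"\x7fELF" + b"\0" * 16 + b"OpenSSL 1.0.1e 11 Feb 2013\0"
STATIC_FIXED = b"\x7fELF" + b"\0" * 16 + b"OpenSSL 1.0.1g 7 Apr 2014\0"
DYNAMIC = b"\x7fELF" + b"\0" * 16 + b"libssl.so.1.0.0\0"  # no banner of its own

if __name__ == "__main__":
    for name, blob in [("static-old", STATIC_OLD), ("static-fixed", STATIC_FIXED), ("dynamic", DYNAMIC)]:
        print(name, check_module(blob))
```

No banner found only means no statically linked OpenSSL was detected, not that the module is safe; confirm with `ldd` that it resolves to the updated shared libssl, and restart Apache after replacing it.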