Apache 2.4 Features
The Apache Foundation released version 2.4.1 of its popular web server, including a number of interesting changes [1]. Among the features, I would like to highlight some of the security relevant changes:
- more granular logging. Logging is always a tedious and often overlooked security component. Apache 2.4 will allow for log levels to be configured on a per-directory level.
- various changes to timeouts. We had a number of tools over the last few years that attacked web servers by exhausting connections. The new timeout changes may help with that, but over all, I don't think there is a simple fix for this problem.
- changes to the proxy configuration. Some use apache not just as a web server, but as a proxy to restrict access to resources, or as a load balancer. This can help with security, but in the past, bugs in Apache's implementation of these features has caused problems.
- Apache now includes a "mod_session" that will have Apache take care of sessions. This includes support for encrypted sessions, and support for session based authentication. Really have to see how this will all work in more detail. It appears that headers will be used to add data to sessions. This could be a new opportunity to exploit http response splitting. Note that the session information may be stored on the client, not just the server. Unencrypted sessions on the client could pose interesting security issues.
- mod_ssl has been improved to allow it to check for invalid client certificates via OCSP.
Version 2.4.1 is now available for download. I recommend you start testing it, but hold off on using it in production until some of the features have been debugged.
[1] http://httpd.apache.org/docs/2.4/new_features_2_4.html
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Comments