top button
Flag Notify
Site Registration

[HeartBleed] Apache and Upgrading OpenSSL

+1 vote
529 views

I'm working on doing some upgrade testing to mitigate the Heartbleed issue and some other vulnerabilities. Part of that is updating OpenSSL, but I'm a bit confused about something and am hoping that someone can help me. I've done at least a dozen internet searches and can't find the answer. It's probably simple, but I'd like to find out anyway.

What do I need to do in order to update the version of OpenSSL that is included in the Apache HTTP server release? I've installed OpenSSL 1.0.1g on the server, but the older version is still in the apache /bin directory. Do I simply replace the openssl executable or is there some kind of change that needs to be made in the httpd.conf file to point to the newer installation?

posted Apr 18, 2014 by Bob Wise

Share this question
Facebook Share Button Twitter Share Button LinkedIn Share Button

1 Answer

+1 vote

Since you said "executable" and not "binary", I should assume you are on Windows. If you are using Windows and downloaded the ASF-provided binary, it appears (just from the filename, I did nothing other than look at that) that it ships with OpenSSL 0.9.8y, which is not affected by Heartbleed.

If you downloaded the "nossl" package, then you are don't have SSL or you have a separate OpenSSL package that you installed yourself (and it's up to you to figure out how to fix that).

answer Apr 18, 2014 by Satish Mishra
Similar Questions
+1 vote

We have Apache 2.2.22 (Win32) on a Windows 2008 64 bit server. It currently has OpenSSL 0.9.8.

We are trying to apply the OpenSSL 1.0.1h on the same, after applying the open SSL and copying the relevant files to the bin directory of apache server, we are not able to start the server. It gives an mod_sso error.

Any Suggestions?

+2 votes

I am trying to compile httpd-2.4.7 from source, but i get the following error

"#error mod_ssl requires OpenSSL 0.9.8a or later"

But my installed openssl version is openssl-1.0.1e and I have specified it --with-ssl option.
Any suggestions?

+1 vote

My custom openssl engine works fine, tested it many times. I wanted to test it using mod_ssl, but needed a patch to enable dynamic engine support.
Now the problem is, I get a segmentation fault, whenever rsa methods in my custom openssl engine is called. I am using apache 2.4, and openssl 0.9.8e. Has anyone experienced it before?

...