httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Kew <>
Subject Re: [users@httpd] mod ssl
Date Mon, 14 Apr 2014 01:32:12 GMT

On 14 Apr 2014, at 00:34, John Iliffe wrote:

> Here I am assuming that you are not using the O/S supplied OpenSSL version 
> and that you are either updating Apache or don't have OpenSSL linked 
> dynamically.

Aren't those assumptions alone sufficiently unusual (even idiosyncratic)
to take you beyond the scope of what Apache docs might reasonably be
expected to cover?

For the regular user, you would just replace your vulnerable openssl
version in-situ.  If it was O/S-supplied then use the relevant package
manager; if it's your own build then upgrade that.  Either way, apache
is unaffected unless you did rather more than just replace a bleeding
heart OpenSSL version with a newly-patched one.

Probably the most useful advice in your post, for those who might have
vulnerable OpenSSL versions floating around, is how to check:

> Start Apache (apachectl -k start) and HTTPD should come up.  Now do:
> head /path to logfiles/error_log
> and check that the start message shows that the correct version of OpenSSL 
> started.  It is shown on the first line of the new log, just ahead of the 
> command line for the starting httpd.

I guess a note to that effect in our docs could indeed benefit the worried.
Where do you think would be a good place for such a note?

Nick Kew

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message