httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From John Iliffe <john.ili...@iliffe.ca>
Subject Re: [users@httpd] Forcing openssl version 1.0.1m
Date Thu, 07 May 2015 00:26:56 GMT
Look at the first entry in the error log when you restart Apache.  It should 
show the version of OpenSSL and whether it started properly.

John
========================================
On Wednesday 06 May 2015 12:17:48 Daryl Rose wrote:
> Do to security vulnerabilities with OpenSSL, I've had to recompile
> Apache 2.4.12 with OpenSSL version 1.0.1.m. The team that controls the
> web servers doesn't want me to install into the same installation
> directory, but rather into a separate directory.  They then copy config
> files and whatever they need into the new installation and then start
> Apache from there. I compiled from source on a separate server, then
> created a tarball which I dropped onto the actual web servers. The
> first time that I did this, I did a "curl --head http://localhost" to
> verify the OpenSSL version.  I got back that the OpenSSL version was
> still 1.0.1j.  So, I recompiled, verified on the server that I used to
> compile on and verified that OpenSSL 1.0.1m was what was compiled into
> Apache.  I then tarballed everything up, copied it over to the web
> servers, dropped into place and turned over to the internet team.  I
> was just informed that OpenSSL is still pointed to 1.0.1j. The only
> thing that I can think of is that the internet team must have something
> in a config file somewhere that is actually calling OpenSSL  1.0.1j. 
> Can that be possible?  Other than doing a "curl --head
> http://localhost", how can I tell what version of OpenSSL is being
> used? Thanks
> Daryl

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message