httpd-users mailing list archives

From Daryl Rose
Subject [users@httpd] Forcing openssl version 1.0.1m
Date Wed, 06 May 2015 16:17:48 GMT
Due to security vulnerabilities with OpenSSL, I've had to recompile Apache 2.4.12 with OpenSSL
version 1.0.1m.
The team that controls the web servers doesn't want me to install into the same installation
directory, but rather into a separate directory.  They then copy config files and whatever
they need into the new installation and then start Apache from there.
I compiled from source on a separate server, then created a tarball which I dropped onto the
actual web servers.  
The first time that I did this, I did a "curl --head http://localhost" to verify the OpenSSL
version.  I got back that the OpenSSL version was still 1.0.1j.  So, I recompiled, verified
on the server that I used to compile on and verified that OpenSSL 1.0.1m was what was compiled
into Apache.  I then tarballed everything up, copied it over to the web servers, dropped into
place and turned over to the internet team.  I was just informed that OpenSSL is still pointed
to 1.0.1j.  
The only thing that I can think of is that the internet team must have something in a config
file somewhere that is actually calling OpenSSL  1.0.1j.  Can that be possible?  Other than
doing a "curl --head http://localhost", how can I tell what version of OpenSSL is being used?
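
One way to check this on the web server itself, as an added example that is not part of the original message: when mod_ssl is dynamically linked, the libssl/libcrypto in use is whichever copy the runtime linker resolves on the host where httpd runs, which need not match the build host. The script compares the OpenSSL version banner embedded in the module and in each library it would load against the expected release; it assumes mod_ssl is built as a shared module, GNU grep and ldd are available, and the path in the usage comment is hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): report which OpenSSL release
# a module was built against and which one it would load on THIS host.

# Print each distinct OpenSSL version banner (e.g. "OpenSSL 1.0.1m") found in a file.
embedded_openssl_versions() {
    LC_ALL=C grep -a -o -E 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*' "$1" | sort -u
}

# Print the libssl/libcrypto paths the dynamic linker resolves for a binary.
resolved_ssl_libs() {
    ldd "$1" 2>/dev/null | awk '/lib(ssl|crypto)\.so/ && $3 ~ /^\// { print $3 }'
}

# check_file FILE EXPECTED   (EXPECTED like "1.0.1m")
# Returns 0 on match, 1 on mismatch, 2 if no banner is present.
check_file() {
    local file=$1 want="OpenSSL $2" found
    found=$(embedded_openssl_versions "$file")
    if [ -z "$found" ]; then
        echo "UNKNOWN  $file (no OpenSSL banner found)"; return 2
    elif [ "$found" = "$want" ]; then
        echo "OK       $file ($found)"; return 0
    else
        echo "MISMATCH $file (found: ${found//$'\n'/, }; want: $want)"; return 1
    fi
}

# check_module MODULE EXPECTED
# Checks the module, then every libssl/libcrypto it resolves to at load time.
check_module() {
    local rc=0 lib
    check_file "$1" "$2" || rc=1
    for lib in $(resolved_ssl_libs "$1"); do
        check_file "$lib" "$2" || rc=1
    done
    return $rc
}

# Usage (hypothetical path):
#   ./check_openssl.sh /opt/apache-2.4.12/modules/mod_ssl.so 1.0.1m
if [ "$#" -eq 2 ]; then
    check_module "$1" "$2"
fi
```

Run it as the same user and with the same environment (for example `LD_LIBRARY_PATH`) that starts httpd, since the linker's search path decides which library file is resolved.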