On Sunday 13 April 2014 21:32:12 Nick Kew wrote:
> On 14 Apr 2014, at 00:34, John Iliffe wrote:
>
> > Here I am assuming that you are not using the O/S supplied OpenSSL
> > version and that you are either updating Apache or don't have OpenSSL
> > linked dynamically.
>
Nick:

I'm not trying to be a pain in the ass here, I really do like Apache and it
works well. I wasn't using the OpenSSL supplied by Red Hat as the
maintenance contract for it has expired, so basically, I'm on my own. I
think you might find that many small companies like ours are in the same
position. Someone suggested exactly what you do here but it didn't work,
and not knowing whether OpenSSL was dynamically linked (it is) when the
update didn't work I made the wrong assumption (not dynamically linked,
which was wrong). My only defence is that I'm not a web specialist, or even
very knowledgeable about it.

> Aren't those assumptions alone sufficiently unusual (even idiosyncratic)
> to take you beyond the scope of what Apache docs might reasonably be
> expected to cover?
>
> For the regular user, you would just replace your vulnerable openssl
> version in-situ. If it was O/S-supplied then use the relevant package
> manager; if it's your own build then upgrade that. Either way, apache
> is unaffected unless you did rather more than just replace a bleeding
> heart OpenSSL version with a newly-patched one.
>
> > Probably the most useful advice in your post, for those who might have
> > vulnerable OpenSSL versions floating around, is how to check:
> > Start Apache (apachectl -k start) and HTTPD should come up. Now do:
> >
> > head /path to logfiles/error_log
> >
> > and check that the start message shows that the correct version of
> > OpenSSL started. It is shown on the first line of the new log, just
> > ahead of the command line for the starting httpd.
>
Good question. I would suggest in the SSL/TLS How-to at the end of the
Basic Configuration Example section.

Something to the effect that on first start up one should check that the
version of OpenSSL that starts is the correct one. That also takes care of
the situation where there is an error in the Apache configuration that is
not caught.

> I guess a note to that effect in our docs could indeed benefit the
> worried. Where do you think would be a good place for such a note?
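The error_log check described in the thread, as an added shell example that is not part of the original messages: it pulls the OpenSSL version out of the httpd startup line and compares it with the version you expect, so a restart that silently picked up an old shared library is caught. The sample log lines are constructed in the Apache 2.4 startup format; the log path and the expected version are assumptions passed in as arguments.

```shell
#!/bin/sh
# Added example: verify which OpenSSL httpd actually started with by
# reading the startup notice in error_log. The two log lines below are
# constructed sample data in the Apache 2.4 format, not a real log.
LOG=$(mktemp)
cat >"$LOG" <<'EOF'
[Mon Apr 14 09:00:00.123456 2014] [mpm_prefork:notice] [pid 1234] AH00163: Apache/2.4.9 (Unix) OpenSSL/1.0.1e configured -- resuming normal operations
[Mon Apr 14 09:00:00.123789 2014] [core:notice] [pid 1234] AH00094: Command line: '/usr/local/apache2/bin/httpd'
EOF

# Print the OpenSSL/x.y.z token from the most recent startup notice in $1.
# Prints nothing if no startup line carrying an OpenSSL version is present.
openssl_version_from_log() {
    grep 'configured -- resuming normal operations' "$1" | tail -n 1 \
        | sed -n 's/.*OpenSSL\/\([0-9][0-9A-Za-z.]*\).*/\1/p'
}

# Compare the logged version with the expected one ($2).
# Returns 0 on match, 1 on mismatch, 2 if no startup line was found.
check_openssl_version() {
    found=$(openssl_version_from_log "$1")
    if [ -z "$found" ]; then
        echo "no httpd startup line with an OpenSSL version in $1" >&2
        return 2
    fi
    if [ "$found" = "$2" ]; then
        echo "httpd started with OpenSSL $found (as expected)"
        return 0
    fi
    echo "httpd started with OpenSSL $found, expected $2" >&2
    return 1
}

# Sample log reports 1.0.1e, so expecting 1.0.1g (assumed target) reports a
# mismatch; after a real upgrade, re-run with the path to your error_log.
check_openssl_version "$LOG" 1.0.1g || echo "restart httpd or fix the library path"
```

Run it against the real file with `check_openssl_version /path/to/error_log <expected-version>` after `apachectl -k start`; a non-zero exit means the running httpd is not using the OpenSSL you installed.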