Jeff,

On 4/18/14, 12:23 PM, Cabell, Jeff wrote:
> I'm working on doing some upgrade testing to mitigate the Heartbleed
> issue and some other vulnerabilities. Part of that is updating
> OpenSSL, but I'm a bit confused about something and am hoping that
> someone can help me. I've done at least a dozen internet searches
> and can't find the answer. It's probably simple, but I'd like to
> find out anyway.
>
> What do I need to do in order to update the version of OpenSSL that
> is included in the Apache HTTP server release? I've installed
> OpenSSL 1.0.1g on the server, but the older version is still in the
> apache /bin directory. Do I simply replace the openssl executable or
> is there some kind of change that needs to be made in the httpd.conf
> file to point to the newer installation?

OS? Since you said "executable" and not "binary", I should assume you
are on Windows.

If you are using Windows and downloaded the ASF-provided binary, it
appears (just from the filename, I did nothing other than look at
that) that it ships with OpenSSL 0.9.8y, which is not affected by
Heartbleed.

If you downloaded the "nossl" package, then you don't have SSL or you
have a separate OpenSSL package that you installed yourself (and it's
up to you to figure out how to fix that).

-chris