Yes. Windows Server 2008. Thanks to other vulnerabilities that were apparently located on the last security scan, I have been instructed to upgrade to 1.0.1g. We're currently running a 0.9.8 version. So I really need to find out what needs to be done for Apache to use the newer version of openssl And while on the subject, can anyone tell me why the download page, and mirrors for Apache 2.4.9 and 2.2.27 only contain 2.0.65 and 2.2.25? Jeff, On 4/18/14, 12:23 PM, Cabell, Jeff wrote: > I'm working on doing some upgrade testing to mitigate the Heartbleed > issue and some other vulnerabilities. Part of that is updating > OpenSSL, but I'm a bit confused about something and am hoping that > someone can help me. I've done at least a dozen internet searches and > can't find the answer. It's probably simple, but I'd like to find out > anyway. > > What do I need to do in order to update the version of OpenSSL that is > included in the Apache HTTP server release? I've installed OpenSSL > 1.0.1g on the server, but the older version is still in the apache > /bin directory. Do I simply replace the openssl executable or is > there some kind of change that needs to be made in the httpd.conf file > to point to the newer installation? OS? Since you said "executable" and not "binary", I should assume you are on Windows. If you are using Windows and downloaded the ASF-provided binary, it appears (just from the filename, I did nothing other than look at that) that it ships with OpenSSL 0.9.8y, which is not affected by Heartbleed. If you downloaded the "nossl" package, then you are don't have SSL or you have a separate OpenSSL package that you installed yourself (and it's up to you to figure out how to fix that). -chris * Unknown Key * 0xA53CA458 --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|