Due to security vulnerabilities with OpenSSL, I've had to recompile Apache 2.4.12 with OpenSSL version 1.0.1m.
The team that controls the web servers doesn't want me to install into the same installation directory, but rather into a separate directory. They then copy config files and whatever they need into the new installation and then start Apache from there. I compiled from source on a separate server, then created a tarball which I dropped onto the actual web servers.

The first time that I did this, I did a "curl --head http://localhost" to verify the OpenSSL version. I got back that the OpenSSL version was still 1.0.1j. So, I recompiled, verified on the server that I used to compile on and verified that OpenSSL 1.0.1m was what was compiled into Apache. I then tarballed everything up, copied it over to the web servers, dropped into place and turned over to the internet team. I was just informed that OpenSSL is still pointed to 1.0.1j.

The only thing that I can think of is that the internet team must have something in a config file somewhere that is actually calling OpenSSL 1.0.1j. Can that be possible? Other than doing a "curl --head http://localhost", how can I tell what version of OpenSSL is being used?

Thanks

Daryl