Topic: Critical Security Vulnerability: Upgrade to OpenSSL 1.0.1g (Page 2)

mparamas
Joined: 09 Apr 2014
Posts: 1
Location: US/Indianapolis

Posted: Wed 09 Apr '14 20:42    Post subject: PHP 5.5.11 with OpenSSL 1.0.1f

admin wrote:
Stop apache and/or apachemonitor

Copy all files over, except (config) files you changed

Start apache


Thanks. Updated from Apache2.4.8. Now I have:
Apache/2.4.9 (Win64) OpenSSL/1.0.1g PHP/5.5.11
(Everything works without having to get CA certificates re-issued.)

However PHP 5.5.11 reports 1.0.1f in OpenSSL Header Version, as shown below:

OpenSSL support enabled
OpenSSL Library Version OpenSSL 1.0.1g 7 Apr 2014
OpenSSL Header Version OpenSSL 1.0.1f 6 Jan 2014

I am bringing this to your attention.

Qmpeltaty
Joined: 06 Feb 2008
Posts: 182
Location: Poland

Posted: Thu 10 Apr '14 21:14

admin wrote:
Stop apache and/or apachemonitor

Copy all files over, except (config) files you changed

Start apache


I have a few 2.4.3 instances which I would like not to upgrade to 2.4.9 but fix OpenSSL only. Should I replace the DLLs only, or mod_ssl.so as well?

Steffen
Moderator
Joined: 15 Oct 2005
Posts: 3049
Location: Hilversum, NL, EU

Posted: Thu 10 Apr '14 21:27

For the Heartbleed bug you should be fine by only replacing the DLLs. (I removed the note.) Must say that I did not test it.

Btw, upgrading by copying 2.4.9 over costs the same time. And 2.4.9 has huge fixes/improvements over 2.4.3.

Qmpeltaty
Joined: 06 Feb 2008
Posts: 182
Location: Poland

Posted: Thu 10 Apr '14 21:49

You are right, Steffen, about the cost/time of upgrade. The problem is that I had quite a complicated configuration with a lot of different modules and I'm not sure of their stability under 2.4.9. As you probably know (because of my posts on this forum), most of my instances are under heavy load; I would like to avoid unnecessary downtime because of unstable or improperly working modules etc.

Should I also change the mod_ssl.so file?

Would it be compatible/stable if I take mod_ssl.so from 2.4.9, which is V11 compiled, and use it with 2.4.3, which is V10 (or V9?) compiled?

Steffen
Moderator
Joined: 15 Oct 2005
Posts: 3049
Location: Hilversum, NL, EU

Posted: Thu 10 Apr '14 21:54

I meant take only the DLLs and EXEs in the /bin folder from the 1.0.1g zip with date April 2014. Do not mix VC10 and VC11 in this case.

Qmpeltaty
Joined: 06 Feb 2008
Posts: 182
Location: Poland

Posted: Thu 10 Apr '14 22:01

OK. Last question: I have the 2.4.3-x64 version (built Aug/18/2012 from apachelounge) with 1.0.1c SSL. Is it enough to replace libeay32.dll, ssleay32.dll and openssl.exe in the bin directory with the DLLs and EXE from 2.4.9 x64?

glsmith
Moderator
Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

Posted: Thu 10 Apr '14 23:04

I do not think that works because mod_ssl is also linked against libeay32 & ssleay32 DLLs. So take modules/mod_ssl also .... you will gain the changes to it as well.

Qmpeltaty
Joined: 06 Feb 2008
Posts: 182
Location: Poland

Posted: Thu 10 Apr '14 23:27

Should I take files from 2.4.9 V10 or V11?

Edit: When I tried replacing the mod_ssl.so with the DLLs and EXE, I got this error:

Code:

httpd.exe: Syntax error on line 162 of C:/Apache24/conf/httpd.conf: Cannot l
modules/mod_ssl.so into server: The specified procedure could not be found.


I had left the mod_ssl.so untouched, upgrading the dlls and exe only - it worked.

Update:

1. Upgrade 2.4.3 64bit V10: not working with DLLs+EXE from 2.4.9 64bit V11.

2. Upgrade 2.4.9 64bit V11 (SSL 1.0.1f): working with DLLs+EXE from 2.4.9 64bit V11 (SSL 1.0.1g).

BTW: Really nice article about this issue - http://www.troyhunt.com/2014/04/everything-you-need-to-know-about.html


Last edited by Qmpeltaty on Fri 11 Apr '14 0:32; edited 2 times in total

glsmith
Moderator
Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

Posted: Fri 11 Apr '14 0:05

I always advise matching VC versions, regardless of what MS or anyone may say. So if your 2.4.3 is built with VC10, use the 2.4.9 VC10.

However, if that is what you did which did not work, and just upgrading the OpenSSL files worked, stick with that then.

NewEraCracker
Joined: 23 Aug 2010
Posts: 36

Posted: Sat 12 Apr '14 1:54

Hello,

Thanks for the update. I have applied it in my server without any problems.

From what I could see from a quick compare, the files that were changed in distribution are:
abs.exe
libeay32.dll
openssl.exe
ssleay32.dll
modules/mod_ssl.so

Regards,
NewEraCracker
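
Added example (not part of the thread and not Apache Lounge tooling): a Python audit that reads the version banner embedded in each binary and separates the DLLs that carry the TLS code from files that only record the headers they were compiled against, which is the Library/Header split PHP reports earlier in this thread. The directory layout and file contents in `demo()` are constructed, dynamically linked builds are assumed, and the affected range (1.0.1 through 1.0.1f) is taken from OpenSSL's advisory for this bug.

```python
import re
import tempfile
from pathlib import Path

# Version banner OpenSSL embeds in binaries, e.g. b"OpenSSL 1.0.1g 7 Apr 2014"
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*) +\d{1,2} [A-Z][a-z]{2} \d{4}")
# Per the thread, mod_ssl.so links against these two DLLs; they hold the TLS code.
LIBRARY_DLLS = {"libeay32.dll", "ssleay32.dll"}

def heartbleed_affected(version):
    """True for OpenSSL 1.0.1 through 1.0.1f; 1.0.1g is the fixed release."""
    m = re.fullmatch(r"1\.0\.1([a-z]?)", version)
    return bool(m) and m.group(1) < "g"

def audit(root):
    """Return (relative path, banner version, verdict) for binaries under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in {".dll", ".exe", ".so"}:
            continue
        versions = {m.group(1).decode() for m in BANNER.finditer(path.read_bytes())}
        for version in sorted(versions):
            if not heartbleed_affected(version):
                verdict = "ok"
            elif path.name.lower() in LIBRARY_DLLS:
                verdict = "REPLACE: affected library"
            else:
                # Compile-time string only (the PHP "Header Version" case).
                verdict = "note: built against affected headers"
            findings.append((path.relative_to(root).as_posix(), version, verdict))
    return findings

def demo():
    """Build a constructed tree (fake binaries, not real DLLs) and audit it."""
    sample = {
        "Apache24/bin/libeay32.dll": b"\x00OpenSSL 1.0.1g 7 Apr 2014\x00",
        "Apache24/bin/ssleay32.dll": b"\x00SSLv3 part of OpenSSL 1.0.1g 7 Apr 2014\x00",
        "php/ext/php_openssl.dll": b"\x00OpenSSL 1.0.1f 6 Jan 2014\x00",
        "php/libeay32.dll": b"\x00OpenSSL 1.0.1c 10 May 2012\x00",  # stale copy
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, blob in sample.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(blob)
        return audit(tmp)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A banner is only a version string, so confirm any finding against the Library Version the running server or PHP reports after the restart.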

CamaroSS
Joined: 24 Jan 2013
Posts: 78
Location: RF, Tver

Posted: Wed 16 Apr '14 8:30

Just curious, if this issue has any practical meaning with Apache on Windows, since there is one thread per connection?