logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Hearbleed vulnerable on graceful restart after upgrade
Author
cin_adm



Joined: 24 Apr 2014
Posts: 3
Location: India

PostPosted: Thu 24 Apr '14 14:13    Post subject: Hearbleed vulnerable on graceful restart after upgrade Reply with quote

Hi,

I need some help on heartbleed related issue. After hartbleed vulnerability i have recompiled apache 2.4 with latest opessl (version 1.0.1g) using --with openssl configure switch. It worked fine and my server is now not vulnerable. But when i do a graceful restart it will become vulnerable again even though apachectl restart or start/stop works fine. How can i need to make graceful restart work with the new openssl. It is used by log rotation.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Thu 24 Apr '14 18:25    Post subject: Reply with quote

Did you install OpenSSL on your system as shared or just in apache?
Back to top
cin_adm



Joined: 24 Apr 2014
Posts: 3
Location: India

PostPosted: Fri 25 Apr '14 7:50    Post subject: Hearbleed vulnerable on graceful restart after upgrade Reply with quote

I installed openssl from source in the system and recompiled apache24 with new openssl source.

apachectl restart is fine but apachectl graceful and even sending a hup signal to already running process (not vulnerable) will make it heartbleed vulnerabile.

graceful is supposed to re read conf only right? I don’t know how this is happening on graceful restart
Back to top
jraute



Joined: 13 Sep 2013
Posts: 188
Location: Rheinland, Germany

PostPosted: Fri 25 Apr '14 10:52    Post subject: Reply with quote

My tests with a graceful restart do not show any problems towards heartbleed. But i didn't compile it myself.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Fri 25 Apr '14 12:37    Post subject: Re: Hearbleed vulnerable on graceful restart after upgrade Reply with quote

cin_adm wrote:

graceful is supposed to re read conf only right?


Nope. It means that apache will serv all current connections and restart instead of restarting in the very moment. The default (ASF) apachectl can't just reload the config.

Some distros have a reload in the apachectl script which does a killproc httpd -HUP
Back to top
cin_adm



Joined: 24 Apr 2014
Posts: 3
Location: India

PostPosted: Fri 25 Apr '14 21:26    Post subject: Reply with quote

if we send kill -HUP signal to a running process also it will become vulnerable again. Do you think it is an issue with the libraries ?
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Tue 29 Apr '14 15:14    Post subject: Reply with quote

I guess you have an issue with your libs. if you compile apache yourself you have the option to compile SSL static into apache.
Back to top


Reply to topic   Topic: Hearbleed vulnerable on graceful restart after upgrade View previous topic :: View next topic
Post new topic   Forum Index -> Apache