apacheparks
Joined: 10 Dec 2014 Posts: 2 Location: Bedford
Posted: Wed 10 Dec '14 19:24 Post subject: OpenSSL Upgrade
Hi There
I am looking for some advice on upgrading Apache's OpenSSL implementation without upgrading the Apache installation itself. Running Apache/2.2.8 (Win32) mod_ssl/2.2.8 OpenSSL/0.9.8g and wondered if this was possible. Would like to upgrade to latest version of OpenSSL.
Thanks
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Wed 10 Dec '14 21:39 Post subject:
I'll assume that Apache is installed via a .msi from Apache.org.
You may be able to but I am not sure it will do you too much good since the last .msi that was available is 2.2.25 OpenSSL/0.9.8y. 0.9.8 is safe from the HeartBleed attack but 0.9.8y is vulnerable to other things.
Apache 2.2.8 itself is vulnerable to the range headers attack (fixed in 2.2.20) which can bring down not just Apache but the entire computer requiring a reboot to recover.
Heck, look at this, not all of the SECURITY issues listed will affect you but some of the most egregious ones will. http://www.apache.org/dist/httpd/CHANGES_2.2
What is your concern about upgrading Apache?
apacheparks
Joined: 10 Dec 2014 Posts: 2 Location: Bedford
Posted: Thu 11 Dec '14 11:58 Post subject:
Hi there
Thanks for the response. I can't upgrade the Apache version as we have an out of support application and the vendor says the Apache upgrade will break it! They are happy that the OpenSSL upgrade would be okay. The reason for the OpenSSL upgrade is that it was flagged up in a recent pen test and needs remediating.
I have read that someone just copied down the new OpenSSL files:
libeay32.dll
ssleay32.dll
openssl.exe
in the \Apache\bin\ directory
Thanks
ng4win
Joined: 25 May 2014 Posts: 78
Posted: Thu 11 Dec '14 14:58 Post subject:
As far as I remember mod_ssl needs to be compiled against openssl of the same version, just replacing the binaries might not work.
The easiest solution is to backport apache, upgrade openssl and recompile, or put nginx in front of it
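An added example, not part of the thread or of any poster's reply: a small Python check that parses a Server banner in the format quoted in the first post and compares it with the versions glsmith cites (range-header fix in 2.2.20, OpenSSL 0.9.8y in the last .msi). The function names and the second and third sample banners are constructed for illustration; the Heartbleed range 1.0.1 through 1.0.1f comes from the public OpenSSL advisory, not from the thread.

```python
import re

# Thresholds stated in the thread; the HEARTBLEED range is from the public advisory.
RANGE_FIX = (2, 2, 20)        # httpd release with the range-header fix
LAST_MSI_OPENSSL = "0.9.8y"   # OpenSSL bundled with the last 2.2 .msi (2.2.25)
HEARTBLEED = ("1.0.1", "1.0.1f")

def parse_banner(banner):
    """Return {product: version} for each product/version token in a Server banner."""
    return dict(re.findall(r"([A-Za-z_]+)/(\S+)", banner))

def httpd_key(version):
    """Numeric sort key for an httpd version such as 2.2.8."""
    return tuple(int(n) for n in re.findall(r"\d+", version)[:3])

def openssl_key(version):
    """Sort key for letter-suffixed OpenSSL versions: 0.9.8g < 0.9.8y < 0.9.8za."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, fix, letters = m.groups()
    # Suffixes run a..z, then za, zb, ...: compare length before the letters.
    return (int(major), int(minor), int(fix), len(letters), letters)

def review(banner):
    """Return a list of findings for one banner string."""
    parts, findings = parse_banner(banner), []
    httpd, ssl = parts.get("Apache"), parts.get("OpenSSL")
    if httpd and httpd_key(httpd) < RANGE_FIX:
        findings.append(f"httpd {httpd} predates the range-header fix in 2.2.20")
    if ssl:
        key = openssl_key(ssl)
        if key < openssl_key(LAST_MSI_OPENSSL):
            findings.append(f"OpenSSL {ssl} is older than {LAST_MSI_OPENSSL}")
        if openssl_key(HEARTBLEED[0]) <= key <= openssl_key(HEARTBLEED[1]):
            findings.append(f"OpenSSL {ssl} is in the Heartbleed-affected range")
    return findings

if __name__ == "__main__":
    samples = [
        "Apache/2.2.8 (Win32) mod_ssl/2.2.8 OpenSSL/0.9.8g",    # banner from the thread
        "Apache/2.2.8 (Win32) mod_ssl/2.2.8 OpenSSL/0.9.8zc",   # constructed: after a DLL swap
        "Apache/2.2.25 (Win32) mod_ssl/2.2.25 OpenSSL/1.0.1e",  # constructed
    ]
    for s in samples:
        print(s, "->", review(s) or ["no findings"])
```

The banner only shows what the server chooses to report and can be shortened with the ServerTokens directive, so this works as a quick inventory check rather than proof of what is loaded.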
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA