Mailing List Archive: Apache: Users

Upgrading OpenSSL without upgrading Apache. Can it be done???

Index | Next | Previous | View Threaded

BFinkeldei at aaamissouri

Apr 24, 2012, 1:02 PM

Post #1 of 6 (430 views)
Permalink

Upgrading OpenSSL without upgrading Apache. Can it be done???

I have installed Apache HTTP Server with OpenSSL 0.9.8t (MSI Installer)
From the Apache.org Site.

Here is the file I downloaded and installed:
httpd-2.2.22-win32-x86-openssl-0.9.8t.msi

I want to upgrade OpenSSL on that machine without having to upgrade Apache
too.

How do I do that? step by step? Do i just need to get the binaries and
install them over the old files?
If so what files and locations, etc.. Never done it before and not sure
what to do.

Thanks,

Brad Finkeldei

mailinglist at theflux

Apr 24, 2012, 1:09 PM

Post #2 of 6 (406 views)
Permalink

Re: Upgrading OpenSSL without upgrading Apache. Can it be done??? [In reply to]

I'm assuming you're using some sort of Windows operating system. I haven't done one in a few years, but I would assume the 1.0 version from http://slproweb.com/products/Win32OpenSSL.html should work like installing any other Windows Installer. If someone else can't answer this, I'd suggest setting up a virtual environment and giving it a try before doing it on a production system.

On Apr 24, 2012, at 4:02 PM, BFinkeldei [at] aaamissouri wrote:

>
> I have installed Apache HTTP Server with OpenSSL 0.9.8t (MSI Installer) From the Apache.org Site.
>
> Here is the file I downloaded and installed: httpd-2.2.22-win32-x86-openssl-0.9.8t.msi
>
> I want to upgrade OpenSSL on that machine without having to upgrade Apache too.
>
> How do I do that? step by step? Do i just need to get the binaries and install them over the old files?
> If so what files and locations, etc.. Never done it before and not sure what to do.
>
> Thanks,
>
> Brad Finkeldei

BFinkeldei at aaamissouri

Apr 24, 2012, 1:17 PM

Post #3 of 6 (410 views)
Permalink

Re: Upgrading OpenSSL without upgrading Apache. Can it be done??? [In reply to]

TFML, Thanks for the info.

Yes I am on windows server 2003.... that looks like a great way to start
if you already have things seperated bu this is a combined version of
Apache and OpenSSL.... So, I am not sure.. I want to see if anyone else
knows?

TFML <mailinglist [at] theflux>
04/24/2012 03:09 PM
Please respond to
users [at] httpd

To
users [at] httpd
cc

Subject
Re: [users [at] http] Upgrading OpenSSL without upgrading Apache. Can it be
done???

I'm assuming you're using some sort of Windows operating system. I
haven't done one in a few years, but I would assume the 1.0 version from
http://slproweb.com/products/Win32OpenSSL.html should work like installing
any other Windows Installer. If someone else can't answer this, I'd
suggest setting up a virtual environment and giving it a try before doing
it on a production system.

On Apr 24, 2012, at 4:02 PM, BFinkeldei [at] aaamissouri wrote:

I have installed Apache HTTP Server with OpenSSL 0.9.8t (MSI Installer)
From the Apache.org Site.

Here is the file I downloaded and installed:
httpd-2.2.22-win32-x86-openssl-0.9.8t.msi

I want to upgrade OpenSSL on that machine without having to upgrade Apache
too.

How do I do that? step by step? Do i just need to get the binaries and
install them over the old files?
If so what files and locations, etc.. Never done it before and not sure
what to do.

Thanks,

Brad Finkeldei

wrowe at rowe-clan

Apr 24, 2012, 1:49 PM

Post #4 of 6 (404 views)
Permalink

Re: Upgrading OpenSSL without upgrading Apache. Can it be done??? [In reply to]

On 4/24/2012 3:09 PM, TFML wrote:
> I'm assuming you're using some sort of Windows operating system. I haven't done one in a
> few years, but I would assume the 1.0 version
> from http://slproweb.com/products/Win32OpenSSL.html should work like installing any other
> Windows Installer. If someone else can't answer this, I'd suggest setting up a virtual
> environment and giving it a try before doing it on a production system.

Just as on unix, you can never drop in a x.y.n change with a new x value.
That's called a major bump and usually does not work.

OP could obtain a 0.9.8X flavor later than 0.9.8t and aught to be fine so long
as no special build options were changed, and it was built to run against
msvcrt.dll (the *system* c library). It's the same quandry as on Ubuntu with
glibc vs eglibc packages.

If OP reviewed the patch release notes, they would be aware that an upgrade
is unnecessary between 0.9.8t and 0.9.8w for anyone running httpd 2.2. The
new features in httpd 2.4 were vulnerable to issues there, however.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd

BFinkeldei at aaamissouri

Apr 24, 2012, 2:05 PM

Post #5 of 6 (405 views)
Permalink

Re: Upgrading OpenSSL without upgrading Apache. Can it be done??? [In reply to]

Great thanks for the info!

Where can I find out when apache.org will be bundling the latest version
of OpenSSL with apache? PCI compliance calls for using level "u" as of
today.

Brad Finkeldei

"William A. Rowe Jr." <wrowe [at] rowe-clan>
04/24/2012 03:49 PM
Please respond to
users [at] httpd

To
users [at] httpd
cc

Subject
Re: [users [at] http] Upgrading OpenSSL without upgrading Apache. Can it be
done???

On 4/24/2012 3:09 PM, TFML wrote:
> I'm assuming you're using some sort of Windows operating system. I
haven't done one in a
> few years, but I would assume the 1.0 version
> from http://slproweb.com/products/Win32OpenSSL.html should work like
installing any other
> Windows Installer. If someone else can't answer this, I'd suggest
setting up a virtual
> environment and giving it a try before doing it on a production system.

Just as on unix, you can never drop in a x.y.n change with a new x value.
That's called a major bump and usually does not work.

OP could obtain a 0.9.8X flavor later than 0.9.8t and aught to be fine so
long
as no special build options were changed, and it was built to run against
msvcrt.dll (the *system* c library). It's the same quandry as on Ubuntu
with
glibc vs eglibc packages.

If OP reviewed the patch release notes, they would be aware that an
upgrade
is unnecessary between 0.9.8t and 0.9.8w for anyone running httpd 2.2. The
new features in httpd 2.4 were vulnerable to issues there, however.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd

wrowe at rowe-clan

Apr 24, 2012, 2:21 PM

Post #6 of 6 (402 views)
Permalink

Re: Upgrading OpenSSL without upgrading Apache. Can it be done??? [In reply to]

On 4/24/2012 4:05 PM, BFinkeldei [at] aaamissouri wrote:
>
> Great thanks for the info!
>
> Where can I find out when apache.org will be bundling the latest version of OpenSSL with
> apache? PCI compliance calls for using level "u" as of today.

If you had read the notices from the OpenSSL project you would be aware
that the particular flaws in openssl 0.9.8 .u, .v and .w do not pertain
to the operation or deployment of httpd 2.2.x. They do apply to the
operation of httpd 2.4, and adminstrators of 2.4 should upgrade ASAP.
(And if you were running 2.3-beta, upgrading httpd to 2.4 would be a very
wise move as well for httpd security flaws).

AFAIK only the windows binary 'bundles' openssl. As that binary is not
affected it will not be updated, certainly not unless an httpd 2.2.23 is
released.

The ASF provides binaries only as a convenience and at our leisure; if
you are professionally responsible for an installation of httpd, openssl
and so forth which you refuse to compile yourself, you would probably
benefit from contracting for the services you are demanding. The ASF
is here to collaboratively produce source code.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads