I am creating a test server that is vulnerable to the heartbleed bug.
My server is running Apache 2.4 on a FreeBSD VM. By default, FreeBSD seems to have OpenSSL 0.9.8 installed. I tried to uninstall OpenSSL from the ports, but since I didn't install it via ports (it came by default) I could not uninstall it that way.
Then I tried to just ignore it and installed OpenSSL 1.0.1 from source; but when I restarted the apache server and checked the site using curl --head 127.0.0.1,
"OpenSSL 0.9.8" was displayed.
Then I tried to reinstall/reconfigure apache but the same test yielded "OpenSSL 0.9.8".
So, I tried to replace the default OpenSSL like so:
– installed a newer OpenSSL via ports (in an attempt to replace the default version)
– make uninstall-ed the port-installed OpenSSL (in an attempt to erase the default OpenSSL completely)
– with my source-install the only one left, I figured that this had to have changed it
– the test still yielded "OpenSSL 0.9.8" (sadness)
So, why is it still displaying "OpenSSL 0.9.8"?
I also want to change the website to use OpenSSL 1.0.1, so advice on that would be helpful.
Best Answer
The missing step is that you must tell the system that you want to use OpenSSL from ports over the one from the base system:
– build OpenSSL from ports
– create /etc/make.conf (or add to it) with the following line:
– then re-install all the other modules needing OpenSSL (devel/apr1, www/apache24, ...)
– you can check the OpenSSL lib used by apache24 (in fact the apache24 mod_ssl module):
The apache24 mod_ssl is now using the OpenSSL library from the ports.
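As an added example (not code from the thread above), a shell check for the last step of the answer: it reads ldd output for the apache24 mod_ssl module, decides whether libssl resolves to the base system or to ports, and reports whether that OpenSSL version falls in the Heartbleed-affected range (1.0.1 through 1.0.1f). The module path /usr/local/libexec/apache24/mod_ssl.so, the openssl binary paths and the sample ldd lines are assumptions/constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): decide which OpenSSL the
# apache24 mod_ssl module really links against and whether that version is
# in the Heartbleed-affected range. Paths below are assumptions for FreeBSD.

# Constructed ldd lines, in the format FreeBSD prints, for offline demonstration.
LDD_BASE='libssl.so.6 => /usr/lib/libssl.so.6 (0x800c00000)'
LDD_PORTS='libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800c00000)'

# Read ldd output on stdin; print "base" if libssl resolves under /usr/lib,
# "ports" if under /usr/local/lib, "unknown" otherwise.
libssl_origin() {
    awk '
        $1 ~ /^libssl\.so/ && $2 == "=>" {
            if (index($3, "/usr/local/lib/") == 1) print "ports"
            else if (index($3, "/usr/lib/") == 1) print "base"
            else print "unknown"
            found = 1; exit
        }
        END { if (!found) print "unknown" }'
}

# OpenSSL 1.0.1 through 1.0.1f ship the vulnerable heartbeat handler;
# 0.9.8, 1.0.0 and 1.0.1g or later do not.
heartbleed_status() {
    case "$1" in
        1.0.1|1.0.1[a-f]) echo "affected" ;;
        *)                echo "not-affected" ;;
    esac
}

# Live check: run ldd on the module and ask the matching openssl binary
# for its version. Module and binary paths are assumptions.
check_mod_ssl() {
    mod="${1:-/usr/local/libexec/apache24/mod_ssl.so}"
    origin=$(ldd "$mod" | libssl_origin)
    case "$origin" in
        ports) ver=$(/usr/local/bin/openssl version | awk '{print $2}') ;;
        base)  ver=$(/usr/bin/openssl version | awk '{print $2}') ;;
        *)     echo "cannot tell which libssl $mod uses"; return 1 ;;
    esac
    echo "$mod -> $origin OpenSSL $ver ($(heartbleed_status "$ver"))"
}

# Offline demonstration on the constructed lines.
printf '%s\n' "$LDD_BASE"  | libssl_origin   # base
printf '%s\n' "$LDD_PORTS" | libssl_origin   # ports
heartbleed_status 1.0.1e                      # affected
```

Run `check_mod_ssl` on the FreeBSD host itself after rebuilding the ports; a result of "base" means the make.conf step did not take effect for that module.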