FreeBSD – Why is the server displaying OpenSSL 0.9.8 when I have OpenSSL 1.0.1 installed

apache-2.4, freebsd, openssl

I am creating a test server that is vulnerable to the heartbleed bug.

My server is running Apache 2.4 on a FreeBSD VM. FreeBSD seems to have OpenSSL 0.9.8 installed by default. I tried to uninstall OpenSSL from the ports, but since I didn't install it via ports (it came by default) I could not uninstall it that way.

Then I tried to just ignore it and installed OpenSSL 1.0.1 from source, but when I restarted the Apache server and checked the site using `curl --head 127.0.0.1`, "OpenSSL 0.9.8" was displayed.

Then I tried to reinstall/reconfigure Apache, but the same test yielded "OpenSSL 0.9.8".

So, I tried to replace the default OpenSSL like so:
– installed a newer OpenSSL via ports (in an attempt to replace the default version)
– ran `make uninstall` on the port-installed OpenSSL (in an attempt to erase the default OpenSSL completely)
– with my source install the only one left, I figured that this had to have changed it
– the test still yielded "OpenSSL 0.9.8" (sadness)

So, why is it still displaying "OpenSSL 0.9.8"?

I also want to change the website to use OpenSSL 1.0.1, so advice on that would be helpful.

Best Answer

The missing step is that you must tell the system that you want to use OpenSSL from ports rather than the one from the base system:

  • build OpenSSL from ports

  • create /etc/make.conf (or add to it) the following line:

    WITH_OPENSSL_PORT=yes

  • then reinstall all the other modules needing OpenSSL (devel/apr1, www/apache24, ...)

  • you can check the OpenSSL lib used by apache24 (in fact the apache24 mod_ssl module):

    # ldd /usr/local/libexec/apache24/mod_ssl.so | grep ssl
    /usr/local/libexec/apache24/mod_ssl.so:
            libssl.so.8 => /usr/local/lib/libssl.so.8 (0x801634000)
    

    The apache24 mod_ssl is now using the OpenSSL library from the ports.
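The ldd check from the answer, turned into a small script that classifies which OpenSSL tree mod_ssl is linked against and whether make.conf opts into the ports version. This is an added example, not code from the answer; the ldd output samples are constructed, and it also flags a "mixed" link (libssl from one tree, libcrypto from the other), which the answer does not cover.

```shell
#!/bin/sh
# Added example: decide whether apache24's mod_ssl.so is linked against the
# base-system OpenSSL (/usr/lib, /lib) or the ports one (/usr/local/lib).
# Takes the text of `ldd` output as its argument, so it can be tested offline.
# Prints one of: ports | base | mixed | none
classify_openssl_source() {
    printf '%s\n' "$1" | awk '
        /lib(ssl|crypto)\.so/ && $2 == "=>" {
            n++                                  # every libssl/libcrypto line
            if ($3 ~ /^\/usr\/local\/lib\//) p++ # ...that resolves to ports
        }
        END {
            if (n == 0)      print "none"
            else if (p == n) print "ports"
            else if (p == 0) print "base"
            else             print "mixed"       # inconsistent link, rebuild
        }'
}

# Does make.conf (default /etc/make.conf) enable WITH_OPENSSL_PORT=yes?
# Comment lines are ignored. Prints: yes | no
make_conf_uses_port_openssl() {
    _conf=${1:-/etc/make.conf}
    if [ -r "$_conf" ] && grep -Eq \
        '^[[:space:]]*WITH_OPENSSL_PORT[[:space:]]*\??=[[:space:]]*yes' "$_conf"
    then echo yes; else echo no; fi
}

# Constructed ldd output resembling the "before" state (base OpenSSL)...
SAMPLE_BASE='/usr/local/libexec/apache24/mod_ssl.so:
        libssl.so.6 => /usr/lib/libssl.so.6 (0x801634000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x801800000)'
# ...and the "after" state matching the answer's output (ports OpenSSL).
SAMPLE_PORTS='/usr/local/libexec/apache24/mod_ssl.so:
        libssl.so.8 => /usr/local/lib/libssl.so.8 (0x801634000)
        libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x801900000)'

# On a real FreeBSD host, run with --live to inspect the installed module.
if [ "${1:-}" = "--live" ]; then
    echo "mod_ssl links against: $(classify_openssl_source \
        "$(ldd /usr/local/libexec/apache24/mod_ssl.so)")"
    echo "make.conf opts into ports OpenSSL: $(make_conf_uses_port_openssl)"
fi
```

Note that the `Server:` header shown by `curl --head` is whatever mod_ssl compiled in, so the ldd check is the authoritative one.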