If you've simply over-written the rpm-provided files you may have... some pain later on; at the very least it's misleading for anyone who looks at the system.
In your position I'd do one of two things:
1/ Download the srpm for Centos, do an rpm -i openssl-whatever.srpm
Edit the /usr/src/redhat/SPEC/openssl.spec file to update the version and source file to the version of openssl you want to build.
Do an rpmbuild -ba /usr/src/redhat/SPEC/openssl.spec to build a newer version of the RPM. If all goes well you'll end up with some shiny new RPMs in /usr/src/redhat/RPMS/$arch and you can just drop them in.
or
2/ Nab the openssl srpm from a newer release (such as Fedora 12), and do an rpmbuild --rebuild openssl-whatever.srpm
Again, all going well you'll get some RPMs, although this is probably less reliable (in the sense that the ABI and dependencies may have changed from RHEL 5 to Fedora 12, for example).
Based on the date displayed by your version of OpenSSL, it seems you are seeing the full version displayed there.
Open SSL 1.0.1 was released on March 14th, 2012. 1.0.1a was released on April 19th of 2012.
So, I'm going to go ahead and assert that openssl version -a
is the proper, cross-distro way to display the full version of OpenSSL that's installed on the system. It seems to work for all the Linux distros I have access to, and is the method suggested in the help.ubuntu.com OpenSSL documentation, as well. Ubuntu LTS 12.04 shipped with vanilla OpenSSL v1.0.1, which is the version that looks like an abbreviated version, on account of not having a letter following it.
Having said that, it appears that there is a major bug in Ubuntu (or how they package OpenSSL), in that openssl version -a
continues to return the original 1.0.1 version from March 14, 2012, regardless of whether or not OpenSSL has been upgraded to any of the newer versions. And, as with most things when it rains, it pours.
Ubuntu is not the only major distro in the habit of backporting updates into OpenSSL (or other packages), rater than relying on the upstream updates and version numbering that everyone recognizes. In the case of OpenSSL, where the letter version numbers represent only bug fix and security updates, this seems nearly incomprehensible, but I have been informed that this may be because of the FIPS-validated plugin major Linux distros ship packaged with OpenSSL. Because of requirements around revalidation that trigger due to any change, even changes that plug security holes, it is version-locked.
For example, on Debian, the fixed version displays a version number of 1.0.1e-2+deb7u5
instead of the upstream version of 1.0.1g
.
As a result, at this time, there is no reliable, portable way to check SSL versions across Linux distributions, because they all use their own backported patches and updates with different version numbering schemes. You will have to look up the fixed version number for each different distribution of Linux you run, and check the installed OpenSSL version against that distribution's specific version numbering to determine if your servers are running a vulnerable version or not.
Best Answer
HaProxy dynamically links in the openssl libraries. You can find this by running
So when you upgrade openssl you just need to restart haproxy.