Does OpenSSL need to be updated?

[TogaDave]

In my WHM there are "lock" icons next to everything except OpenSSL in my Apache Security/Version Table.

It says my installed version of OpenSSL is 0.9.6b

Do I need to update this, and if so, how?

Thanks very much!
Dave

[TogaDave]

Thanks again for the fast reply!

Unfortunately, I'm scared to update Apache through WHM. Every time I have ever used the "Update Apache" link withint WHM instead of using /scripts/easyapache from SSH, it has wreaked havoc on my server and I end up with downtime.

Can this be done another way, or do I have to use the Update Apache link from within WHM?

Thanks very much!

[Sinewy]

I don't think easyapache/buildapache updates OpenSSL. to manually do it:

wget http://www.openssl.org/source/openssl-0.9.7d.tar.gz
tar zxf openssl-0.9.7d.tar.gz
cd openssl-0.9.7d
./configure --prefix=/usr
make
make test
make install
./configure
make
make test
make install

reason im saying to do it twice is because some things look in /usr/ssl and some look in /usr/local/ssl

[Sinewy]

Easyapache doesn't do it. sysup does or rpmup. i cant remember which one does it.

[isputra]

I don't think easyapache/buildapache updates OpenSSL. to manually do it:

wget http://www.openssl.org/source/openssl-0.9.7d.tar.gz
tar zxf openssl-0.9.7d.tar.gz
cd openssl-0.9.7d
./configure --prefix=/usr
make
make test
make install
./configure
make
make test
make install

reason im saying to do it twice is because some things look in /usr/ssl and some look in /usr/local/ssl

After i do your howto my https did not work anymore. When i check in on shell give me : OpenSSL 0.9.6m [engine] 17 Mar 2004

But when i check on WHM i have openssl-0.9.7d and my rkhunter show me :
- OpenSSL 0.9.6m [ OK ]
- OpenSSL 0.9.7d [ OK ]

How to get https work ? Or maybe how to uninstall openssl-0.9.7d and work with OpenSSL 0.9.6m again ?

[anup123]

After i do your howto my https did not work anymore. When i check in on shell give me : OpenSSL 0.9.6m [engine] 17 Mar 2004

But when i check on WHM i have openssl-0.9.7d and my rkhunter show me :
- OpenSSL 0.9.6m [ OK ]
- OpenSSL 0.9.7d [ OK ]

How to get https work ? Or maybe how to uninstall openssl-0.9.7d and work with OpenSSL 0.9.6m again ?

Have you tried it from RPM Package Installer in WHM?

Anup

[chirpy]

That is why you shouldn't update things as important from source if you're already using an rpm based update system under an OS such as RHE - and don't let anyone tell you otherwise.

I would suggest that you download the latest rpm for your distro and rpm install it using --force to get it back to how it should be.

Knowng which OS and version you are running would help in helping you fix it.

[isputra]

OK, now https works but i have another problem.

When i go to https my windows shows up about SSL information so i click "yes" to see my website under https and my browser only show "The page cannot be displayed"

I check on my httpd.conf and here is the info :

<IfDefine SSL>
##
## SSL Virtual Host Context
##
NameVirtualHost xx.xx.xx.xx:443

<VirtualHost xx.xx.xx.xx:443>
ServerAdmin webmaster@mydomain.com
DocumentRoot /home/mydomain/public_html
BytesLog domlogs/mydomain.com-bytes_log
ServerName www.mydomain.com
CustomLog /usr/local/apache/domlogs/mydomain.com-ssl_log "%t %{version}c %{cipher}c %{clientcert}c"
User mydomain
Group mydomain
SSLEngine on
SSLEnable
SSLCertificateFile /usr/local/apache/conf/ssl.key/mydomain.com.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/mydomain.com.key
SSLLogFile /var/log/mydomain.com
ServerAlias mydomain.com www.mydomain.com
ScriptAlias /cgi-bin/ /home/mydomain/public_html/cgi-bin/
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
</IfDefine>

If i go to http://www.mydomain.com my website show normal but if i use https i can't see my website. I think this is not about SSL problem because when Security Alert appear and i click View Certificate all information about certificate is right.

Please any advise to fix this ?

[DigiCrime]

Unless your using Redhat 9 or higher, I wouldnt suggest updating it unless you need to. It breaks some other SSL stuff Like CurlSSL I know I tried several times and havent found a way around it on 7.3 and lower.

When you do it manually, you need to rebuild apache afterwards just leave openssl out

My config

wget http://www.openssl.org/source/openssl-0.9.7d.tar.gz;tar zxf openssl*;/cd openssl*;./config --prefix=/usr --openssldir=/usr/include/openssl

make test to see if it errors out any and then fish the rest of the make install, recompile apache afterwards and youll have it updated in WHM as well

isputra,

If you have a window poping up to ask yes/no verify cert then its not correct unless its a shared cert.

[isputra]

Unless your using Redhat 9 or higher, I wouldnt suggest updating it unless you need to. It breaks some other SSL stuff Like CurlSSL I know I tried several times and havent found a way around it on 7.3 and lower.

I use RH 9 and WHM 9.7.2 cPanel 9.7.7-R15.

I already install easyapache again without OpenSSL and SSL Support.
Now what should i do ?

Can i do like yours above :

wget http://www.openssl.org/source/openssl-0.9.7d.tar.gz;tar zxf openssl*;/cd openssl*;./config --prefix=/usr --openssldir=/usr/include/openssl

make test
make install

/scripts easyapache (if i do easyapache should i leave SSL Support and OpenSSL again or i must install it too on easyapache option ?)

[isputra]

My problem solved

Thank you all for your help