Posted to users@httpd.apache.org by srihari na <na...@gmail.com> on 2015/01/21 11:14:43 UTC

[users@httpd] OpenSSL version used by Httpd

Hello Folks,

I have a question; it may be naive, but please excuse me.

We have 2 versions of openssl

[root@10 ~]# openssl version (preinstalled in OS)
OpenSSL 1.0.1e-fips 11 Feb 2013
[root@10 ~]# which openssl
/usr/bin/openssl
[root@10 ~]# /usr/local/ssl/bin/openssl version (We compiled this version)
OpenSSL 1.0.1h 5 Jun 2014

While installing we specify the --with-ssl attribute:
host.ssh("cd /var/lib/httpd-2.2.25; \
                ./configure \
                    --prefix=/etc/httpd \
                    --exec-prefix=/usr \
                    --bindir=/usr/bin \
                    --sbindir=/usr/sbin \
                    --mandir=/usr/share/man \
                    --libdir=/usr/lib \
                    --sysconfdir=/etc/httpd/conf \
                    --includedir=/usr/local/include/httpd \
                    --libexecdir=/etc/httpd/modules \
                    --datadir=/var/www \
                    --with-mpm=prefork \
                    --with-devrandom \
                    --enable-mods-shared=all \
                    --enable-cache \
                    --enable-disk-cache \
                    --enable-file-cache \
                    --enable-mem-cache \
                    --enable-proxy \
                    --enable-ssl \
                    --with-ssl=/usr/local/ssl; \
                make; make install")

However, from the external/client side, how can I verify which is the exact
version of the openssl libraries being used during communication? Please help.

-- 
Regards,
Srihari NA

Re: [users@httpd] OpenSSL version used by Httpd

Posted by Rodrigo Cunha <ro...@gmail.com>.
Check the logs in syslog or the config file, or use:
history | grep -i ./configure
on your system.
But with dpkg -l | grep -i openssl your system displays the openssl installed
on your system from dpkg files.

OR, see my troubleshooting for this question:

Troubleshooting in my VirtualBox in my local laboratory:
Example on my system, installed with apt-get install.
I search in /etc/http for the string "openssl" with the command below:
$ grep --color ssl * -R
This outputs many lines containing ssl..., but in the displayed lines below,
among much other information, you will find:
mods-available/ssl.load:LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
I used the native Linux command ldd to read .so extension files.
You use:
ldd /usr/lib/apache2/modules/mod_ssl.so

example in my output:
root@LAMP:/etc/apache2# ldd /usr/lib/apache2/modules/mod_ssl.so
    linux-gate.so.1 =>  (0xb77cf000)
    libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7752000)
    libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb75fa000)
    libpthread.so.0 => /lib/libpthread.so.0 (0xb75e0000)
    libc.so.6 => /lib/libc.so.6 (0xb749b000)
    libdl.so.2 => /lib/libdl.so.2 (0xb7497000)
    libz.so.1 => /usr/lib/libz.so.1 (0xb7483000)
    /lib/ld-linux.so.2 (0xb77d0000)

Apache httpd doesn't use all the packages from the openssl package.
In the packages, from the string libssl.so.0.9.8 you have this reference for
your openssl; my openssl is shown below:
root@LAMP:~# openssl version
OpenSSL 0.9.8o 01 Jun 2010
root@LAMP:~#
The version string 0.9.8o is a reference to the other version string,
0.9.8, concatenated in libssl.so.0.9.8.
libssl.so.0.9.8 is the lib of OpenSSL 0.9.8o.
But it is hard work and is not recommended; talk to your boss about getting
these problems documented.




2015-01-22 5:23 GMT-02:00 Oscar Knorn <os...@uni-duisburg-essen.de>:

>  Is there a way to specify/modify the order of locations in the path of
> where to look for the libraries in compile/run time?
> Might help.
>
> Oscar
>


-- 
Regards,
Rodrigo da Silva Cunha
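
Added example (not part of the original thread): the ldd check described in the reply above, turned into a function that tells whether mod_ssl.so resolves libssl/libcrypto under the directory given to --with-ssl or somewhere else. The function names and verdict words are hypothetical; the sample input is taken from the ldd output quoted in the reply.

```shell
#!/bin/sh
# Added example, not from the thread. PREFIX is whatever directory was passed
# to --with-ssl at build time (/usr/local/ssl in the original question).

# ssl_libs: read `ldd` output on stdin, print "soname path" for each
# libssl/libcrypto dependency; path is NOTFOUND when the loader cannot resolve it.
ssl_libs() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ {
        if ($2 == "=>" && $3 ~ /^\//) print $1, $3
        else                          print $1, "NOTFOUND"
    }'
}

# check_ssl_link PREFIX: read `ldd` output on stdin, print one verdict:
#   match      every libssl/libcrypto resolves under PREFIX
#   mismatch   at least one resolves elsewhere (e.g. the OS copy)
#   unresolved at least one is "not found" at run time
#   none       no dynamic libssl/libcrypto dependency (e.g. OpenSSL linked statically)
check_ssl_link() {
    prefix=${1%/}
    libs=$(ssl_libs)
    [ -n "$libs" ] || { echo none; return 0; }
    verdict=match
    while read -r soname path; do
        case $path in
            NOTFOUND)    verdict=unresolved ;;
            "$prefix"/*) ;;
            *)           [ "$verdict" = unresolved ] || verdict=mismatch ;;
        esac
    done <<EOF
$libs
EOF
    echo "$verdict"
}

# Sample input: lines taken from the ldd output quoted in the reply above.
SAMPLE_LDD='    libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7752000)
    libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb75fa000)
    libc.so.6 => /lib/libc.so.6 (0xb749b000)'

printf '%s\n' "$SAMPLE_LDD" | check_ssl_link /usr/local/ssl

# On a live host (module path assumed from --libexecdir in the question):
#   ldd /etc/httpd/modules/mod_ssl.so | check_ssl_link /usr/local/ssl
```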

Re: [users@httpd] OpenSSL version used by Httpd

Posted by Oscar Knorn <os...@uni-duisburg-essen.de>.
Is there a way to specify/modify the order of locations in the path of
where to look for the libraries in compile/run time?
Might help.

Oscar


On 21.01.2015 at 11:46, srihari na wrote:
> Hey 
>
> Thank you very much for the quick reply. I did modify ServerTokens from OS
> to Full and did restart Apache. However, when I tried to hit my server I do
> not see the Server header added. Is there any other precondition that I
> need to take care of? I am using Apache HTTPD 2.2.25.
>
> [root@10 conf]# curl --head https://localhost:443/login -k
> HTTP/1.1 200 OK
> Date: Wed, 21 Jan 2015 10:43:42 GMT
> Set-Cookie: JSESSIONID=521BFADA9009F72C4ED9BF6D5CA63899.7001stagingcld-tomcat9; Path=/; Secure; HttpOnly
> Cache-Control: no-cache
> Pragma: no-cache
> Expires: Wed, 31 Dec 1969 23:59:59 GMT
> Content-Type: text/html;charset=UTF-8
> Content-Language: en-US
> Content-Length: 5967
>
> [root@10 conf]# 
>
> On Wed, Jan 21, 2015 at 3:55 PM, Pete Houston <ph...@openstrike.co.uk> wrote:
>
>     On Wed, Jan 21, 2015 at 03:44:43PM +0530, srihari na wrote:
>     > However from external/client side how can I verify which is the exact
>     > version of openssl libraries being used during communication. Please help.
>
>     In your httpd.conf specify
>
>             ServerTokens Full
>
>     Then from the client side you can inspect the headers for the OpenSSL
>     version. eg: http://httpd.apache.org/ currently reports:
>
>             Server: Apache/2.4.11 (Unix) OpenSSL/1.0.1l
>
>     See http://httpd.apache.org/docs/2.2/mod/core.html#servertokens
>     You might consider this as information leakage so may not wish to leave
>     it permanently enabled.
>
>     Pete
>     --
>     Openstrike - improving business through open source
>     http://www.openstrike.co.uk/ or call 01722 770036 / 07092 020107
>
>
>
>
> -- 
> Regards,
> Srihari NA


Re: [users@httpd] OpenSSL version used by Httpd

Posted by Pete Houston <ph...@openstrike.co.uk>.
The Server response header is always present by default. Therefore there
must be something which has been changed in your configuration to remove
it. You will need to find that and fix it.

Pete
-- 
Openstrike - improving business through open source
http://www.openstrike.co.uk/ or call 01722 770036 / 07092 020107

Re: [users@httpd] OpenSSL version used by Httpd

Posted by srihari na <na...@gmail.com>.
Hey

Thank you very much for the quick reply. I did modify ServerTokens from OS to
Full and did restart Apache. However, when I tried to hit my server I do not
see the Server header added. Is there any other precondition that I need to
take care of? I am using Apache HTTPD 2.2.25.

[root@10 conf]# curl --head https://localhost:443/login -k
HTTP/1.1 200 OK
Date: Wed, 21 Jan 2015 10:43:42 GMT
Set-Cookie: JSESSIONID=521BFADA9009F72C4ED9BF6D5CA63899.7001stagingcld-tomcat9; Path=/; Secure; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 5967

[root@10 conf]#

On Wed, Jan 21, 2015 at 3:55 PM, Pete Houston <ph...@openstrike.co.uk> wrote:

> On Wed, Jan 21, 2015 at 03:44:43PM +0530, srihari na wrote:
> > However from external/client side how can I verify which is the exact
> > version of openssl libraries being used during communication. Please help.
>
> In your httpd.conf specify
>
>         ServerTokens Full
>
> Then from the client side you can inspect the headers for the OpenSSL
> version. eg: http://httpd.apache.org/ currently reports:
>
>         Server: Apache/2.4.11 (Unix) OpenSSL/1.0.1l
>
> See http://httpd.apache.org/docs/2.2/mod/core.html#servertokens
> You might consider this as information leakage so may not wish to leave
> it permanently enabled.
>
> Pete
> --
> Openstrike - improving business through open source
> http://www.openstrike.co.uk/ or call 01722 770036 / 07092 020107
>



-- 
Regards,
Srihari NA

Re: [users@httpd] OpenSSL version used by Httpd

Posted by Pete Houston <ph...@openstrike.co.uk>.
On Wed, Jan 21, 2015 at 03:44:43PM +0530, srihari na wrote:
> However from external/client side how can I verify which is the exact
> version of openssl libraries being used during communication. Please help.

In your httpd.conf specify

	ServerTokens Full

Then from the client side you can inspect the headers for the OpenSSL
version. eg: http://httpd.apache.org/ currently reports:

	Server: Apache/2.4.11 (Unix) OpenSSL/1.0.1l

See http://httpd.apache.org/docs/2.2/mod/core.html#servertokens
You might consider this as information leakage so may not wish to leave
it permanently enabled.

Pete
-- 
Openstrike - improving business through open source
http://www.openstrike.co.uk/ or call 01722 770036 / 07092 020107
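
Added example (not part of the original thread): the client-side header check suggested above, as a function that reads saved `curl --head` output and distinguishes a Server header carrying an OpenSSL token from one without it and from a response with no Server header at all, which is what the curl output posted in the thread shows. The function name and result words are hypothetical; the sample response is abridged from the thread.

```shell
#!/bin/sh
# Added example, not from the thread.
# server_openssl: read HTTP response headers on stdin (e.g. saved output of
# `curl --head`) and print one of:
#   <version>          the OpenSSL/<version> token of the Server header
#   no-openssl-token   Server header present, but without an OpenSSL token
#   no-server-header   no Server header in the response at all
server_openssl() {
    awk '
        { sub(/\r$/, "") }                  # curl keeps the CRLF line endings
        tolower($1) == "server:" {
            seen = 1
            for (i = 2; i <= NF; i++)
                if ($i ~ /^OpenSSL\//) { print substr($i, 9); found = 1; exit }
        }
        END {
            if (found) exit
            print (seen ? "no-openssl-token" : "no-server-header")
        }'
}

# Sample input: the response posted in the thread, abridged; it has no Server line.
THREAD_RESPONSE='HTTP/1.1 200 OK
Date: Wed, 21 Jan 2015 10:43:42 GMT
Cache-Control: no-cache
Content-Type: text/html;charset=UTF-8
Content-Length: 5967'

# Sample input: the Server header quoted in the reply for httpd.apache.org.
FULL_RESPONSE='HTTP/1.1 200 OK
Server: Apache/2.4.11 (Unix) OpenSSL/1.0.1l'

printf '%s\n' "$THREAD_RESPONSE" | server_openssl
printf '%s\n' "$FULL_RESPONSE"   | server_openssl
```

A `no-server-header` result points at the configuration or at whatever sits in front of httpd rather than at ServerTokens; `no-openssl-token` is the result when the header is present but carries fewer tokens than ServerTokens Full produces.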