Issues Upgrading Apache/OpenSSL

Started by Johan, April 30, 2015, 09:48:59 PM


Johan

Hello

Preface: I'm currently running Windows 2003 Server, Apache 2.2.19, OpenSSL 0.9.8r, PHP 5.3.3, a little known, and now (pretty much dead/unsupported) CGI language called iHTML, and about 10-20k lines of code written in iHTML.

My SSL certificate was coming up for renewal, so I purchased a new cert from DigiCert.

Everything appeared to be ok, until I followed their advice to test my server with ssllabs.com. My server got an "F" :(
This sucked me into another black hole of time, in order to attempt to get my server updated/more secure.
Note: I'm an applications programmer, not an IT guy, although I own my own biz, so I'm forced to occasionally put on my IT hat.

Googling "Upgrade OpenSSL" led me to a site called shininglightpro.com. I spent many hours yesterday futzing with the OpenSSL 1.0.2a from that site, on a live server.

After I got it all installed (without ANY instructions from that site, just an "installer exe" which didn't have much useful feedback about what the heck it was doing), Apache finally started.
I thought "ok! I'm done!"..

UNTIL I realized Apache was crashing, and my phone started to ring from customers calling me to tell me their site was down, so I reverted back to my old version of OpenSSL.

I went to a meeting, and along the way, I got to thinking.. maybe my Apache is too old for this OpenSSL version?!

After more hours of Googling "upgrade Apache" late last night, I wound up on this site..

I downloaded Apache 2.4.12 VC9, and proceeded to modify its httpd.conf file by copying from the old conf file (this time, I'm working on a secondary server, so I'm not messing with a live server, which I HATE to do).

I've gotten past most of the incompatibilities/changes with some of the commands in the conf file, and then I hit another brick wall.

And that is, iHTML.DLL doesn't seem to want to load with this version of Apache?! (sigh). More Googling led me to suspect my iHTML.DLL will not work with Apache 2.4.x.

It seems the highest version of Apache I MIGHT be able to install will be 2.2.29 VC9, and still be able to load iHTML (which is a MUST).

More confusion:

In the section under Apache 2.2.29 (VC9) it says:
"with OpenSSL 1.0.1m, Zlib 1.2.8 (mod_deflate), APR 1.5.1, APR-Util 1.5.4. IPv6 and TLS SNI enabled", which leads me to suspect I might be able to get OpenSSL as high as 1.0.1m.

EXCEPT in the description further down the page, it says, under "OpenSSL 1.0.1m Update for Apache 2.2.29" the following:
OpenSSL 1.0.1m update for x86 version of Apache 2.2.29 before -r4

The file name for Apache 2.2.29 (VC9) is "httpd-2.2.29-x86-r4.zip" (Note: it says "-r4" in the file name).

This appears to be contradictory to me? You have a version of Apache that says it comes with OpenSSL 1.0.1m, and yet the ONLY OpenSSL 1.0.1m on this site says it doesn't work with the ONLY available version of Apache 2.2.29?!

Can someone PLEASE enlighten me, so I can get this situation resolved, and get back to working on billable coding hours?

Best regards
Johan



Gregg

Hi Johan,

I do not see where the confusion is: the OpenSSL upgrade is for downloads named up to -r3. -r4 already contains OpenSSL 1.0.1m, which the ones up to and including -r3 do not. They have earlier versions.

Yes, iHTML will probably not work with 2.4, not unless there is a newer version of it built for 2.4.

As for the shininglightpro.com OpenSSLs, the problem is that they are just the OpenSSL; since mod_ssl in Apache has to link to the OpenSSL libraries, they have to match. You had 0.9.8r, you may have been able to get away with 0.9.8zf, but not 1.0.0 - 1.0.2.

You should be good with the 2.2.29 -r4 package, and get a good score over at the SSLLabs test. I see you had PHP; if you load it into Apache like a module (php5apache2_2.dll), you will be fighting a similar problem with OpenSSL, since 5.4 is linked to 0.9.8 as well. There are other options to allow you to maintain OpenSSL 1.0.1m on Apache. It's called mod_fcgid; we have it here, and it allows you to run PHP as a FastCGI process instead of loading the module. Doing this, there is no need to match OpenSSL versions.

Anyhow, see Mario's blog about OpenSSL and getting a good score over at ssllabs.
https://mariobrandt.de/archives/apache/current-2013-bullet-proof-ssl-config-779
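The two points Gregg makes (run PHP under mod_fcgid so httpd's mod_ssl and PHP stop sharing one OpenSSL build, and tighten the SSL settings for the SSLLabs test) can be combined in one httpd.conf fragment. The fragment below is an added example written for this thread; it is not from the original posts, from Apache Lounge, or from Mario's blog. The install paths (C:/Apache22, C:/php), the host name, the certificate file names and the cipher list are assumptions and need to be replaced with the server's own values.

```apache
# Added example, not from the thread. Assumed layout: httpd in C:/Apache22,
# PHP (with php-cgi.exe) in C:/php, certificates under C:/Apache22/conf/ssl.
LoadModule fcgid_module modules/mod_fcgid.so
LoadModule ssl_module modules/mod_ssl.so

# Do NOT also load php5apache2_2.dll: that DLL is linked against PHP's own
# OpenSSL and would pull a second, possibly mismatched, copy into httpd.exe.
# With mod_fcgid, php-cgi.exe runs as a separate process with its own libraries.
<IfModule fcgid_module>
    FcgidInitialEnv PHPRC "C:/php"
    FcgidInitialEnv PHP_FCGI_MAX_REQUESTS 1000
    FcgidMaxRequestsPerProcess 1000
    FcgidMaxRequestLen 10485760
    FcgidIOTimeout 60
</IfModule>

<Directory "C:/Apache22/htdocs">
    Options +ExecCGI
    AddHandler fcgid-script .php
    FcgidWrapper "C:/php/php-cgi.exe" .php
</Directory>

Listen 443
<VirtualHost _default_:443>
    ServerName www.example.com
    DocumentRoot "C:/Apache22/htdocs"

    SSLEngine on
    SSLCertificateFile      "C:/Apache22/conf/ssl/server.crt"
    SSLCertificateKeyFile   "C:/Apache22/conf/ssl/server.key"
    SSLCertificateChainFile "C:/Apache22/conf/ssl/intermediate.crt"

    # Protocol and cipher policy for an OpenSSL 1.0.1 build of mod_ssl:
    # no SSLv2/SSLv3, the server chooses the suite, forward-secret ECDHE first,
    # and anonymous/export/RC4/MD5 suites excluded.
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK"
    # TLS compression off (CRIME); directive available from 2.2.24 on.
    SSLCompression off
</VirtualHost>
```

Two checks after restarting: the first "[notice]" line in error.log states which OpenSSL mod_ssl was built against (it reads like "Apache/2.2.29 (Win32) mod_ssl/2.2.29 OpenSSL/1.0.1m configured"), and `php-cgi.exe -i` run from a command prompt reports the OpenSSL version PHP carries. With mod_fcgid the two may differ without harm, because they are loaded into different processes. Re-run the SSLLabs test afterwards; the cipher list above is an example, not Mario's recommendation, so compare it against his current post before adopting it.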