Version of OpenSSL being used

CHoggarth · February 19, 2013, 6:10am

Hello

I'm relatively new to technologies like Apache & ssl but have some years
experience with Unix. My question concerns the version of OpenSSL which is
genuinely being used on our server & how is that set.

The server is running Solaris 10. I'll show output from various commands:

:/usr/local/ssl # pkginfo -l SMCossl
   PKGINST:  SMCossl
      NAME:  openssl
  CATEGORY:  application
      ARCH:  sparc
   VERSION:  1.0.1c
   BASEDIR:  /usr/local
    VENDOR:  The OpenSSL Group
    PSTAMP:  Steve Christensen
  INSTDATE:  Aug 17 2012 07:27
     EMAIL:  steve@smc.vnet.net
    STATUS:  completely installed
     FILES:     1871 installed pathnames
                   1 shared pathnames
                  43 directories
                  32 executables
               30745 blocks used (approx)

:/usr/local/ssl #

:/usr/local/ssl # openssl version -a
OpenSSL 1.0.1c 10 May 2012
built on: Sun May 13 18:44:13 EDT 2012
platform: solaris-sparcv9-gcc
options:  bn(64,32) rc4(ptr,char) des(idx,cisc,16,long) idea(int) blowfish(ptr)
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -
DDSO_DLFCN -DHAVE_DLFCN_H -m32 -mcpu=ultrasparc -O3 -fomit-frame-
pointer -Wall -DB_ENDIAN -DBN_DIV2W -DOPENSSL_BN_ASM_MONT -DSHA1
_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/local/ssl"
:/usr/local/ssl #

But if I run telnet xxx.xxx.xxx.xxx 80 & OPTIONS / HTTP1.0 from our network it reports 0.9.8x:

HTTP/1.1 200 OK
Date: Tue, 19 Feb 2013 10:20:37 GMT
Server: Apache/2.2.23 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8x DAV/2
Allow: POST,OPTIONS,GET,HEAD
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html



Connection to host lost.

W:\>

I've been advised to use OPTIONS / HTTP1.0 to determine which version is genuinely being used.

We have in the past installed SSL by package (the most recent being 1.0.1) & source (presumably the most recent being 0.9.8x).

I need to upgrade SSL on this server & I would like to use the 1.0.1 stream (I understand packages are more likely to be available for this & that's certainly easier to install). But I can't figure out why the system is really using 0.9.8x when the server itself is saying that 1.0.1 is being used.

I am assuming that the OPTIONS / HTTP1.0 command is giving me the true version.

Can anyone clarify what might be happening & advise how I can start using 1.0.1?

Thanks, Chris

achenle · February 19, 2013, 6:58am

Where is the Apache binary "httpd"? Who compiled it? What libraries was it linked against when it was compiled? What libraries does it load when running?