Hello
I'm relatively new to technologies like Apache & ssl but have some years
experience with Unix. My question concerns the version of OpenSSL which is
genuinely being used on our server & how is that set.
The server is running Solaris 10. I'll show output from various commands:
:/usr/local/ssl # pkginfo -l SMCossl
PKGINST: SMCossl
NAME: openssl
CATEGORY: application
ARCH: sparc
VERSION: 1.0.1c
BASEDIR: /usr/local
VENDOR: The OpenSSL Group
PSTAMP: Steve Christensen
INSTDATE: Aug 17 2012 07:27
EMAIL: steve@smc.vnet.net
STATUS: completely installed
FILES: 1871 installed pathnames
1 shared pathnames
43 directories
32 executables
30745 blocks used (approx)
:/usr/local/ssl #
:/usr/local/ssl # openssl version -a
OpenSSL 1.0.1c 10 May 2012
built on: Sun May 13 18:44:13 EDT 2012
platform: solaris-sparcv9-gcc
options: bn(64,32) rc4(ptr,char) des(idx,cisc,16,long) idea(int) blowfish(ptr)
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -
DDSO_DLFCN -DHAVE_DLFCN_H -m32 -mcpu=ultrasparc -O3 -fomit-frame-
pointer -Wall -DB_ENDIAN -DBN_DIV2W -DOPENSSL_BN_ASM_MONT -DSHA1
_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/local/ssl"
:/usr/local/ssl #
But if I run telnet xxx.xxx.xxx.xxx 80 & OPTIONS / HTTP1.0 from our network it reports 0.9.8x:
HTTP/1.1 200 OK
Date: Tue, 19 Feb 2013 10:20:37 GMT
Server: Apache/2.2.23 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8x DAV/2
Allow: POST,OPTIONS,GET,HEAD
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html
Connection to host lost.
W:\>
I've been advised to use OPTIONS / HTTP1.0 to determine which version is genuinely being used.
We have in the past installed SSL by package (the most recent being 1.0.1) & source (presumably the most recent being 0.9.8x).
I need to upgrade SSL on this server & I would like to use the 1.0.1 stream (I understand packages are more likely to be available for this & that's certainly easier to install). But I can't figure out why the system is really using 0.9.8x when the server itself is saying that 1.0.1 is being used.
I am assuming that the OPTIONS / HTTP1.0 command is giving me the true version.
Can anyone clarify what might be happening & advise how I can start using 1.0.1?
Thanks, Chris