Re: OpenSSL Heartbleed bug, Apache still vulnerable?
Hi guys,
Sorry if I end up doing this wrong (don't tend to post to lists often),
thread-wise, but I ran into the same issue where it seemed that despite
upgrading OpenSSL to the patched version, my Apache server was still
vulnerable to Heartbleed.
Just curious - are you running Google's mod_spdy? If so, that was the
culprit for me - check:
/etc/apache2/mods-enabled/ssl.load
They overrode mod_ssl like so:
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl_with_npn.so
I just decided to uninstall the package entirely to revert to
/usr/lib/apache2/modules/mod_ssl.so and that fixed it.
There may be other plugins that do this, so I'd recommend anyone running
into this double-check what modules Apache is *actually* set to load.
Hope this helps. :)
- Gary Carter
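
One way to run the check recommended in the message above, as an added example that is not part of the original post: a shell function that lists every active `LoadModule ssl_module` directive under an Apache configuration directory and flags any that loads something other than `mod_ssl.so`. The function name, status labels and exit codes are assumptions made for this example; the sample directive is the one quoted in the post.

```shell
#!/bin/sh
# Added example (not from the original post).

# audit_ssl_module DIR
# Prints "STATUS<TAB>FILE<TAB>MODULE" for each active ssl_module directive.
# Returns 0 if every directive loads mod_ssl.so, 1 if any loads a different
# file, 2 if no active ssl_module directive is found (or DIR is unreadable).
audit_ssl_module() {
    conf_dir=$1
    # -R follows the symlinks that mods-enabled/ is made of; the anchored
    # pattern skips commented-out directives.
    matches=$(grep -RHE \
        '^[[:space:]]*LoadModule[[:space:]]+ssl_module[[:space:]]+[^[:space:]]+' \
        "$conf_dir" 2>/dev/null) || return 2
    status=0
    while IFS= read -r entry; do
        file=${entry%%:*}            # grep -H prefixes each match with "file:"
        directive=${entry#*:}
        # Third field of the directive is the module path; drop any quotes.
        module=$(printf '%s\n' "$directive" |
            awk '{ gsub(/"/, "", $3); print $3 }')
        case ${module##*/} in
            mod_ssl.so) printf 'stock\t%s\t%s\n' "$file" "$module" ;;
            *)          printf 'override\t%s\t%s\n' "$file" "$module"
                        status=1 ;;
        esac
    done <<EOF
$matches
EOF
    return "$status"
}

# Constructed sample: a temp directory holding the directive quoted in the post.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' \
        'LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl_with_npn.so' \
        > "$tmp/ssl.load"
    audit_ssl_module "$tmp" || echo "exit status: $?"
    rm -rf "$tmp"
}
demo
```

On a real host, call `audit_ssl_module /etc/apache2/mods-enabled` instead of `demo`, then restart Apache after any change so the running process actually reloads the module.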