
Re: OpenSSL Heartbleed bug, Apache still vulnerable?



Hi guys,

Sorry if I end up doing this wrong (don't tend to post to lists often),
thread-wise, but I ran into the same issue where it seemed that despite
upgrading OpenSSL to the patched version, my Apache server was still
vulnerable to Heartbleed.

Just curious - are you running Google's mod_spdy?  If so, that was the
culprit for me - check:

/etc/apache2/mods-enabled/ssl.load

They overrode mod_ssl like so:

LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl_with_npn.so

I just decided to uninstall the package entirely to revert to
/usr/lib/apache2/modules/mod_ssl.so and that fixed it.

There may be other plugins that do this, so I'd recommend anyone running
into this double-check what modules Apache is *actually* set to load.

Hope this helps. :)

 - Gary Carter
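
The check recommended in the message above, written out as a script. This is an added example, not part of the original post: the names check_ssl_module, make_sample_conf and STOCK_MODULE are hypothetical, and the sample files are constructed from the two module paths quoted in the message.

```shell
#!/bin/sh
STOCK_MODULE="mod_ssl.so"   # stock filename, as named in the post

# check_ssl_module DIR
# Prints "OK <file> <path>" or "OVERRIDE <file> <path>" for every active
# "LoadModule ssl_module" directive under DIR (commented lines are ignored).
# Returns 0 if all use the stock module, 1 on any override, 2 if none found.
check_ssl_module() {
    # find -L follows the mods-enabled symlinks; /dev/null forces grep to
    # prefix each match with its file name even when only one file is given.
    find -L "$1" -type f -exec grep -iE \
        '^[[:space:]]*LoadModule[[:space:]]+ssl_module[[:space:]]+' \
        /dev/null {} + 2>/dev/null |
    awk -v stock="$STOCK_MODULE" '
        {
            file = $0; sub(/:.*/, "", file)   # text before the first colon
            path = $NF; gsub(/"/, "", path)   # last field is the module path
            n = split(path, parts, "/")
            if (parts[n] == stock) {
                print "OK " file " " path
            } else {
                print "OVERRIDE " file " " path
                bad = 1
            }
            seen = 1
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }'
}

# make_sample_conf DIR: constructed sample input (not real server config).
make_sample_conf() {
    mkdir -p "$1/stock" "$1/spdy" "$1/empty"
    printf '%s\n' \
        '# LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl_with_npn.so' \
        'LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so' \
        > "$1/stock/ssl.load"
    printf '%s\n' \
        'LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl_with_npn.so' \
        > "$1/spdy/ssl.load"
}

# Stand-alone use: sh thisfile.sh /etc/apache2/mods-enabled
if [ $# -gt 0 ]; then check_ssl_module "$1"; fi
```

An OVERRIDE line only says that a file other than the stock mod_ssl.so is being loaded; whether that file carries its own OpenSSL still has to be checked separately.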

