Do to security vulnerabilities with OpenSSL, I've had to recompile Apache
2.4.12 with OpenSSL version 1.0.1.m.
The team that controls the web servers doesn't want me to install into the same
installation directory, but rather into a separate directory. They then copy
config files and whatever they need into the new installation and then start
Apache from there.
I compiled from source on a separate server, then created a tarball which I
dropped onto the actual web servers.
The first time that I did this, I did a "curl --head http://localhost"; to
verify the OpenSSL version. I got back that the OpenSSL version was still
1.0.1j. So, I recompiled, verified on the server that I used to compile on and
verified that OpenSSL 1.0.1m was what was compiled into Apache. I then
tarballed everything up, copied it over to the web servers, dropped into place
and turned over to the internet team. I was just informed that OpenSSL is
still pointed to 1.0.1j.
The only thing that I can think of is that the internet team must have
something in a config file somewhere that is actually calling OpenSSL 1.0.1j.
Can that be possible? Other than doing a "curl --head http://localhost";, how
can I tell what version of OpenSSL is being used?
Thanks
Daryl
