There used to be a nice HOW-TO here but aussie is correct. However since I upgraded to Apache 1.3.28 before writing this, I won't have the problems below until a new Apache version is released. I didn't take cPanel's Apache attachment into much consideration as I am mainly a security administrator and I myself am not used to these integrated control panels such as cPanel, Ensim, etc.

OpenSSH has no attachments to cPanel.

Hi..

great thread...

i have two questions please :

1 - did any body try this on Dual Xeon ?

2 - can i make the apache build form WHM insted of command line ?

thanx.

This isn't kernel or hardware related. Dual Xeon or Quad AMD, no difference. I highly suggest you stick to the command-line during this operation.

The problem is that these are not RPMs.

That's not a problem if you follow the above.

root@svr01 [~]# openssl version
OpenSSL 0.9.6j [engine] 10 Apr 2003

Nice one Richard, worked like a treat, thanks a lot for that one

Taz.

Not a problem.

You mentioned this is for cPanel, but shouldn't this also be for ENSIM or whatever your using? I have a 7.3 ENSIM box and it shows OpenSSL 0.9.6b [engine] 9 Jul 2001, but I don't see an ENSIM how-to.

Edit: does an ENSIM box use the same SSL or does it use another type?

AFAIK, Ensim uses OpenSSL also. I don't know how Ensim handles the rebuilding of Apache and respectful packages. You might end up sticking one of those nasty mile-long ./configure lines to properly upgrade (manual recompile).

just wonder if later Cpanel release update on their release, how effect it will be?

This does the same thing cvsup, cpanel update, or an RPM would do; it update the package. Plain and simple.

Richard, as you know many people are having a problem with upgrading Apache from 1.3.27 -> 1.3.28. One user claims Cpanel reinstalled the old verson of OpenSSL on his box and Apache recompiled without a problem. What are you thoughts on this please. See http://forums.rackshack.net/showthread.php...1782#post181782

I would really like to know if this is the cause of all the Apache upgrade problems on our boxes.

On a default cPanel box, we have /usr/local/src/openssl-0.9.7b/ as the main path for OpenSSL. On the upgrade, /usr/src/openssl-0.9.6j

Now, I did all this after the 1.3.28 upgrade. I suggest moving /usr/local/src/openssl-0.9.7b/ to openssl-0.9.7b.old and then doing ln -s /usr/src/openssl-0.9.6j/ /usr/local/src/openssl-0.9.7b/ to see if that aids in the Apache problems. I'm going to guess the easyapache script is gathering from the older path which means with a link to the new directory it should go through flawlessly. If not, a few files may need to be linked to the newer version.

In any case, I'll help with any errors regarding this.

Would it be a safe assumtion to updating Apache to 1.3.28 before updating OpenSSL from 9.6b version...

Will this work on a Dell Dual Xeon server? I updated my servers Kernel last night.

I just do not want to mess up on my server, I have a lot of info on it.

Yes and no. I mean, I did it but it doesn't mean it has to be done. When a version newer than 1.3.28 is released and cpanel tries to update it I'm sure I'll be making those links between the two OpenSSL versions also.

This isn't hardware/kernel-related so it shouldn't matter how many CPUs or which brand they are.

The upgrade issues we were having where Apache wouldnt upgrade to 1.3.28 was a result of OpenSSL version j installed.

http://forum.rackshack.net/showthread.php?...1825#post181825

Thanks for your how to btw!

Hmm still showing version j installed when i type openssl version but the box hopefully just needs a good boot.

Excellent info aussie,.. good to know. so reading from your posts, I think we'll do our Apache upgrade first, then tackle the OpenSSL/OpenSSH versions...

I knew there was a good reason to hold off upgrading...

Thx's abunch of this tip. I'm sure this will save alot of people some major headaches!

Well unless Cpanel decides to include OpenSSL vJ in their release i would be reluctant to install it even after the Apache 1.3.28 for the simple reason that you need to consider future updates. I mean if you install it after the fact and there are other updates will you be back to where you cannot upgrade using easyapache?

And Darren said this.

Hello,

Yes that is what I was going to look at as per a suggestion from the developers, upgrading things like that outside of Cpanel can cause some strange problems like this.

Thanks,
Darren
--

cPanel, Inc.

And Richard your information was very helpful but Im not sure if i would risk the update to OpenSSL after this. I just wish Cpanel would get with program and update or offer a solution to give us the latest of updates instead of lagging way behind on issues that ar of a security nature.

Just to correct any misconceptions people may have.

Although your openSSL (and openSSH) may be old there is no security risk in NOT upgrading. The old versions are secure and are upgraded by cpanel when necessary. If you upgrade openSSL or openSSH then you have basically stepped outside the upgrade path of cpanel. Thus you might get problems recompiling apache etc.

This thread starts off with the words URGENT. Upgrading is not urgent at all - in fact i believe it to be a mistake, leading to future problems. I would advise people to think carefully when reading advise by forum members - it's not always the best advice.

No offence, just my 2 cents.

OpenSSH is not a problem and you can update that freely. OpenSSL on the other hand is a whole different ball game. Its relient on the the upgrade of Apache and checks for the proper version of OpenSSL during the upgrade. When it doesnt find the proper version it does nothing.

Aussie,

would you please update the HOW-TO for

0.9.7d

Thanks

This is a very old thread but after the postings where done here it was concluded that everyone had to uninstall OpenSSL because it prevented easyapache from upgrading to the next Apache version that came out a few weeks after the initial posting here.

So what has changed since? Not much, but if people are doing this OpenSSL upgrade they better be doing it with great care as it may just break your ability to upgrade Apache from one version to another when the next one is available.

I'm seeing various posting of where people are downloading OpenSSL from the OpenSSL website and doing a manual install but I'm not sure if this is a wise thing to do. This is a catch-22 situation. We have cPanel dragging their feet on getting a new version of OpenSSL integrated while there is the possbility that if you dont do a manual upgrade your box could be rooted. And if you do the manual installation you may just BREAK easyapache. Hard to tell really, but nothing has changed since the days we tried to upgrade OpenSSL manually so my final thought on this it could break easyapache.

Do you still feel that way? See advisory!

Has anything changed? I just had The Planet run a Vulnerability Check and it told me to upgrade OpenSSL.

Join the club.

The only thing is that Apache Update does not include a newer version of OpenSSL...

The scanner has been telling me this for about 5 months now and I'm wondering when they're going to start including OpenSSL in the AU.

Good luck. Happy Monday.