How to update mod_ssl using portupgrade

Due to PCI DSS security certification, an outside scan of our Apache 2.2 driven web site has said we must update mod_ssl to version 2.8.10 or later. Our current Apache is 2.2.24, and the HTML headers also list mod_ssl as version 2.2.24 (openssl 1.0.1e). The mod_ssl site doesn't list any 2.2.24 version in history, so it's evidently just being matched to the Apache version. I can't find documentation on which version is actually included with Apache 2.2.24.

I'm filling in for the person who originally installed this system, because he's out of the office and we have a deadline. (I'm the one who configured Apache after installation, and I maintain the web site.)

I updated openssl and Apache before last week's scan, using portupgrade, and figured we had the most current version of everything (especially after a preliminary scan we ran came up clean). In fact the latest version listed on the mod_ssl web site (for Apache 2) is 2.8.31, so it would seem that version would work.

I have re-updated Apache and openssl twice just today, and the version numbers are the same. I have tried giving a command for portupgrade to update mod_ssl but it does nothing (that's not listed as a port, but I was trying it anyway).

Without knowing more about how everything works, I am reluctant to try the procedure on the mod_ssl web site, for fear it might conflict in some way with portupgrade's actions, and cause problems. I haven't been able to find articles on the web that give full instructions for doing what I'm trying to do.

I'm not sure if I'm using the correct port name. I've looked on the list of ports and have not found a clear answer. There are a number of Apache module names such as ap22-mod_python-3.3.1_3, but I don't see any containing mod_ssl as part of the name.

Unfortunately I don't know of a way to test if the desired patch is really installed. Our own scan doesn't detect the problem, and we only get one more free outside scan during this certification process, then it starts costing extra money. (The outside scan uses different scanning software so sometimes flags different problems.)

So I need some guidance. Surely this kind of update is something that ought to happen fairly easily, if I can just find the right button to push. I'm not really used to portupgrade so there may be something I'm missing.
 
The SSL module is built if you have the SSL option selected in the options of www/apache22.

Code:
make -C /usr/ports/www/apache22 showconfig | grep SSL

The actual use of SSL is done by the devel/apr1 port where you can select if you want to use the base system openssl or the security/openssl port. If you want to use the port you have to specify
Code:
WITH_OPENSSL_PORT=yes
in /etc/make.conf. The default is to use openssl from the base system.
 
phantomflash said:
I'm filling in for the person who originally installed this system, because he's out of the office and we have a deadline. (I'm the one who configured Apache after installation, and I maintain the web site.)
If you're updating OpenSSL support for Apache then you need to update 3 ports: security/openssl, devel/apr1 and finally www/apache22. I recently helped out a few people with this, you can check that post here (in case you're interested in the technical details).

phantomflash said:
In fact the latest version listed on the mod_ssl web site (for Apache 2) is 2.8.31, so it would seem that version would work.
Not quite.

If you check the mod_ssl website you'll notice that it provides mod_ssl version 2.8.31 for Apache version 1.3.41, there's quite a difference there. You'll even see this mentioned on their About page: "The mod_ssl project provides strong cryptography for the Apache 1.3 webserver".

But ever since the release of Apache version 2 this module became part of the Apache web server itself and therefore no longer has a version of its own. If some outside scan mentions a specific mod_ssl version then I'm tempted to question the validity of said scan. Either that or something is taken out of context.

For example I wouldn't be surprised if the scan didn't cover the version of mod_ssl but instead focussed on the SSL/TLS protocol version.
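The two replies above describe three things to check or do on the box: whether www/apache22 was built with its SSL option on (`make showconfig`), whether devel/apr1 is pointed at the ports OpenSSL via WITH_OPENSSL_PORT in /etc/make.conf, and the order in which the three ports have to be rebuilt. The POSIX sh script below is an added example, not code from this thread or from the FreeBSD ports tree; the `showconfig` output, make.conf line and Server header it parses are constructed samples, and the `upgrade_ssl_stack` function only prints the `portupgrade -f` commands unless it is explicitly told to run them (that part needs root and a ports tree, so it is not exercised here).

```shell
#!/bin/sh
# Added example: helpers for verifying the Apache/apr1/OpenSSL pieces discussed
# in the thread, plus the rebuild order from the reply above.

# Constructed sample of `make -C /usr/ports/www/apache22 showconfig` output.
SAMPLE_SHOWCONFIG='===> The following configuration options are available for apache22-2.2.24:
     SSL=on: Enable SSL/TLS support (mod_ssl)
     SUEXEC=off: Enable suexec support'

# Constructed sample of the relevant /etc/make.conf line.
SAMPLE_MAKECONF='WITH_OPENSSL_PORT=yes'

# Server header as quoted later in the thread (used here as test input).
SAMPLE_HEADER='Server: Apache/2.2.24 (FreeBSD) mod_ssl/2.2.24 OpenSSL/1.0.1e'

# Returns 0 when the showconfig text ($1) has the SSL option switched on.
# Anchored at line start so OPENSSL=on or similar would not match by accident.
ssl_option_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*SSL=on'
}

# Returns 0 when the make.conf text ($1) tells devel/apr1 to use the
# security/openssl port instead of the base system OpenSSL.
uses_port_openssl() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*WITH_OPENSSL_PORT[[:space:]]*=[[:space:]]*yes'
}

# Prints the OpenSSL version Apache advertises in its Server header ($1).
# Useful for confirming that the rebuilt apr1/apache22 actually picked up the
# OpenSSL you expect.
openssl_version_from_header() {
    printf '%s\n' "$1" | sed -n 's|.*OpenSSL/\([0-9][0-9a-z.]*\).*|\1|p'
}

# Rebuild order from the reply: OpenSSL first, then apr1, then apache22.
# -f forces a rebuild even when the port version itself did not change,
# which is the point for apr1 and apache22 after an OpenSSL update.
# Prints the commands; pass "run" as $1 to execute them.
upgrade_ssl_stack() {
    for port in security/openssl devel/apr1 www/apache22; do
        if [ "${1:-}" = run ]; then
            portupgrade -f "$port"
        else
            printf 'portupgrade -f %s\n' "$port"
        fi
    done
}

# Walk through the checks against the constructed samples.
if ssl_option_enabled "$SAMPLE_SHOWCONFIG"; then
    echo "www/apache22: SSL option is on"
else
    echo "www/apache22: SSL option is OFF - mod_ssl will not be built"
fi

if uses_port_openssl "$SAMPLE_MAKECONF"; then
    echo "devel/apr1: will link against security/openssl (port)"
else
    echo "devel/apr1: will link against base system OpenSSL"
fi

echo "Apache advertises OpenSSL $(openssl_version_from_header "$SAMPLE_HEADER")"

echo "Rebuild order:"
upgrade_ssl_stack "${1:-}"
```

On the real system, replace the constructed samples with `"$(make -C /usr/ports/www/apache22 showconfig)"`, `"$(cat /etc/make.conf)"` and the header from `curl -sI https://yourhost/ | grep '^Server:'`, then run `./script.sh run` as root once the checks look right.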
 
Thanks to everyone that replied. After I posted, I was looking at the mod_ssl site and saw I had misunderstood the version numbers. When it says the latest version is 2.8.31-1.3.41, I thought that meant it was a dual package - 2.8.31 for Apache 2.x, and 1.3.41 for Apache 1.x. Reading more carefully, I see now what it really means. (I used to update it from this site when I was working with Apache 1.x, but that was a long time ago.) However I expected that if its development was handed over to Apache for the 2.x version, the site would say so.

We have decided that in all probability, the scan message is bogus and that we now have the most current version. For one thing, the Apache headers clearly say

Code:
Server: Apache/2.2.24 (FreeBSD) mod_ssl/2.2.24 OpenSSL/1.0.1e

and we know that's the latest version of OpenSSL. We still don't know where the scan is getting that strange mod_ssl version number. It's not the SSL/TLS version -- it also scans for that, and we have gotten a separate message about that in the recent past, which is now fixed.

Thanks especially for the information about devel/apr1. I've been using the -R parameter of portupgrade, which should have taken care of all that, but it's still nice to know. If we find out there is actually a problem, I can try reinstalling devel/apr1 and its dependencies as noted in the other thread you gave.

Again, thanks!
 