Degrading OpenSSL version on xampp to recreate Heartbleed - apache

I'm trying to recreate the Heartbleed attack on a localhost Apache server. I'm running xampp 1.8.3-2 on my Ubuntu, and I want to degrade my OpenSSL version from 1.0.1e to 1.0.1b. I found some info on the net on how to do this on Windows, but nothing about Linux - only how to update, obviously. What are the files I need to replace, and where can I find the files for 1.0.1b?
Thanks in advance!

Related

Tomcat - SSL certificate configure

I want to setup SSL certificate on tomcat, specification of my server:
OS: ubuntu 18.04 LTS
tomcat: 9.0.31
java: 1.8.0_242
I have these files:
xyz.key
xyz.ca-bundle
xyz.crt
I want to run tomcat on port 443, although I know I can change the port by using the server.xml file.
By using the above files I can easily set up SSL in Apache, but my question is which file format I should have in order to set up SSL on a Tomcat server, and if I need some other format, how should I convert these files?
Question is pretty unclear, but I assume what you're trying to do is run Tomcat standalone, not with Apache Httpd as a proxy. In that case, the easiest and best thing to do is to upgrade to a modern version of Java. Java 9 and later support PKCS12, which is easier than using JKS, so you should upgrade, either to 11 (the current LTS release) or 14 (current release).
Once that is done, you can use this tool to generate a CSR and save a key and help set up your configuration. It might be easier than doing this by editing files.

Mamp Pro cannot use SSL anymore

I am using Mamp Pro 5 and last week I could set up and use SSL by generating a self-signed certificate.
But today when I am trying to start the server again, it doesn't work anymore. I checked the log files and it said: [Sat Oct 12 13:36:58 2019] [error] (1)Operation not permitted: Init: Can't open server certificate file (path to file)/uf.o.crt
Please let me know how to fix this.
Thanks
This is a screenshot of error log.
Move the SSL certificates into the default MAMP certificates folder:
/Applications/MAMP/Library/OpenSSL/certs/
I have experienced the same problem after upgrading MacOS 10.15 Catalina to build 19A602 (security updates from yesterday). I used to store self created SSL Certs in my user folder and apache could not be started any more.
After moving all .crt and .key files into the folder where MAMP itself stores its automatically generated certificates (which is /Applications/MAMP/Library/OpenSSL/certs) the problem was gone.
Of course you will have to check every single host and re-link the certificate files (marked with a red exclamation mark) to make it work - but there is no need to completely uninstall MAMP.
Usually this problem appears after upgrading MacOS.
Disable Apache
Disable SSL in MAMP
Start Apache
Disable Apache
Enable SSL in MAMP and generate new SSL certificate
Start Apache
It works for me :)
I just solved it by myself, and I also got this solution from the developers after I had solved it.
What I did was a full uninstall of Mamp and then install it again.
That fixed it all.
I had a similar issue and solved it by moving all my projects under my home folder. The SSL certificates were regenerated (I use MAMP Pro and prefer to keep SSL certs under my projects for development purposes).
With MAMP PRO 6, certificates are managed by MAMP. I had a problem with a certificate that was expired. I simply deleted the host and recreated the host afterwards. MAMP has generated new certificates and everything is ok.

upgrade openssl for old version xampp

I am trying to enable TLS 1.1 on my xampp apache server, but it seems like the version of OpenSSL is too old for that. (Error: SSLProtocol: Illegal protocol 'TLSv1.1')
Can anyone help me with how I can upgrade OpenSSL, or is there an easier approach? I need to keep the PHP version at 5.3.1.
My configuration is Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1.
Thank you so much!
Download the 1.0.2k zip file from this site.
https://indy.fulgan.com/SSL/
Extract the files.
Stop the Apache service.
Make a backup of these 3 files in C:\xampp\apache\bin
ssleay32.dll
libeay32.dll
openssl.exe
Copy the same 3 files from the extract files location to C:\xampp\apache\bin
Start the Apache service.

Apache2 and HeartBleed SSL issue

I am using an apache2 server running on Ubuntu Server 12.04 LTS.
In my apache2 conf file there is a host that looks like this.
<IfModule mod_ssl.c>
<VirtualHost *:443>
# Every configuration directive for the virtual host, working fine.
</VirtualHost>
</IfModule>
I avoid using the "minor" sign since SO does not display the line containing it.
I cannot read "OpenSSL" anywhere. So my intuition says that I am not using it at all, and I should not worry about the Heartbleed OpenSSL bug.
Am I right?
Thanks in advance.
From the command prompt do:
openssl version
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
Your config is using mod_ssl. Mod SSL is OpenSSL built for Apache.
If your server is public facing you can try something like this tool. http://filippo.io/Heartbleed/
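The version ranges from the answer above, turned into a small check script (an added example, not code from the answer or from OpenSSL; `local_openssl_banner` and `is_heartbleed_vulnerable` are names chosen here):

```python
import re
import subprocess

# Ranges as stated in the answer above:
#   OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
#   OpenSSL 1.0.1g, the 1.0.0 branch and the 0.9.8 branch are not
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Parse the first line of `openssl version` into (major, minor, patch, letter).

    Suffixes such as "-fips" or the build date are ignored; the letter is "" for
    a bare release like "OpenSSL 1.0.1 14 Mar 2012".
    """
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def is_heartbleed_vulnerable(banner):
    """True if the banner falls in 1.0.1 .. 1.0.1f according to the table above."""
    major, minor, patch, letter = parse_openssl_version(banner)
    if (major, minor, patch) != (1, 0, 1):
        return False  # 0.9.8, 1.0.0 and 1.0.2+ are outside the affected branch
    # "" (plain 1.0.1) sorts before "a", so 1.0.1 .. 1.0.1f compare <= "f"
    return letter <= "f"


def local_openssl_banner():
    """Return the first line printed by the `openssl` binary on PATH."""
    out = subprocess.run(["openssl", "version"], capture_output=True,
                         text=True, check=True).stdout
    return out.splitlines()[0]


if __name__ == "__main__":
    banner = local_openssl_banner()
    state = "IN the vulnerable range" if is_heartbleed_vulnerable(banner) else "outside it"
    print("%s -> %s" % (banner, state))
```

Treat the result as a first screen only: the `openssl` binary on PATH is not necessarily the libssl that mod_ssl loaded (XAMPP ships its own copy), and distribution packages often backport the fix without changing the version letter, so on Ubuntu the package changelog is the authoritative source.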

Cannot curl secure server with openssl 0.1.0

I am running a secure site on apache and openssl 1.0.1.
This works fine in the browser, but when I curl the site, I am getting the following error
curl: (35) error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)
From what I can find, this is some incompatibility between openssl 0.9.8 on the client, and 1.0.1 on the server.
Is there maybe some server-side configuration in mod_ssl to prevent this error, or would I be best to downgrade to 0.9.8, and if the latter, any advice for doing so on Ubuntu? For example, if I apt-get remove and apt-get install, do I need to reinstall / restart apache for the changes to take effect?
Thanks,
This is an old question, but since it is still unanswered:
This is a bug in OpenSSL 0.9.8, but can be fixed (or overridden) in Apache. See https://stackoverflow.com/a/8058839 for a fix. Note that the ServerName directive should be identical to the name used by the client (e.g., "localhost" will not work).