Upgrading OpenSSL 0.9.7e-p1 to 0.9.8i: What precautions should I take prior to upgrade? What are the procedures to upgrade?

Posted on 2008-11-17
Medium Priority
Last Modified: 2013-11-22

    I have recently been assigned the job of upgrading OpenSSL 0.9.7e-p1 to 0.9.8i on our FreeBSD 5.5 server. Apache 2.2.3 is currently running as well as Perl 5.8.8 with mod_perl2 2.000003. It looks as though the keys are self-assigned. OpenSSH version: OpenSSH_3.8.1p1 FreeBSD-20060123

    What precautions are needed prior to upgrading OpenSSL?

    Does Apache 2.2.3 need to be upgraded as well?

    Does mod_perl have to be upgraded as well?

    What commands do I need to perform to upgrade OpenSSL?

    Thank you in advance.
Question by:supercell29
LVL 62

Expert Comment

ID: 22984967
1) Upgrade sources using csup (which is not present in outdated 5.x, and you should install cvsup).
The supfile could look like this:
*default host=cvsup.freebsd.org
*default base=/usr
*default prefix=/usr
*default release=cvs delete use-rel-suffix compress
*default tag=RELENG_5

ports-all tag=RELEASE_5_EOL

2) after you are done:
pkg_add -r portupgrade
portupgrade -r portupgrade
portupgrade -Rf openssl  

You can install openssl from ports and it will be of the 0.9.8 series. Basically, a 0.9.7->0.9.8 update requires everything depending on it to be rebuilt.
Given the EOL status of 5.x, let me suggest updating (via clean reinstall) to 7.x. Once you get to 7.x or 6.x, replace the ports-all line with ports-all tag=. to get the latest ports. Otherwise they will contain all the security holes of the last year, as is evident when you install portaudit and run portaudit -Fda

Some more commands for you, for the experts' entertainment:
pkg_info -R openssl
openssl version
uname -a
http -V
perl -V

Author Comment

ID: 22985148
Well, unfortunately the admin prior did not use ports! Not sure why, but he didn't.


pkg_info -R openssl :  pkg_info: can't find package 'openssl' installed or in a file!

openssl version : OpenSSL 0.9.7e-p1 25 Oct 2004

uname -a : FreeBSD (fqdn) 5.5-RELEASE FreeBSD 5.5-RELEASE #0: Tue Dec 19 11:54:59 CST 2006    email @ fqdn :/usr/src/sys/i386/compile/ZXYNG01  i386

http -V : http: Command not found.

perl -V : (see attachment)

There is a lot running on this server presently: 40G MySQL database, RT ticketing, mrtg, PHP MyAdmin and NO ports! Sounds as though this won't be a very easy process! :(

LVL 62

Expert Comment

ID: 22986113
Actually then it does not matter if you install some sort of Linux with all used packages included or install fresh FreeBSD.

1) that's normal
2) system's default openssl, replacing that will break ssh and leave you out for good.
3) -RELEASE means: never patched sources.
4) my misspelling - httpd -V
5) Thanks, normal perl without exotic wonders.

If you can afford 3-4 hours of downtime and somebody to look over your shoulder (like Windows admin) reinstall is easy:
0) choose system: ubuntu server or opensuse or mandriva or freebsd
1) create some tar backup of unique data.
2) use g4u to transfer disk image to FTP server
3) Install recent OS in minimalistic configuration
4) Install packages you know and restore data from copies (1)
5) if (4) fails - use loop mount over NFS or SMB and copy files over from old system
6) If hopeless after planned time - restore (2)

Or alternatively bring apps one by one to new server with maintainable OS...
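
The two points made in the comments above (everything built against 0.9.7 has to be rebuilt, and the base-system copy is the one ssh uses) both come down to knowing which binaries load which libssl/libcrypto. The following is an added example, not part of the original thread: it parses `ldd` output and labels each OpenSSL dependency by where it resolves. The sample paths, sonames and addresses are constructed, and statically linked binaries do not show up in `ldd` at all.

```shell
#!/bin/sh
# Added example: list binaries that load libssl/libcrypto, and from where.

# openssl_links: read `ldd` output on stdin (a "/path/to/binary:" header line
# followed by its dependency lines) and print, per OpenSSL dependency:
#   origin binary soname resolved-path
# origin is "base" when the library resolves under /lib or /usr/lib,
# "other" for any other prefix (ports, a hand-built copy, ...).
openssl_links() {
    awk '
        /^\/.*:$/ { bin = substr($0, 1, length($0) - 1); next }
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            origin = ($3 ~ /^\/(lib|usr\/lib)\//) ? "base" : "other"
            print origin, bin, $1, $3
        }'
}

# scan_dirs DIR...: run ldd on every executable file in the given directories.
# The header is printed here so the output has the same shape on any platform.
scan_dirs() {
    for d in "$@"; do
        for f in "$d"/*; do
            if [ -f "$f" ] && [ -x "$f" ]; then
                printf '%s:\n' "$f"
                ldd "$f" 2>/dev/null | grep '=>' || true
            fi
        done
    done | openssl_links | sort
}

# Constructed sample of ldd output (paths, sonames and addresses are made up).
sample_ldd() {
    cat <<'EOF'
/usr/sbin/sshd:
    libcrypto.so.3 => /lib/libcrypto.so.3 (0x28100000)
    libc.so.5 => /lib/libc.so.5 (0x28200000)
/usr/local/apache2/bin/httpd:
    libssl.so.0.9.7 => /usr/local/ssl/lib/libssl.so.0.9.7 (0x28300000)
    libcrypto.so.0.9.7 => /usr/local/ssl/lib/libcrypto.so.0.9.7 (0x28400000)
    libc.so.5 => /lib/libc.so.5 (0x28200000)
/bin/ls:
    libc.so.5 => /lib/libc.so.5 (0x28200000)
EOF
}

sample_ldd | openssl_links
# On the real host: scan_dirs /usr/sbin /usr/local/sbin <directory holding httpd>
```

Rows marked "base" depend on the system copy and break together with it; rows marked "other" depend on a separately installed copy and need a rebuild only when that copy changes.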



Author Comment

ID: 22989648
So g4u "ghosts" any OS including FreeBSD?

httpd -V gives the same result:

httpd -V httpd: Command not found.

I will have to test g4u on a test server before trying this on a live ticketing system.

LVL 62

Expert Comment

ID: 22992850
You have to test your FTP server with files >4GB

I just wanted to know if apache is "worker" or "prefork" type

Author Comment

ID: 22994656
Is there any other way of checking this?

I will check my FTP for files >4GB.

Thank you.
LVL 62

Accepted Solution

gheist earned 2000 total points
ID: 22995359
To check apache you have to look at its startup scripts, at ps auxww, locate httpd, locate error.log and so on.
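
One way to carry out the check described in the accepted answer when `httpd` is not on the PATH, as an added example that is not part of the original thread: take the binary's full path from the process list, then read the MPM from its compiled-in module list (`httpd -l`). The `ps` and `httpd -l` samples are constructed, and the install path in them is an assumption.

```shell
#!/bin/sh
# Added example: find the running httpd binary, then read its MPM.

# httpd_paths: read `ps auxww` output on stdin and print each distinct
# absolute path whose command (column 11) is an httpd binary.
httpd_paths() {
    awk '$11 ~ /^\/.*\/httpd$/ { print $11 }' | sort -u
}

# mpm_from_modules: read `httpd -l` output (compiled-in modules) on stdin
# and print prefork, worker or unknown.
mpm_from_modules() {
    awk '$1 == "prefork.c" { m = "prefork" }
         $1 == "worker.c"  { m = "worker" }
         END { print (m ? m : "unknown") }'
}

# report_mpm: for every running httpd found, ask that binary by full path.
report_mpm() {
    ps auxww | httpd_paths | while read -r bin; do
        printf '%s: %s\n' "$bin" "$("$bin" -l 2>/dev/null | mpm_from_modules)"
    done
}

# Constructed samples (the install path and process details are made up).
sample_ps() {
    cat <<'EOF'
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 612 0.0 0.5 9000 5000 ?? Ss 9:01AM 0:01.20 /usr/local/apache2/bin/httpd -k start
www 640 0.0 0.5 9100 5100 ?? S 9:01AM 0:00.10 /usr/local/apache2/bin/httpd -k start
mysql 700 0.1 9.0 90000 80000 ?? S 9:02AM 3:10.00 /usr/local/mysql/bin/mysqld
EOF
}
sample_httpd_l() {
    cat <<'EOF'
Compiled in modules:
  core.c
  prefork.c
  http_core.c
  mod_so.c
EOF
}

sample_ps | httpd_paths
sample_httpd_l | mpm_from_modules
# On the real host: report_mpm
```

If the process list shows only a relative command name, the full path has to come from the startup scripts or `locate httpd`, as the answer says.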


Question has a verified solution.
