Upgrading OpenSSL 0.9.7e-p1 to 0.9.8i: What precautions should I take prior to upgrade? What are the procedures to upgrade?

Posted on 2008-11-17
Last Modified: 2013-11-22

    I have recently been assigned the job of upgrading OpenSSL 0.9.7e-p1 to 0.9.8i on our FreeBSD 5.5 server. Apache 2.2.3 is currently running as well as Perl 5.8.8 with mod_perl2 2.000003. It looks as though the keys are self-assigned. OpenSSH version: OpenSSH_3.8.1p1 FreeBSD-20060123

    What precautions are needed prior to upgrading OpenSSL?

    Does Apache 2.2.3 need to be upgraded as well?

    Does mod_perl have to be upgraded as well?

    What commands do I need to perform to upgrade OpenSSL?

    Thank you in advance.
Question by:supercell29
    LVL 61

    Expert Comment

    1) Upgrade sources using csup (which is not present in the outdated 5.x, so you should install cvsup).
    The supfile could look like this:
    *default base=/usr
    *default prefix=/usr
    *default release=cvs delete use-rel-suffix compress
    *default tag=RELENG_5

    ports-all tag=RELEASE_5_EOL

    2) After you are done:
    pkg_add -r portupgrade
    portupgrade -r portupgrade
    portupgrade -Rf openssl

    You can install openssl from ports and it will be of the 0.9.8 series. Basically, a 0.9.7 -> 0.9.8 update requires everything depending on it to be rebuilt.
    Given the EOL status of 5.x, let me suggest updating (via clean reinstall) to 7.x. Once you get to 7.x or 6.x, replace ports-all tag=. to get the latest ports. Otherwise they will contain all the security holes of the last year, as is evident when you install portaudit and run portaudit -Fda

    Some more commands for you, for the experts' entertainment:
    pkg_info -R openssl
    openssl version
    uname -a
    http -V
    perl -V

    Author Comment

    Well, unfortunately the admin prior did not use ports! Not sure why, but he didn't.


    pkg_info -R openssl :  pkg_info: can't find package 'openssl' installed or in a file!

    openssl version : OpenSSL 0.9.7e-p1 25 Oct 2004

    uname -a : FreeBSD (fqdn) 5.5-RELEASE FreeBSD 5.5-RELEASE #0: Tue Dec 19 11:54:59 CST 2006    email @ fqdn :/usr/src/sys/i386/compile/ZXYNG01  i386

    http -V : http: Command not found.

    perl -V : (see attachment)

    There is a lot running on this server presently: 40G MySQL database, RT ticketing, mrtg, PHP MyAdmin and NO ports! Sounds as though this won't be a very easy process! :(

    LVL 61

    Expert Comment

    Actually then it does not matter if you install some sort of Linux with all used packages included or install fresh FreeBSD.

    1) that's normal
    2) system's default openssl, replacing that will break ssh and leave you out for good.
    3) -RELEASE means: never patched sources.
    4) my misspelling - httpd -V
    5) Thanks, normal perl without exotic wonders.

    If you can afford 3-4 hours of downtime and somebody to look over your shoulder (like a Windows admin), reinstall is easy:
    0) choose system: ubuntu server or opensuse or mandriva or freebsd
    1) create some tar backup of unique data.
    2) use g4u to transfer disk image to FTP server
    3) Install recent OS in minimalistic configuration
    4) Install packages you know and restore data from copies (1)
    5) if (4) fails - use loop mount over NFS or SMB and copy files over from old system
    6) If hopeless after planned time - restore (2)

    Or alternatively bring apps one by one to new server with maintainable OS...
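
Added example, not part of the original thread: with no package records for `pkg_info -R` to consult, the dependents that the comments above say must be rebuilt (and the base-system consumers such as sshd) can be read from the binaries themselves with `ldd`. The function names, the sample `ldd` output and the base/local labels (taken from the usual FreeBSD layout) are assumptions of this example.

```shell
#!/bin/sh
# Added example. Lists which files are dynamically linked against
# libssl/libcrypto and which copy of the library each one resolves to.
# Run ldd only over system directories you trust: on some platforms ldd
# works by invoking the dynamic loader on the target file.

# classify FILE: read `ldd FILE` output on stdin and print
#   FILE <TAB> soname <TAB> resolved-path <TAB> origin
# origin (assumed FreeBSD layout):
#   base    = /lib or /usr/lib (shipped with the OS)
#   local   = /usr/local (ports or hand-built)
#   missing = the loader can no longer resolve the library
classify() {
    awk -v f="$1" '
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if ($3 == "not") { path = "-"; origin = "missing" }
            else {
                path = $3
                if (path ~ /^\/usr\/local\//)       origin = "local"
                else if (path ~ /^(\/usr)?\/lib\//) origin = "base"
                else                                origin = "other"
            }
            printf "%s\t%s\t%s\t%s\n", f, $1, path, origin
        }'
}

# scan_dirs DIR...: run classify over every regular file below the given dirs.
scan_dirs() {
    find "$@" -type f 2>/dev/null | while IFS= read -r f; do
        ldd "$f" 2>/dev/null | classify "$f"
    done
}

# Constructed sample of ldd output (not captured from the server in the thread).
sample_ldd() {
    cat <<'EOF'
/usr/sbin/sshd:
	libcrypto.so.3 => /lib/libcrypto.so.3 (0x280c0000)
	libc.so.5 => /lib/libc.so.5 (0x281d0000)
EOF
}

# Usage: sh ssl-deps.sh /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
if [ "$#" -gt 0 ]; then scan_dirs "$@"; fi
```

Include the Apache modules directory and the Perl library tree in the scan so that loadable modules linked against OpenSSL are listed too. Rows marked `base` keep using the system copy after a newer OpenSSL is installed under /usr/local, and rows marked `missing` after an upgrade are the binaries that will fail to start.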

    Author Comment

    So g4u "ghosts" any OS including FreeBSD?

    httpd -V gives the same result:

    httpd -V httpd: Command not found.

    I will have to test g4u on a test server before trying this on a live ticketing system.

    LVL 61

    Expert Comment

    You have to test your FTP server with files >4GB

    I just wanted to know if apache is "worker" or "prefork" type

    Author Comment

    Is there any other way of checking this?

    I will check my FTP for files >4GB.

    Thank you.
    LVL 61

    Accepted Solution

    To check apache you have to look at its startup scripts, at ps auxww, locate httpd, locate error.log and so on.
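
Added example, not part of the original thread: one way to carry out the check described in the accepted solution when `httpd` is not in the PATH, by taking the binary's path from `ps auxww` and reading the MPM from the `APACHE_MPM_DIR` line that Apache 2.x prints with `httpd -V`. The function names and both sample inputs (including the /usr/local/apache2 path) are constructed for this example.

```shell
#!/bin/sh
# Added example. Finds the running httpd binary from the process list and
# reads its MPM from the compile-time settings that `httpd -V` prints.

# httpd_paths: read `ps auxww` output on stdin, print each distinct httpd
# executable (field 11 is the first word of the COMMAND column).
httpd_paths() {
    awk 'NR > 1 && ($11 == "httpd" || $11 ~ /\/httpd$/) { print $11 }' | sort -u
}

# mpm_of: read `httpd -V` output on stdin, print the MPM name taken from
# the -D APACHE_MPM_DIR="server/mpm/<name>" line (prefork, worker, ...).
mpm_of() {
    sed -n 's/.*-D APACHE_MPM_DIR="server\/mpm\/\([^"]*\)".*/\1/p'
}

# Constructed sample of `ps auxww` output (not from the server in the thread).
sample_ps() {
    cat <<'EOF'
USER   PID %CPU %MEM   VSZ  RSS TT STAT STARTED    TIME COMMAND
root   612  0.0  0.4 12345 4321 ?? Ss   10Nov08 0:03.21 /usr/local/apache2/bin/httpd -k start
www    640  0.0  0.5 12400 5100 ?? S    10Nov08 0:41.07 /usr/local/apache2/bin/httpd -k start
admin  901  0.0  0.1  1500  900 p0 S+    9:12AM 0:00.00 grep httpd
EOF
}

# Constructed, abridged sample of `httpd -V` output.
sample_httpd_V() {
    cat <<'EOF'
Server version: Apache/2.2.3
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_MMAP
EOF
}

# report: one "path<TAB>mpm" line per running httpd binary. A bare "httpd"
# in the process list has no path to execute and yields an empty MPM column.
report() {
    ps auxww | httpd_paths | while IFS= read -r bin; do
        printf '%s\t%s\n' "$bin" "$("$bin" -V 2>/dev/null | mpm_of)"
    done
}

if [ "${1:-}" = "report" ]; then report; fi
```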
