{"id":57,"date":"2014-04-09T08:55:27","date_gmt":"2014-04-09T14:55:27","guid":{"rendered":"https:\/\/swingleton.com\/blog\/?p=57"},"modified":"2014-04-09T08:55:27","modified_gmt":"2014-04-09T14:55:27","slug":"patching-openssl-on-windows-running-apache-fixing-the-heartbleed-bug","status":"publish","type":"post","link":"https:\/\/swingleton.com\/blog\/2014\/04\/patching-openssl-on-windows-running-apache-fixing-the-heartbleed-bug\/","title":{"rendered":"Patching OpenSSL on Windows running Apache &#8211; fixing the HeartBleed bug"},"content":{"rendered":"<p>I woke up this morning to learn that there&#8217;s a week-old bug in OpenSSL that is all over the news. I feel very guilty for not knowing about this sooner, as I am running OpenSSL on my Windows 2008 that we are using for data collection at my job with the university. But, better late than never, I shut down Apache and started researching how to patch this thing as quickly as possible.<\/p>\n<p>I am a programmer, not a server admin, but I know enough &#8211; and I&#8217;m controlling enough &#8211; that I&#8217;d rather manage my own machine. And I&#8217;m lucky enough to have that privilege and that responsibility with my job.<\/p>\n<p>But it also means figuring stuff out for myself. And sometimes just guessing to see if something will work. And after an hour of Googling to no avail, I just gave up and went for a best-guess solution. Fortunately, this seemed to work. And since it seems no one else has blogged about it yet, here&#8217;s my take.<\/p>\n<p>So, if you don&#8217;t know if your server&#8217;s vulnerable, <strong>STEP 1<\/strong> is to check this site to test it:\u00a0<a title=\"Test your server for HeartBleed CVE-2014-0160\" href=\"http:\/\/filippo.io\/Heartbleed\/\">http:\/\/filippo.io\/Heartbleed\/<\/a><\/p>\n<p><strong>STEP 2<\/strong>: If your server is vulnerable, stop the Apache service. Just do it. 
The install won&#8217;t take that long.<\/p>\n<p><strong>STEP 3<\/strong>: Now you need to update OpenSSL. For those of us lucky enough to be running Windows like me (that&#8217;s irony, folks), you&#8217;ll need to get the appropriate version of the compiled installer for your version of Apache. I&#8217;m running the 32-bit version &#8211; I don&#8217;t even know if there is a 64-bit version for Windows &#8211; so I chose the &#8220;Win32 OpenSSL v1.0.1g&#8221; version from\u00a0<a title=\"OpenSSL installers for Windows\" href=\"http:\/\/slproweb.com\/products\/Win32OpenSSL.html\">http:\/\/slproweb.com\/products\/Win32OpenSSL.html<\/a><\/p>\n<p><strong>STEP 4<\/strong>: Run the installer. I chose the option to copy the binaries to the &#8220;\/bin&#8221; directory, because I figured I&#8217;d need to copy them over to Apache.<\/p>\n<p><strong>STEP 5<\/strong>: Open the\u00a0<strong>C:\\OpenSSL-Win32\\bin<\/strong> directory. There are two binaries in there that match files Apache has in its bin directory:\u00a0<strong>openssl.exe<\/strong> and\u00a0<strong>ssleay32.dll<\/strong>. Find these and copy them to your <strong>Apache\\bin<\/strong> directory, replacing the older files there. You might want to make backups of those 2 files before you overwrite them.<\/p>\n<p><strong>STEP 6<\/strong>: Restart Apache. If Apache restarts, go back to the test web site (STEP 1) and see if you&#8217;re fixed. Hopefully, you will be.<\/p>\n<p>Good luck!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I woke up this morning to learn that there&#8217;s a week-old bug in OpenSSL that is all over the news. I feel very guilty for not knowing about this sooner, as I am running OpenSSL on my Windows 2008 that we are using for data collection at my job with the university. 
But, better late [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-57","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/swingleton.com\/blog\/wp-json\/wp\/v2\/posts\/57","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/swingleton.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/swingleton.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/swingleton.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/swingleton.com\/blog\/wp-json\/wp\/v2\/comments?post=57"}],"version-history":[{"count":1,"href":"https:\/\/swingleton.com\/blog\/wp-json\/wp\/v2\/posts\/57\/revisions"}],"predecessor-version":[{"id":58,"href":"https:\/\/swingleton.com\/blog\/wp-json\/wp\/v2\/posts\/57\/revisions\/58"}],"wp:attachment":[{"href":"https:\/\/swingleton.com\/blog\/wp-json\/wp\/v2\/media?parent=57"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/swingleton.com\/blog\/wp-json\/wp\/v2\/categories?post=57"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/swingleton.com\/blog\/wp-json\/wp\/v2\/tags?post=57"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}