Help Upgrade XAMPP 5.6.8 OPENSSL

Problems with the Windows version of XAMPP, questions, comments, and anything related.

Help Upgrade XAMPP 5.6.8 OPENSSL

Postby pylonx » 20. May 2015 22:13

Hello Friends.

I work for a small outdoor retailer where I'm lucky enough to build internal web apps that benefit different departments.

We recently updated my Web Servers that are set up on the intranet, not for public use. I updated to XAMPP 5.6.8.

We have a company that scans our systems to make sure we are compliant, PCI and otherwise. This company keeps telling us my internal web server has vulnerabilities, specifically with openssl and needing a "server certificate signed with a public key length of at least 2048 bits".

XAMPP 5.6.8 is using openssl 1.0.1l

But openssl 1.0.1l has vulnerabilities. ... ssl:1.0.1l

I would like to try to update openssl on my server to either 1.0.1m or 1.0.2a but I have no idea where to start. I've googled with little luck.

Could someone help point me in the right direction? I'd Appreciate it!
Posts: 21
Joined: 19. October 2010 19:02
Operating System: Win7, WinSrv2012, XAMPP5.6.8

Re: Help Upgrade XAMPP 5.6.8 OPENSSL

Postby glitzi85 » 20. May 2015 23:04

You would have to recompile Apache from source to do that.

There is an build available at Apachelounge using 1.0.1m:
Code: Select all
- Stop Apache
- Rename the apache folder in xampp to apache.old
- Download zip:
- Copy the Apache24 directory from the zip to xampp and rename it to apache
- delete apache\config and copy apache.old\config to apache\
- copy libssh2.dll from apache.old\bin\ to apache\bin\
- Restart Apache
- Optionally copy the batch-files from old to new (they are not needed for the operation of Apache)

Of course you still have to generate new Certificates to pass your compliance check.
User avatar
Posts: 1920
Joined: 05. March 2004 23:26
Location: Dahoim

Re: Help Upgrade XAMPP 5.6.8 OPENSSL

Postby gsmith » 20. May 2015 23:28

Forget 1.0.2 for now, I'm not going to get into the "why".

But for OpenSSL 1.0.1m you can use from ... x#OSSLUP24

Follow the instructions carefully in the readme.1st.txt file, especially about backing up the files you will be replacing first!

You do not have to worry about the apr_crypto_openssl.dll file since it was not included in your Xampp.

This particular CVE you have pointed out is simply a DOS, rated Moderate, it'll crash Apache. There seems to be no remote code execution exploitable vector. There are probably bigger fish to fry in your ssl config (< 2048 bit key, disabling SSLv3, not using old CBC ciphers, etc.). 1.0.1m removed all Export ciphers, SSLv2 was disabled long ago in Apache 2.4 so that's a plus.

I can't believe they are nagging you on an internal only, non-internet facing development computer. Sounds like security theater.
Posts: 193
Joined: 29. November 2013 18:04
Location: San Diego
XAMPP version: 0.0.0
Operating System: Win XP to 2012R2/VS 6,9,11,14

Re: Help Upgrade XAMPP 5.6.8 OPENSSL

Postby pylonx » 21. May 2015 22:51

Thank You, Both!

I have multiple servers so I will try both ways to update
Posts: 21
Joined: 19. October 2010 19:02
Operating System: Win7, WinSrv2012, XAMPP5.6.8

Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 57 guests