Apache Friends Support Forum

[CBman]

We recently went through our yearly security review of a website we are running on Xampp with Joomla and had a question concerning the version of Mod_ssl included with Xampp.

According to PHPinfo, the version of Mod_ssl in use is "2.2.21". Since the Mod_ssl crew never mentions this exact version number, but it does exactly match the Apache version, i assume that the version reported is not entirely accurate.

I need to to confirm what version of Mod_ssl is included, then if necessary upgrade to the version specified below.

Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1

Vulnerability Solution:
Download and apply the upgrade from: http://www.modssl.org/
Upgrade to version 2.8.19 of mod_ssl, which was released on July 16th, 2004.
The source code for this release can be downloaded from mod_ssl's website. To obtain binaries for your platform, please visit your vendor's site. Please note that some operating system vendors choose to apply the most recent mod_ssl security patches to their distributions without changing the package version to the most recent mod_ssl version number.

[JonB]

Please note that page refers to an out of date Apache version -

Current Version: mod_ssl 2.8.31 for Apache 1.3.41

Good Luck

[CBman]

Yes, i'm aware. It hasn't been updated since 2008.

However for our compliance review i need to know what version is being used. The site we are running does require SSL and strict security due to the nature of the content.

Sadly, they will not accept "Sure it's out-dated, but it's more secure than Apache-ssl"

[hackattack142]

To put it plainly, if you have the latest Apache 2.x installed then you should have the latest mod_ssl. The version number shown is the version of mod_ssl included. You should ignore what you see on the modssl.org site (including the version numbers) as it is old and only applies to Apache 1.3.x as said. Mod_ssl for Apache 2 is bundled with the Apache source and it is built when Apache is compiled. As far as I can tell, they are being maintained together and you will probably not find it separate, at least for Windows (I cannot speak for the Linux side). XAMPP 1.7.7 has the latest Apache 2.2 included so you should also have the latest mod_ssl.

[Sharley]

@CBman
If you go to \xampp\apache\modules folder and find mod_ssl.so...
(the Apache module used in the 1.7.7 XAMPP release)

...and right click on it then select Properties.

Next select the Version tab where you will find all the relevant details you are seeking from within the module file.
(A good hex editor will also reveal the file's content).

Best wishes.