0

Due to the Heartbleed vulnerability, I have recompiled Apache with the latest non-vulnerable OpenSSL (I had to keep the old vulnerable OpenSSL due to some dependency problem). It is running fine, and when I run a Heartbleed test for mydomain.com it says 'seems fixed or unaffected'. But if I do apachectl graceful and run the Heartbleed test, it says mydomain.com is vulnerable. If I do /usr/local/etc/rc.d/apache2 restart or apachectl restart, there is no problem.

1) My question is: why does it take the old OpenSSL library only when doing apachectl graceful?

2) What is the difference between apachectl restart and apachectl graceful when accessing OpenSSL libraries?

Harikrishnan

1 Answer

3

There is no difference between apachectl restart and graceful in terms of loading libraries. apachectl graceful sends the SIGUSR1 signal instead of SIGTERM so that open connections have the opportunity to close instead of being interrupted. See the apachectl man page.

You may have 2 installations of Apache on your system. If Apache was installed through your package manager and you didn't remove it before you recompiled, then that could explain the bizarre test results. You could be starting Apache with /usr/local/etc/rc.d/apache2 restart, which would start your recompiled instance. Then, when you used apachectl, which is really /usr/sbin/apachectl, it started your vulnerable installation and you failed the check.

Creek
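
To check the two-installation explanation in the answer above, the following shell sketch (an added example, not part of the original answer) lists every apachectl on PATH with the httpd binary it launches, and shows which libssl/libcrypto files a running httpd has mapped. It assumes the stock apachectl layout with an HTTPD= line and a server process named httpd; the sample map listing is constructed.

```shell
#!/bin/sh
# Added diagnostic sketch; not code from the original answer.

# Print every apachectl on a PATH-style list, in lookup order.
list_apachectl() {
    old_ifs=$IFS; IFS=:
    for dir in $1; do
        [ -x "$dir/apachectl" ] && echo "$dir/apachectl"
    done
    IFS=$old_ifs
}

# Print the httpd binary an apachectl script launches, taken from its
# HTTPD= line (assumption: stock apachectl layout).
httpd_from_apachectl() {
    sed -n "s/^HTTPD=['\"]\{0,1\}\([^'\" ]*\).*/\1/p" "$1" | head -n 1
}

# Read a memory-map listing on stdin (Linux /proc/PID/maps or FreeBSD
# `procstat -v PID`) and print the distinct OpenSSL libraries mapped.
mapped_ssl_libs() {
    grep -Eo '/[^ ]*lib(ssl|crypto)\.so[^ ]*' | sort -u
}

# Inspect the live system (assumption: the server process is named httpd).
live_audit() {
    for ctl in $(list_apachectl "$PATH"); do
        echo "$ctl starts $(httpd_from_apachectl "$ctl")"
    done
    for pid in $(pgrep -x httpd); do
        echo "pid $pid: $(ps -o args= -p "$pid")"
        if [ -r "/proc/$pid/maps" ]; then cat "/proc/$pid/maps"
        else procstat -v "$pid"; fi | mapped_ssl_libs | sed 's/^/  /'
    done
}

# Constructed sample listing, used when run without --live.
SAMPLE_MAPS='801200000 8012a0000 r-x /usr/local/lib/libssl.so.8
8014c0000 8016a0000 r-x /usr/local/lib/libcrypto.so.8
8016a0000 8016c0000 rw- /usr/local/lib/libcrypto.so.8
800c00000 800c20000 r-x /lib/libc.so.7'

if [ "${1:-}" = "--live" ]; then
    live_audit
else
    printf '%s\n' "$SAMPLE_MAPS" | mapped_ssl_libs
fi
```

Run it with --live once after apachectl graceful and once after the rc.d restart, then compare the binary paths and mapped library paths between the two runs.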