How to set up Apache HTTP server with the vulnerable OpenSSL

1

I want to do some tests, so I want to set up an Apache HTTP server with the vulnerable OpenSSL (specifically with the Heartbleed bug), and I'd better do it from source.

How do I do that?

ytliu

Posted 2014-04-10T01:06:20.030

Reputation: 111

Just use the vulnerable version, making sure to include the heartbeat extension. – Synetech – 2014-04-10T17:16:12.997

Answers

2

The quickest way is to use LAMP or WAMP. The inbuilt OpenSSL used there is vulnerable. You don't have to build from source, just to check this out.

asudhak

Posted 2014-04-10T01:06:20.030

Reputation: 181

1

There's an Amazon AMI image available online. Aside from that, just install the version of OpenSSL that Heartbleed is present in. I believe anything below "g" will suffice.

ScottMcGready

Posted 2014-04-10T01:06:20.030

Reputation: 166

OpenSSL 1.0.1 through 1.0.1f (plus 1.0.2-beta) are the vulnerable versions. Various flavors of OpenSSL 0.9.8 are still in circulation, and installing a "pre-g" edition of that won't give you a vulnerable server. – Mark – 2014-04-10T05:39:33.260

1

If you just need to set up a vulnerable webserver for testing, then you do not need to bother with Apache. The openssl command already includes all batteries. It is available on (almost) all Linux distributions; Windows packages are probably included with any WAMP package.

The following three commands create a private key, append a self-signed certificate for localhost to it and finally start an HTTPS service that outputs some parameters when visited.

openssl genrsa -out server.pem 1024
openssl req -new -x509 -key server.pem -subj /CN=localhost >> server.pem
openssl s_server -www

In your browser (or test program), you can now use the URL https://localhost:4433/.

Lekensteyn

Posted 2014-04-10T01:06:20.030

Reputation: 5 236
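
A check to run before relying on a given `openssl` binary for the test server above, as an added example that is not part of any answer on this page: it classifies `openssl version -a` output against the range given in the comment above (1.0.1 through 1.0.1f, plus 1.0.2-beta) and looks for a build without heartbeats. The function name `heartbleed_status`, the sample outputs, and the reliance on `-DOPENSSL_NO_HEARTBEATS` appearing in the `compiler:` line are assumptions of this example.

```shell
#!/bin/sh
# Classify `openssl version -a` output against the Heartbleed range quoted on
# this page: OpenSSL 1.0.1 through 1.0.1f, plus 1.0.2-beta.
# heartbleed_status is a hypothetical helper name, not part of OpenSSL.
heartbleed_status() {
    # $1 = full text of `openssl version -a` (the first line alone also works)
    ver=$(printf '%s\n' "$1" | sed -n '1s/^OpenSSL \([^ ]*\).*$/\1/p')
    ver=${ver%-fips}    # some distro builds report e.g. "1.0.1e-fips"
    case "$ver" in
        '') echo unknown; return 0 ;;          # not an OpenSSL version line
        1.0.1|1.0.1[a-f]) ;;                   # 1.0.1 through 1.0.1f
        1.0.2-beta|1.0.2-beta1) ;;             # the page's "1.0.2-beta"
        *) echo not-affected; return 0 ;;      # 0.9.8x, 1.0.0x, 1.0.1g and later
    esac
    # In range: the heartbeat extension must also be compiled in.
    # Assumption: a build made with -DOPENSSL_NO_HEARTBEATS shows the flag
    # in the "compiler:" line of `openssl version -a`.
    case "$1" in
        *-DOPENSSL_NO_HEARTBEATS*) echo heartbeat-disabled ;;
        *) echo affected-range ;;
    esac
}

# Constructed sample outputs (not captured from a real host).
sample_vuln='OpenSSL 1.0.1f 6 Jan 2014
compiler: gcc -DOPENSSL_THREADS -O3 -Wall'
sample_nohb='OpenSSL 1.0.1e-fips 11 Feb 2013
compiler: gcc -DOPENSSL_THREADS -DOPENSSL_NO_HEARTBEATS -O3'

for s in "$sample_vuln" "$sample_nohb" \
         'OpenSSL 0.9.8e 23 Feb 2007' 'OpenSSL 1.0.1g 7 Apr 2014'; do
    first_line=$(printf '%s\n' "$s" | sed -n '1p')
    printf '%-32s %s\n' "$first_line" "$(heartbleed_status "$s")"
done

# Against the local binary:
#   heartbleed_status "$(openssl version -a 2>/dev/null)"
```

Distribution packages often backport the fix without changing the version letter, so `affected-range` from a version string alone should be confirmed against the package changelog or the `built on:` date.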