Patching OpenSSL on Windows running Apache – fixing the HeartBleed bug

I woke up this morning to learn that there’s a week-old bug in OpenSSL that is all over the news. I feel very guilty for not knowing about this sooner, as I am running OpenSSL on my Windows 2008 that we are using for data collection at my job with the university. But, better late than never, I shut down Apache and started researching how to patch this thing as quickly as possible.

I am a programmer, not a server admin, but I know enough – and I’m controlling enough – that I’d rather manage my own machine. And I’m lucky enough to have that privilege and that responsibility with my job.

But it also means figuring stuff out for myself. And sometimes just guessing to see if something will work. And after an hour of Googling to no avail, I just gave up and went for a best-guess solution. Fortunately, this seemed to work. And since it seems no one else has blogged about it yet, here’s my take.

So, if you don’t know if your server’s vulnerable, STEP 1 is to check this site to test it: http://filippo.io/Heartbleed/

STEP 2: If your server is vulnerable, stop the Apache service. Just do it. The install won’t take that long.

STEP 3: Now you need to update OpenSSL. For those of us lucky enough to be running Windows like me (that’s irony, folks), you’ll need to get the appropriate version of the compiled installer for your version of Apache. I’m running the 32-bit version – I don’t even know if there is a 64-bit version for Windows – so I chose the “Win32 OpenSSL v1.0.1g” version from http://slproweb.com/products/Win32OpenSSL.html

STEP 4: Run the installer. I chose the option to copy the binaries to the “/bin” directory, because I figured I’d need to copy them over to Apache.

STEP 5: Open the C:\OpenSSL-Win32\bin directory. There are two binaries in there that match files Apache has in its bin directory: openssl.exe and ssleay32.dll. Find these and copy them to your Apache\bin directory, replacing the older files there. You might want to make backups of those two files before you overwrite them.

STEP 6: Restart Apache. If Apache restarts, go back to the test web site (STEP 1) and see if you fixed it. Hopefully, you will have.
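
The backup, file swap and restart described above, as an added PowerShell example (not from the original post): it only restarts Apache if the copied openssl.exe no longer reports a vulnerable 1.0.1 release (1.0.1 through 1.0.1f; 1.0.1g carries the fix). The Apache path and service name are assumptions, so adjust them to your install.

```powershell
# Added example, not the post author's script.
$ErrorActionPreference = 'Stop'
$OpenSslBin  = 'C:\OpenSSL-Win32\bin'          # installer target named in the post
$ApacheBin   = 'C:\Apache\bin'                 # ASSUMPTION: your Apache\bin directory
$ServiceName = 'Apache2.2'                     # ASSUMPTION: your Apache service name
$Files       = 'openssl.exe', 'ssleay32.dll'   # the two files the post replaces

function Test-HeartbleedVersion([string]$VersionLine) {
    # Only the 1.0.1 release line is checked here:
    # no letter suffix through "f" is vulnerable, "g" and later are fixed.
    if ($VersionLine -match 'OpenSSL 1\.0\.1([a-z]?)\b') {
        $letter = $Matches[1]
        return ($letter -match '^[a-f]?$')
    }
    return $false
}

if (-not (Test-Path $ApacheBin)) { throw "Apache bin directory not found: $ApacheBin" }
Stop-Service -Name $ServiceName

# Keep timestamped copies of the old binaries so the swap can be rolled back.
$Backup = Join-Path $ApacheBin ('openssl-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $Backup | Out-Null
foreach ($f in $Files) {
    Copy-Item (Join-Path $ApacheBin $f) $Backup
    Copy-Item (Join-Path $OpenSslBin $f) $ApacheBin -Force
}

# Ask the copy that now sits next to Apache which version it is.
$line = (& (Join-Path $ApacheBin 'openssl.exe') version) | Select-Object -First 1
Write-Host "Apache copy reports: $line"

if (Test-HeartbleedVersion $line) {
    Write-Warning 'Still a vulnerable 1.0.1 release; leaving Apache stopped.'
} elseif ($line -match '\(Library:') {
    # openssl prints a "(Library: ...)" suffix when the exe and the
    # library it loaded were built from different versions.
    Write-Warning 'openssl.exe and the loaded library differ; check the DLLs in Apache\bin.'
} else {
    Start-Service -Name $ServiceName
}
```

The version string only describes the binaries in Apache\bin; rerunning the external test against the live server is still the confirmation that the fix took.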

Good luck!
