Forum OpenACS Q&A: Re: https is down

19: Re: https is down (response to 1)
Posted by Andrew Piskorski on
Ah, silly me! My eye missed it every other time I read this thread - seems that just about everyone above who was reporting crashing AOLservers also said they were using OpenSSL 0.9.6x.

Bruno didn't say exactly what version he was using, but the Red Hat link he gave seems to show that the latest updated packages for all consumer Red Hat distributions prior to Red Hat 9.0 are using an OpenSSL older than 0.9.7x. That is suspicious, as it's possible that RH backported the RSA blinding security patch but not the thread-safety fix.

So the fix should be simple, just upgrade to 0.9.7b. Note that Scott Goodwin says that nsopenssl 2.1a requires OpenSSL 0.9.7x or later anyway.