I wasn't sure which forum topic to put this in, but here it is:

I installed PHP on a Windows/IIS server using the Windows binaries. Apparently OpenSSL 0.9.8r comes with the latest PHP binary (5.3.8). So I tried upgrading OpenSSL on this server from 0.9.8r to 1.0.0e. I replaced libeay32.dll and ssleay32.dll in the PHP folder with the 1.0.0e versions of these dlls.

Now when I look at phpinfo(), it shows OpenSSL support = enabled and OPENSSL_CONF = D:\PHP\extras\OpenSSL-Win32\bin\openssl.cfg, which is the config file for 1.0.0e.

However, it also shows this:

OpenSSL Library Version = OpenSSL 1.0.0e 6 Sep 2011
OpenSSL Header Version = OpenSSL 0.9.8r 8 Feb 2011

Does anyone know why the library version would be different from the header version? How can I change the header version to 0.9.8r?

Any help would be greatly appreciated!

    GentlemanJack;10991367 wrote:

    Does anyone know why the library version would be different from the header version?

    Yes, because you never recompiled PHP from source, letting it grab the new 1.0.0e header files on your system rather than the 0.9.8r files used to compile the binary you're still using.

    GentlemanJack;10991367 wrote:

    How can I change the header version to 0.9.8r?

    I'm guessing you meant "to 1.0.0e" ? Either way, the answer is: recompile PHP from source.

    Any reason why you feel the need to upgrade the bundled library?

    EDIT: Also, note that the first (and last) time I ever tried to compile PHP on a Windows box was such a huge PITA that I immediately abandoned the effort and just stuck to *nix platforms (I would never trust/want one of my dedicated boxes to run Windows anyway :p).

    In other words, if you decide it's worth the trouble to go down this route... I wish you the best of luck!
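
The header/library split described in the reply above can be checked from PHP itself. This is an added example, not code from the thread or from PHP; the function names `openssl_versions_from_phpinfo` and `openssl_version_report` are hypothetical, and the sample text is constructed from the two phpinfo() rows quoted in the question.

```php
<?php
// Added example: compare the OpenSSL version PHP was compiled against (headers)
// with the version of the library (DLL / shared object) loaded at run time.
// Written without PHP 5.4+ syntax so it also runs on the 5.3 build in the thread.

// Hypothetical helper: pull both version tokens out of phpinfo() output.
// Accepts the CLI text form ("Name => value"), the "Name = value" form quoted
// in the thread, and the HTML table form (tags are stripped first).
function openssl_versions_from_phpinfo($text)
{
    $found = array('library' => null, 'header' => null);
    $plain = strip_tags($text);
    $re = '/^\s*OpenSSL (Library|Header) Version\s*(?:=>?)?\s*OpenSSL\s+(\S+)/mi';
    if (preg_match_all($re, $plain, $m, PREG_SET_ORDER)) {
        foreach ($m as $row) {
            $found[strtolower($row[1])] = $row[2];
        }
    }
    return $found;
}

// Hypothetical helper: turn the two tokens into a one-line verdict.
function openssl_version_report($v)
{
    if ($v['library'] === null || $v['header'] === null) {
        return 'UNKNOWN: OpenSSL version rows not found in phpinfo output';
    }
    if ($v['library'] === $v['header']) {
        return "OK: built against and running OpenSSL {$v['library']}";
    }
    return "MISMATCH: compiled against {$v['header']} headers, "
         . "but the loaded library is {$v['library']}";
}

// Constructed sample: the two rows quoted in the question.
$sample = "OpenSSL Library Version = OpenSSL 1.0.0e 6 Sep 2011\n"
        . "OpenSSL Header Version = OpenSSL 0.9.8r 8 Feb 2011\n";
echo openssl_version_report(openssl_versions_from_phpinfo($sample)), "\n";

// Live check of the PHP build running this script.
if (extension_loaded('openssl')) {
    ob_start();
    phpinfo(INFO_MODULES);
    $live = ob_get_clean();
    echo openssl_version_report(openssl_versions_from_phpinfo($live)), "\n";
}
```
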

      Brad, thanks for responding.

      Yes, I did mean to say that I wanted to change the OpenSSL header version to 1.0.0e. Compiling PHP from the source on Windows sounds intimidating...

      So I guess my next question is, isn't it usually a good idea to upgrade to the latest release of any given software?

      But if OpenSSL 0.9.8r is just as good, I will stick with that.

        GentlemanJack;10991376 wrote:

        So I guess my next question is, isn't it usually a good idea to upgrade to the latest release of any given software?

        Not necessarily, no. In fact, in a production environment, I would say almost always no (at least, conditionally no). In development, sure, why not. Otherwise, let others live on the bleeding-edge and live through the experience of finding the new bugs introduced. 😉

        Plus, there's always the adage I sometimes have ignored (and subsequently regretted doing so): "If it ain't broke, don't fix it!"

          Okay, thanks. In that case I'll just use 0.9.8r. This may save me a lot of time and hassle!

            bradgrafelman wrote:

            Not necessarily, no. In fact, in a production environment, I would say almost always no (at least, conditionally no). In development, sure, why not. Otherwise, let others live on the bleeding-edge and live through the experience of finding the new bugs introduced. 😉

            It depends. For a production environment, it is almost always yes when the new version fixes a serious security vulnerability (though sometimes you can directly apply a patch). But if the new version is primarily about new features, then probably no, not until more testing has been done.
