I recently upgraded Open_SSL and Apache to the latest stable version. I compiled them from source.

Here was my Apache configure command:

./configure --with-included-apr --prefix=/usr/local/apache2 \
--with-pcre=/usr/local \
--enable-so \
--enable-rewrite=shared \
--enable-expires=shared \
--enable-headers=shared \
--enable-setenvif=shared \
--enable-include=shared \
--enable-authz_host=shared \
--enable-log_config=shared \
--enable-ssl=shared \
--enable-unique-id=shared \
--disable-imap \
--disable-autoindex \
--disable-userdir

When I start Apache, I see the following in my error_log.

[...]
[Wed Mar 31 18:41:11 2010] [info] Init: Initializing (virtual) servers for SSL
[Wed Mar 31 18:41:11 2010] [info] mod_ssl/2.2.15 compiled against Server: Apache/2.2.15, Library: OpenSSL/0.9.8l
[...]
[Wed Mar 31 18:41:12 2010] [info] Init: Initializing (virtual) servers for SSL
[Wed Mar 31 18:41:12 2010] [info] mod_ssl/2.2.15 compiled against Server: Apache/2.2.15, Library: OpenSSL/0.9.8l
[Wed Mar 31 18:41:12 2010] [notice] Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8n configured -- resuming normal operations
[Wed Mar 31 18:41:12 2010] [info] Server built: Mar 31 2010 18:38:51

Why does mod_ssl appear to be compiled against OpenSSL version 0.98.l? I have the latest version and you can see that it is picking it up later in the log file. (OpenSSL version 0.9.8n)

I also don't understand why there are multiple entries re: initialization.

Thanks.

You probably have the openssl package installed from your OS (what is your OS btw). My advise is to not bother compiling openssl from source since it tends to conflict with the default version that comes with the OS and removing that will screw with dependancies. If you're worried about security openssl the distro providers update openssl each time a security vulnerability is found but don't always increment the version number (they often just patch the security hole but don't add new features), i.e the ubuntu karmic openssl version is "openssl 0.9.8g-16" notice the -16 that's the 16th revision by ubuntu.

I'm using Gentoo.

I already tried emerging dev-libs/openssl-0.9.8n. That's how I upgraded openssl before recompiling apache.

Note that I am compiling apache and php from tarball although I used portage (the gentoo package mgmt tool) to update openssl.

I also did a find on my system for libssl.so and only found the one copy, which is correct.

Ah gentoo that would explain the compiling.

I'm no gentoo expert (never used it actually) but I'd still imagine you have 0.9.8l headers lurking somewhere.

OK, I found the problem, just not sure yet why it is happening.

strings mod_ssl.so |grep -i openssl
[...]
OpenSSL 0.9.8l 5 Nov 2009

Which is weird because mod_ssl.so is a file that was created today when I recompiled Apache, AFTER the upgrade. OpenSSL reports the correct version as well.

#openssl version
OpenSSL 0.9.8n 24 Mar 2010

OK, this is fixed now. I deleted the old version of mod_ssl, and ran a make clean, configure, make, make install.

I checked the mod_ssl file and the error_log file and they are reporting the new OpenSSL version now.