# emerge apache without ssl heartbeat [solved]

## stmiller

In light of this vuln, http://seclists.org/oss-sec/2014/q2/27 (CVE-2014-0160), I am curious if it is possible to emerge apache without the mod_ssl heartbeat feature.

Is that possible?

I can see that some TLS servers of various vendors have heartbeating disabled and I am curious if I can do the same with Gentoo. Ex:

```
$ openssl s_client -connect www.qualys.com:443 -tlsextdebug
[skip]
    PSK identity hint: None
    SRP username: None
    Start Time: 1396916504
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
B
HEARTBEATING
140408723089064:error:1413B16D:SSL routines:SSL_F_TLS1_HEARTBEAT:peer does not accept heartbearts:t1_lib.c:2566:
```

Last edited by stmiller on Tue Apr 08, 2014 3:22 pm; edited 1 time in total

----------

## stmiller

Welp, answering my own question. 

Emerging openssl with use flag of -tls-heartbeat does the trick. Thanks,

----------

## lagalopex

Alternative (and offtopic) to fix openssl but keep heartbeat enabled:

Update to dev-libs/openssl-1.0.1g (is already in portage)

----------

## SamuliSuominen

1.0.1g is now stable on both amd64 and x86, so time to `emerge --sync` and upgrade.

----------

