Can I upgrade the OpenSSL version used by Apache without recompiling the server, but just mod_ssl?

Solution 1:

The mod_ssl.so library is dynamically linked to OpenSSL:

$ ldd mod_ssl.so | egrep 'lib(ssl|crypto)'
    libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f23f7209000)
    libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f23f6e26000)

As long as your upgrade of OpenSSL does not change the path to the library, all you need to do is upgrade OpenSSL, and then restart Apache so that the new OpenSSL library is loaded. The last time that OpenSSL changed the library paths was in 1.0.0, I believe, so if you are updating from 1.0.0 or later, it should be fine. If you are upgrading from an older version (e.g. 0.9.8), you will need to rebuild mod_ssl after rebuilding OpenSSL.
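
A way to confirm that the restart actually picked up the new library: a process started before the upgrade keeps the replaced file mapped, and /proc/<pid>/maps tags it "(deleted)". This is an added example, not part of the original answer; the function names, file names and sample map lines are constructed for illustration, and it assumes a Linux /proc filesystem.

```shell
#!/bin/sh
# Input is text in /proc/<pid>/maps format. When a package upgrade replaces a
# shared library, the old mapping's path is shown with a "(deleted)" suffix.

# Print each libssl/libcrypto file that is mapped but no longer on disk.
stale_openssl_maps() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /\/lib(ssl|crypto)\.so/ { print $(NF-1) }' | sort -u
}

# Exit status 0 = no stale OpenSSL mapping, 1 = a restart is still needed.
openssl_is_current() {
    [ -z "$(stale_openssl_maps)" ]
}

# Constructed sample: maps of a worker started before the upgrade.
# Addresses, inode numbers and version suffixes are made up.
sample_before_restart() {
    cat <<'EOF'
7f23f7209000-7f23f726b000 r-xp 00000000 fd:00 393301 /usr/lib64/libssl.so.1.0.1e (deleted)
7f23f6e26000-7f23f6fdc000 r-xp 00000000 fd:00 393297 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f23f6fdc000-7f23f71db000 ---p 001b6000 fd:00 393297 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f23f7473000-7f23f74a5000 r-xp 00000000 fd:00 401122 /etc/httpd/modules/mod_ssl.so
EOF
}

# Constructed sample: the same worker after Apache was restarted.
sample_after_restart() {
    cat <<'EOF'
7f9a1c209000-7f9a1c26b000 r-xp 00000000 fd:00 393412 /usr/lib64/libssl.so.1.0.2k
7f9a1be26000-7f9a1bfdc000 r-xp 00000000 fd:00 393408 /usr/lib64/libcrypto.so.1.0.2k
7f9a1c473000-7f9a1c4a5000 r-xp 00000000 fd:00 401122 /etc/httpd/modules/mod_ssl.so
EOF
}

# On a live host (assumed usage): pass an Apache PID as the first argument.
if [ -n "${1:-}" ] && [ -r "/proc/$1/maps" ]; then
    stale_openssl_maps < "/proc/$1/maps"
fi
```

Any path printed for a running Apache PID means that process is still executing the old OpenSSL code and has to be restarted.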

Solution 2:

I strongly suggest upgrading your distribution; both Apache 2.2 and OpenSSL 0.9 are VERY, VERY, VERY old and hardly supported any longer.

If that is not an option, you will need to install dev headers for your installed OpenSSL version and recompile mod_ssl against them. That is, if you are using Gentoo or other "do it yourself" kind of distro.

Else, just man up and upgrade. It is LONG overdue in your case.