httpd-users mailing list archives

From geb...@ameritech.net
Subject Re: [users@httpd] compiling openssl for openssl+apache+certs
Date Tue, 25 Feb 2003 22:39:47 GMT

Geoff,

Good reply.

At 23:37 (UTC-0500) on Mon, 24 Feb 2003 Geoff Thorpe said:

= Hi,
= 
= * gebser@ameritech.net (gebser@ameritech.net) wrote:
= > 
= > Reading the docs on compiling openssl-0.9.7, I've come to some
= > questions and thought that there's more than enough
= > intelligence in this group to get some clarity.
= 
= I'll try briefly to give you an adequate answer - but openssl-users
= would be a good list to get further detail on openssl installation
= issues. As for the Apache issues *relating* to openssl, I'm just sifting
= through them myself...

Good.  That's the only stuff I'm interested in right now too.

= 
= > First I was thinking about the args to ./config.  The
= > "--prefix" option specifies where to put the generated
= > binaries, right?
= 
= More or less, it's the traditional sort of "--prefix=<path>" thing;
= you'll get executables in <path>/bin, headers in <path>/include, etc.

Yeah.  That much I got from the INSTALL file that came with openssl.  
To further muddy the waters, there's also a "--prefix" option to "make
install".  If "./config --prefix=xxx" puts executables in/under xxx,
then what does "make install --prefix=xxx" do?  If I specify a path when 
running "./config ...", do I also need to specify the same path when 
doing "make install"?  Or will the second know about the first?

= 
= > I'm compiling openssl so I can use
= > apache+ssl+certificates.  I'm thinking that I don't really
= > need all the binaries this compile of openssl is going to
= > create.  Which of the generated binaries will I really need?
= > And where will I need to put them when the compile is
= > finished?
= 
= Depends - if you will generate your certificates+keys (and what-not)
= straight away and then won't need to meddle with things at run-time, you
= might be best to generate those certificates/keys/... and then not worry
= about openssl at all from that point on. 

Generating certificates and keys hasn't been a problem.  I've already 
done that with openssl v.0.9.6d.  But of course I don't want to use that 
version.  I can still use those same certificates and keys when (if) I 
get openssl v.0.9.7 compiled, yes?



= The only issue then will be
= whether you go with static or dynamic linking - as an openssl developer
= I can tell you that the official line there is that no binary
= compatibility is guaranteed or even likely between releases (for now at
= least) and that use of shared-libraries is very much a caveat emptor.
= That said, Redhat does it so it must be right, right? :-)

I haven't found anything suggesting that Redhat offers an openssl above 
v.0.9.6d for its 7.2 release.  If someone has information to the 
contrary, please let me know.

Another possibility is that the Stronghold server may run on 7.2.  Has 
anyone done that?


= 
= If you statically link and you won't need to generate or manipulate
= keys/certs/etc at run-time, then don't bother installing openssl and
= delete the tree completely once you're done. BTW: I'm not at all sure
= about the "--with-ssl" support in apache's configuration code - it's why
= I decided to reply to your post despite only being a member of this list
= for an hour or two because I just happened to be wading through that
= *very* code when your post arrived!! If my understanding is correct -
= there is some breakage in there that makes it questionable to try and
= build against an uninstalled openssl tree (which would contradict all
= the advice I've given so far). Hmm.

Welcome to the group.

Yeah, static binaries aren't the way to go-- not for a webserver anyway.  
Well, for narrow purposes maybe.  Most of the time there's always 
another Next Great Thing you want to do on the site and this requires 
some new module.  I couldn't see recompiling the whole webserver every 
time you wanted to add some additional functionality.


= 
= What will you need to be able to do, w.r.t. crypto maintenance, from
= your Apache installation once you're set up?

It's for a little e-commerce site.  No credit cards.  I want to let 
certain people log in from the world to upload files.  So there'll need 
to be certificates and passwords.  What do you mean by "crypto 
maintenance"?


Geoff,  thanks for your comments.  I'm sure we'll be all over this stuff 
again.


= 
= Cheers,
= Geoff
= 
= 

'Til next time,
ken



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
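
Added example, not part of the original thread: a check for the shared-library caveat and the `--prefix` question discussed above. It reads `ldd` output for a dynamically linked httpd or mod_ssl and reports whether libssl/libcrypto resolve under the OpenSSL prefix the build was meant to use. The function name, the sample `ldd` output and the `/usr/local/ssl` prefix are assumptions chosen for illustration.

```shell
#!/bin/sh
# Constructed sample: what `ldd` might print for a dynamically linked
# mod_ssl. Paths and load addresses are invented for this example.
SAMPLE_LDD='    libssl.so.0.9.7 => /usr/local/ssl/lib/libssl.so.0.9.7 (0x40020000)
    libcrypto.so.2 => /usr/lib/libcrypto.so.2 (0x40050000)
    libc.so.6 => /lib/libc.so.6 (0x40130000)'

# check_openssl_libs PREFIX   (hypothetical helper, reads ldd output on stdin)
# Prints one line per OpenSSL library:
#   ok <soname> <path>        resolves under PREFIX/lib/
#   MISMATCH <soname> <path>  resolves somewhere else (e.g. the distro copy)
#   MISSING <soname>          the loader cannot find it
# Returns 0 when nothing is wrong, 1 otherwise.
check_openssl_libs() {
    awk -v prefix="$1" '
        BEGIN { bad = 0; seen = 0 }
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            seen = 1
            if ($3 == "not") {
                print "MISSING " $1; bad = 1
            } else if (index($3, prefix "/lib/") == 1) {
                print "ok " $1 " " $3
            } else {
                print "MISMATCH " $1 " " $3; bad = 1
            }
        }
        END {
            # No libssl/libcrypto lines: OpenSSL was linked statically
            # or the binary does not use it at all.
            if (!seen) print "none: statically linked or no OpenSSL dependency"
            exit bad
        }'
}

# Run on the constructed sample; on a real system pipe in
# `ldd /path/to/httpd` or `ldd /path/to/mod_ssl.so` instead.
printf '%s\n' "$SAMPLE_LDD" | check_openssl_libs /usr/local/ssl || true
```

A MISMATCH line means the binary will load a different OpenSSL at run time than the one installed under the chosen prefix, which is the situation the no-binary-compatibility warning applies to.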

