httpd-users mailing list archives

From Sander Temme <scte...@apache.org>
Subject Re: [users@httpd] How do I pick up correct version of SSL
Date Tue, 23 Feb 2010 01:15:22 GMT

On Feb 21, 2010, at 7:17 PM, John Iliffe wrote:

> I have just created a new server running Red Hat EL5.4.  I decided to
> update the version of Apache to 2.2.14 at the same time.
> 
> I compiled with "enable-ssl=<path to openssl>" but the log shows that
> the openssl in use is the default shipped with the operating system.
> How do I get Apache to pick up the proper openssl version?

Two issues:

1) As Igor points out, --with-ssl=/foo/bar/openssl steers the Apache build system to the OpenSSL
installed under /foo/bar.  The build system will pick up the include and lib subdirectories.
If your OpenSSL is 0.9.8x, you may have to set and export LD_LIBRARY_PATH=/foo/bar/openssl/lib
before you ./configure to make the test programs pick up the right libraries as opposed to
the system copies.

2) At runtime, the httpd binary needs to find the libssl.so and libcrypto.so.  It seems that
on Linux (or in the httpd build system in particular), rpath doesn't work so the path to the
libraries is not hardcoded in the binaries.  If you compiled against your own OpenSSL 0.9.8x,
the runtime will pick up the system copy unless you set and export LD_LIBRARY_PATH=/foo/bar/openssl/lib
on the shell that starts the webserver.  A couple of LoadFile directives in your config may
also help. 

3) It gets worse.  On Red Hat, the C library links against OpenSSL for the Kerberos stuff,
and EVERYTHING (including httpd) links against the C library.  This means that the system
copy of OpenSSL gets loaded when httpd starts, before it loads mod_ssl.so and resolves the
dynamic library bits in it.  Hence, you are likely to end up pulling in the system OpenSSL,
whatever steps from 2) above you might try to make it otherwise.  Nor will tearing out your
hair help.  If your own OpenSSL is not 0.9.8x (but 1.0.0z or 0.9.7y), this should not be a
problem.  

Enjoy, 

S.

> I have a horrible feeling that I have missed something important in the
> config but I have had no success so far in finding it.
> 
> Thanks in advance.
> 
> John



-- 
Sander Temme
sctemme@apache.org
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF
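
The following is an added example, not part of the original message: a shell check that reads /proc/<pid>/maps for a running httpd and reports any libssl/libcrypto mapped from outside the prefix httpd was built against, which is how the situation in points 2) and 3) shows up at runtime. The sample maps text, the HTTPD_PID and OPENSSL_PREFIX variables and the function names are constructed for illustration; /foo/bar/openssl is the placeholder path used in the message.

```shell
#!/bin/sh
# Constructed sample in /proc/<pid>/maps format (addresses, inodes and
# library versions are made up): httpd built against /foo/bar/openssl
# but with the system OpenSSL mapped at runtime.
SAMPLE_MAPS='00400000-0044f000 r-xp 00000000 fd:00 1001 /usr/local/apache2/bin/httpd
2b1000000000-2b1000045000 r-xp 00000000 fd:00 2001 /lib64/libssl.so.0.9.8e
2b1000300000-2b100042d000 r-xp 00000000 fd:00 2002 /lib64/libcrypto.so.0.9.8e
2b100062d000-2b100064e000 rw-p 0012d000 fd:00 2002 /lib64/libcrypto.so.0.9.8e
2b1000800000-2b1000830000 r-xp 00000000 fd:00 3001 /usr/local/apache2/modules/mod_ssl.so'

# Read maps text on stdin; print each distinct libssl/libcrypto file mapped.
mapped_openssl() {
    awk '$6 ~ /\/lib(ssl|crypto)\.so/ { print $6 }' | sort -u
}

# Read maps text on stdin; $1 is the prefix OpenSSL was built under.
# Returns 0 if every mapped copy is under $1, 1 if any is not,
# 2 if no shared libssl/libcrypto is mapped at all.
check_openssl_prefix() {
    prefix=${1%/}
    libs=$(mapped_openssl)
    if [ -z "$libs" ]; then
        echo "no shared libssl/libcrypto mapped"
        return 2
    fi
    # Keep only paths that do not start with "$prefix/".
    stray=$(printf '%s\n' "$libs" | awk -v p="$prefix/" 'index($0, p) != 1')
    if [ -n "$stray" ]; then
        echo "mapped from outside $prefix:"
        echo "$stray"
        return 1
    fi
    echo "all OpenSSL libraries mapped from $prefix"
}

# HTTPD_PID and OPENSSL_PREFIX are assumed variable names for this example.
# With HTTPD_PID unset, the check runs on the constructed sample above.
want=${OPENSSL_PREFIX:-/foo/bar/openssl}
if [ -n "${HTTPD_PID:-}" ]; then
    check_openssl_prefix "$want" < "/proc/$HTTPD_PID/maps" || true
else
    printf '%s\n' "$SAMPLE_MAPS" | check_openssl_prefix "$want" || true
fi
```

Reading another user's /proc/<pid>/maps needs root or the same user as the httpd process.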



