httpd-users mailing list archives

From Paul Jacques <devexplo...@hotmail.com>
Subject RE: [users@httpd] How do I pick up correct version of SSL
Date Tue, 23 Feb 2010 07:38:38 GMT

Thanks for the clarification on this topic... but any tip how we can cope with httpd linked
with openssl 0.9.8x on redhat?

Apparently there is a requirement of openssl not to overwrite the default version provided
with the OS. 

How do we specify to httpd the library to take at runtime?
How can we check which library is taken by httpd at runtime?

Thanks a lot for help,

P.

> From: sctemme@apache.org
> Date: Mon, 22 Feb 2010 17:15:22 -0800
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] How do I pick up correct version of SSL
> 
> 
> On Feb 21, 2010, at 7:17 PM, John Iliffe wrote:
> 
> > I have just created a new server running Red Hat EL5.4.  I decided to
> > update the version of Apache to 2.2.14 at the same time.
> > 
> > I compiled with "enable-ssl=<path to openssl>" but the log shows that
> > the openssl in use is the default shipped with the operating system.
> > How do I get Apache to pick up the proper openssl version?
> 
> Two issues:
> 
> 1) As Igor points out, --with-ssl=/foo/bar/openssl steers the Apache build system to
> the OpenSSL installed under /foo/bar.  The build system will pick up the include and lib
> subdirectories.  If your OpenSSL is 0.9.8x, you may have to set and export
> LD_LIBRARY_PATH=/foo/bar/openssl/lib before you ./configure to make the test programs
> pick up the right libraries as opposed to the system copies.
> 
> 2) At runtime, the httpd binary needs to find the libssl.so and libcrypto.so.  It seems
> that on Linux (or in the httpd build system in particular), rpath doesn't work so the path
> to the libraries is not hardcoded in the binaries.  If you compiled against your own OpenSSL
> 0.9.8x, the runtime will pick up the system copy unless you set and export
> LD_LIBRARY_PATH=/foo/bar/openssl/lib on the shell that starts the webserver.  A couple of
> LoadFile directives in your config may also help.
> 
> 3) It gets worse.  On Red Hat, the C library links against OpenSSL for the Kerberos stuff,
> and EVERYTHING (including httpd) links against the C library.  This means that the system
> copy of OpenSSL gets loaded when httpd starts, before it loads mod_ssl.so and resolves the
> dynamic library bits in it.  Hence, you are likely to end up pulling in the system OpenSSL,
> whatever steps from 2) above you might try to make it otherwise.  Nor will tearing out your
> hair help.  If your own OpenSSL is not 0.9.8x (but 1.0.0z or 0.9.7y), this should not be a
> problem.
> 
> Enjoy, 
> 
> S.
> 
> > I have a horrible feeling that I have missed something important in the
> > config but I have had no success so far in finding it.
> > 
> > Thanks in advance.
> > 
> > John
> > 
> > 
> > 
> > 
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> > 
> > 
> 
> 
> 
> -- 
> Sander Temme
> sctemme@apache.org
> PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF
> 
> 
> 
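On the question of which library httpd has loaded at runtime: on Linux, the files mapped into a running process are listed in /proc/<pid>/maps. The script below is an added example, not part of the original thread; the function names are hypothetical, the maps text is a constructed sample, and /foo/bar/openssl/lib is the placeholder prefix from the quoted reply.

```shell
#!/bin/sh
# Constructed sample in /proc/<pid>/maps format (not captured from a real host).
sample_maps() {
cat <<'EOF'
00400000-00452000 r-xp 00000000 08:01 131 /usr/local/apache2/bin/httpd
2b1000000000-2b1000045000 r-xp 00000000 08:01 201 /lib64/libssl.so.6
2b1000300000-2b1000430000 r-xp 00000000 08:01 202 /lib64/libcrypto.so.6
2b1000500000-2b1000530000 r-xp 00000000 08:01 305 /usr/local/apache2/modules/mod_ssl.so
2b1000600000-2b1000650000 r-xp 00000000 08:01 310 /foo/bar/openssl/lib/libssl.so.0.9.8
2b1000700000-2b1000850000 r-xp 00000000 08:01 311 /foo/bar/openssl/lib/libcrypto.so.0.9.8
EOF
}

# Print each distinct libssl/libcrypto file mapped into the process.
# stdin: maps text; the mapped file path is field 6.
mapped_openssl() {
    awk '$6 ~ "/lib(ssl|crypto)[^/]*[.]so[^/]*$" { print $6 }' | sort -u
}

# Compare the mapped copies with the directory httpd was built against.
# $1: expected lib directory; stdin: maps text.
# Prints expected, other, mixed (both present) or none.
classify_openssl() {
    want=$1 inside=0 outside=0
    libs=$(mapped_openssl)
    [ -n "$libs" ] || { echo none; return 0; }
    for f in $libs; do
        case $f in
            "$want"/*) inside=1 ;;
            *) outside=1 ;;
        esac
    done
    if [ "$inside" = 1 ] && [ "$outside" = 1 ]; then echo mixed
    elif [ "$inside" = 1 ]; then echo expected
    else echo other
    fi
}

# Run on the constructed sample: list the mapped copies, then classify them.
sample_maps | mapped_openssl
sample_maps | classify_openssl /foo/bar/openssl/lib
```

Against a live server, feed it the maps of the httpd process instead: `classify_openssl /foo/bar/openssl/lib < /proc/PID/maps`. A result of `mixed` or `other` means a copy outside the intended prefix is mapped, which is the situation point 3) of the quoted reply describes.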
 		 	   		  