Return-Path: Delivered-To: apmail-httpd-users-archive@www.apache.org Received: (qmail 42806 invoked from network); 23 Feb 2010 01:15:56 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 23 Feb 2010 01:15:56 -0000 Received: (qmail 30029 invoked by uid 500); 23 Feb 2010 01:15:52 -0000 Delivered-To: apmail-httpd-users-archive@httpd.apache.org Received: (qmail 29958 invoked by uid 500); 23 Feb 2010 01:15:52 -0000 Mailing-List: contact users-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: users@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list users@httpd.apache.org Received: (qmail 29949 invoked by uid 99); 23 Feb 2010 01:15:52 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 23 Feb 2010 01:15:52 +0000 X-ASF-Spam-Status: No, hits=0.2 required=10.0 tests=RCVD_IN_DNSWL_LOW,SPF_HELO_PASS,SPF_NEUTRAL X-Spam-Check-By: apache.org Received-SPF: neutral (athena.apache.org: local policy) Received: from [207.106.84.159] (HELO atlas.jtan.com) (207.106.84.159) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 23 Feb 2010 01:15:45 +0000 X-JTAN-Outgoing-From: sctemme@apache.org X-JTAN-Outgoing-To: X-JTAN-Received: c-67-188-201-250.hsd1.ca.comcast.net [67.188.201.250] X-JTAN-Recipient: X-JTAN-AntiSPAM: not spam, Outgoing not scanned X-JTAN-AntiVirus: Found to be clean, Outgoing not scanned Received: from [10.11.0.108] (c-67-188-201-250.hsd1.ca.comcast.net [67.188.201.250]) (authenticated bits=0) by atlas.jtan.com (8.12.8p1/8.12.8) with ESMTP id o1N1FMgU023357 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT) for ; Tue, 23 Feb 2010 01:15:24 GMT From: Sander Temme Mime-Version: 1.0 (Apple Message framework v1077) Content-Type: multipart/signed; boundary=Apple-Mail-15-817713501; protocol="application/pkcs7-signature"; micalg=sha1 Date: Mon, 22 Feb 2010 17:15:22 -0800 In-Reply-To: <1266808651.775.25.camel@linuxprod2> To: users@httpd.apache.org References: <1266808651.775.25.camel@linuxprod2> Message-Id: <43661AD7-3442-4D92-A081-2835C36884B4@apache.org> X-Mailer: Apple Mail (2.1077) Subject: Re: [users@httpd] How do I pick up correct version of SSL --Apple-Mail-15-817713501 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii On Feb 21, 2010, at 7:17 PM, John Iliffe wrote: > I have just created a new server running Red Hat EL5.4. I decided to > update the version of Apache to 2.2.14 at the same time. >=20 > I compiled with "enable-ssl=3D" but the log shows = that > the openssl in use is the default shipped with the operating system. > How do I get Apache to pick up the proper openssl version? Two issues: 1) As Igor points out, --with-ssl=3D/foo/bar/openssl steers the Apache = build system to the OpenSSL installed under /foo/bar. The build system = will pick up the include and lib subdirectories. If your OpenSSL is = 0.9.8x, you may have to set and export = LD_LIBRARY_PATH=3D/foo/bar/openssl/lib before you ./configure to make = the test programs pick up the right libraries as opposed to the system = copies. =20 2) At runtime, the httpd binary needs to find the libssl.so and = libcrypto.so. It seems that on Linux (or in the httpd build system in = particular), rpath doesn't work so the path to the libraries is not = hardcoded in the binaries. If you compiled against your own OpenSSL = 0.9.8x, the runtime will pick up the system copy unless you set and = export LD_LIBRARY_PATH=3D/foo/bar/openssl/lib on the shell that starts = the webserver. A couple of LoadFile directives in your config may also = help.=20 3) It gets worse. On Red Hat, the C library links against OpenSSL for = the Kerberos stuff, and EVERYTHING (including httpd) links against the C = library. This means that the system copy of OpenSSL gets loaded when = httpd starts, before it loads mod_ssl.so and resolves the dynamic = library bits in it. Hence, you are likely to end up pulling in the = system OpenSSL, whatever steps from 2) above you might try to make it = otherwise. Nor will tearing out your hair help. If your own OpenSSL is = not 0.9.8x (but 1.0.0z or 0.9.7y), this should not be a problem. =20 Enjoy,=20 S. > I have a horrible feeling that I have missed something important in = the > config but I have had no success so far in finding it. >=20 > Thanks in advance. >=20 > John >=20 >=20 >=20 >=20 > --------------------------------------------------------------------- > The official User-To-User support forum of the Apache HTTP Server = Project. > See for more info. > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org > " from the digest: users-digest-unsubscribe@httpd.apache.org > For additional commands, e-mail: users-help@httpd.apache.org >=20 >=20 --=20 Sander Temme sctemme@apache.org PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF --Apple-Mail-15-817713501 Content-Disposition: attachment; filename=smime.p7s Content-Type: application/pkcs7-signature; name=smime.p7s Content-Transfer-Encoding: base64 MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIFMzCCBS8w ggMXoAMCAQICAwVx1DANBgkqhkiG9w0BAQUFADB5MRAwDgYDVQQKEwdSb290IENBMR4wHAYDVQQL ExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNBIENlcnQgU2lnbmluZyBBdXRob3Jp dHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRAY2FjZXJ0Lm9yZzAeFw0wODA3MDYxNTQzMzRaFw0x MDA3MDYxNTQzMzRaMDoxFTATBgNVBAMTDFNhbmRlciBUZW1tZTEhMB8GCSqGSIb3DQEJARYSc2N0 ZW1tZUBhcGFjaGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuKsWFApS17cR 51oTARVEphn9w7VKL2p+HqnTJOF7CnihobEp4um9w3c0bcbXruKbjfwzBiaRAv0BGkOezB8XuHpQ r3abklf7bkvFqYHLaj9ANm2wj2qrUXasaPgsOIXNiPa0qkpxBHk8Of43Q/Jxv4YGF11DvTfXPpbl qXkJ07pk6fC3MSDAsZc5mdGtIhDY/LGgxr/A6NhwTG3hxwE9zPt/B7v/bctU4ZWxloeC/eCpCYUU fk3BGwoU53iEXyMpe/Kz2iIyZe5dimDeOigqC3Cye99EvtjL2ZavRsqL00j5M9q/MPYh1WsgVOaZ WxpEnnd+e5kPTjTL7hAbJzv7cwIDAQABo4H+MIH7MAwGA1UdEwEB/wQCMAAwVgYJYIZIAYb4QgEN BEkWR1RvIGdldCB5b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSBoZWFkIG92ZXIgdG8gaHR0 cDovL3d3dy5DQWNlcnQub3JnMEAGA1UdJQQ5MDcGCCsGAQUFBwMEBggrBgEFBQcDAgYKKwYBBAGC NwoDBAYKKwYBBAGCNwoDAwYJYIZIAYb4QgQBMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW aHR0cDovL29jc3AuY2FjZXJ0Lm9yZzAdBgNVHREEFjAUgRJzY3RlbW1lQGFwYWNoZS5vcmcwDQYJ KoZIhvcNAQEFBQADggIBAITHPZWMXBXh1rSeQ9yJoMBXr0b5bOxUX3V/KsgYLCTu5d0GNB2HHjcq dHSxbIm7ezIGxTFA491q9wOHQZmYvQzMV2zQUqLrZmNFYPCC1/Q5Gw43CnYQ0StGX2frOKNIp7fM KpXux9jjao8sG1Sa0ubclAx3u50wz3k9mEfFhtrZsYLWbruitZeozslMJhG8tFoRH7J68QmhnyCK GniNLSu4K6SykM5DOH3GzDKsbjiPqQ7Y+h8qj309oO81fAWo6JdcVdxivFS7KgHAt+nQS1oaiSeV W25idOBsTiwWBxkcfq3DltK0HZe6QWMYYvgq2BoHAwGGy+wHjEk8dc/rtf4HAnpee/3Quc3lN+IK UHYC2RlgtG2JirizdUhkxdsaw6Vl+yk3FvduWJUZjEh7zBMKRUoSOlo6i8ApCNSgHk1QQSI2wPqs gltpxhQ8B3wCdUNbywntZVyaNp5CgmkBxOs330nkl+jQsZvE5XmYyZt20W6SuCaV1YYHHducXdc/ DNUrSdsdw2nNmVOqZ3xC53UXX/tuPquLqLbSs2W1vtbCAsdzTalNbqG64OrG74I2C191RM05l2jp AHfoz+9OZ+7q2pSGYdbACxY3Rke2s7jqPD/X9aukO50ZDibLEGW8wdL+0yxZLGaR2zJ9K8yo4YuO 09oUHORRtY0WoMRX0FFTMYIDMzCCAy8CAQEwgYAweTEQMA4GA1UEChMHUm9vdCBDQTEeMBwGA1UE CxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0IFNpZ25pbmcgQXV0aG9y aXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNhY2VydC5vcmcCAwVx1DAJBgUrDgMCGgUAoIIB hzAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xMDAyMjMwMTE1MjJa MCMGCSqGSIb3DQEJBDEWBBSiynear1h0TYVTkjC2jvVmBUF5YzCBkQYJKwYBBAGCNxAEMYGDMIGA MHkxEDAOBgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBj YWNlcnQub3JnAgMFcdQwgZMGCyqGSIb3DQEJEAILMYGDoIGAMHkxEDAOBgNVBAoTB1Jvb3QgQ0Ex HjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5n IEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNlcnQub3JnAgMFcdQwDQYJKoZI hvcNAQEBBQAEggEAkGxREFO78yqnnNRlK6JPnRpRj5QQp511O+Qc5t1HP8Ewg60tr646CWV5LxyM HDvXS0E4w6D/KXXx0XUqTMYas9X67nTJDq3IXzP+CjjsyCiDlGomkjXwos+dYJpzt0HvvAgvfsUi Ngy1UWVNOfspNPoJKbSWISsNAa88FW8NFWI8/QnvIw87a1V08MzO6zKxa2F9UYL0bPuRLo0FMUK2 oRCyLZPwzPf9bFaqlnTtpNdakEzdRkJmqqBxpHSgd5xDaCJywtzfZDgl2kkB7GuW12qBopcyWe/g aqTDBvz8KMz3iKQPOMz9y4TJzlPYIizwY731ubkV3Swd0a/FnxfPXQAAAAAAAA== --Apple-Mail-15-817713501--