httpd-users mailing list archives

From "Bennett, Tony" <Bennett.T...@con-way.com>
Subject RE: [users@httpd] Re: Delivery Status Notification (Failure)
Date Tue, 29 Jan 2013 22:58:25 GMT
We use the "--with-ssl=DIR" directive so that "we", the developers,
control which version of SSL is included in the Apache which we build.  
With our company's infrastructure out-sourced, we have little or no control 
of when our servers are updated.  So, we've elected to build and install
openssl in a non-standard location, so that it won't get replaced
by infrastructure... We specify that location to the Apache build-process
via "--with-ssl=DIR"...and have it statically linked into Apache.

Can you show the contents of your "config.nice"?
It contains how "configure" was invoked the last time and may give a hint
as to how OpenSSL's location was determined.

Regarding your specific question of "which directory" to use...
Well, you mentioned you "built and installed" a new version of OpenSSL
(1.0.1c), so I assume you want to use that one.

When you ran openssl's Configure script, prior to building openssl, did you specify
a "--prefix" argument to Configure...???
If not, did you specify an "--openssldir" argument...

Here's what OpenSSL's Configure says in a snippet of its comments:
    # --openssldir  install OpenSSL in OPENSSLDIR (Default: DIR/ssl if the
    #               --prefix option is given; /usr/local/ssl otherwise)
    # --prefix      prefix for the OpenSSL include, lib and bin directories
    #               (Default: the OPENSSLDIR directory)
    #

As for the "inconsistent" versions...
...they all are probably correct... 

"rpm" says what "rpm" packages are installed on your system... but if you 
downloaded the openssl source, built it, and installed it... well "rpm" 
wouldn't know anything about it.

"whereis" - my "non-linux" man page says "...locates the source, binary, and manuals sections
for specified files."
It says it looks for them here:
       /usr/share/man/*
            Directories containing manual files.
       /sbin, /etc, /usr/{lib,bin,ucb,lpp}
            Directories containing binary files.
       /usr/src/*
            Directories containing source code files.

But, if you didn't install the openssl which you built in those locations, then it wouldn't
find it there.



-tony

-----Original Message-----
From: Joe Hansen [mailto:joe.hansen.at@gmail.com] 
Sent: Tuesday, January 29, 2013 1:25 PM
To: users@httpd.apache.org
Subject: [users@httpd] Re: Delivery Status Notification (Failure)

Thanks for the super quick responses, Tony and Richard.

I did not use --with-ssl while running configure. I thought the
configure script will find the latest version installed on the machine
because the openssl script is in the PATH (/usr/bin).

Before building and installing the new version of OpenSSL (1.0.1c), I
did not remove the previous version. However after building and
installing OpenSSL, the previous openssl script in /usr/bin was
overridden by the newer version.

Here are the outputs of various commands

$ uname -a
Linux my-redhat-box 2.6.32-276.el6.x86_64 #1 SMP

$ rpm -qa | grep openssl
openssl-1.0.0-25.el6_3.1.x86_64
openssl-devel-1.0.0-25.el6_3.1.x86_64

$ openssl version
OpenSSL 1.0.1c 10 May 2012

$ HEAD localhost
Server: Apache/2.2.23 (Unix) mod_ssl/2.2.23 OpenSSL/1.0.0-fips mod_jk/1.2.37

As you can see from above, the OpenSSL versions given by different
commands are inconsistent.

$ whereis openssl
openssl: /usr/bin/openssl /usr/lib64/openssl /usr/include/openssl
/usr/share/man/man1/openssl.1ssl.gz


Tony, if I need to use --with-ssl parameter (for the configure
script), I do not understand which directory that I need to use.

We use TrustWave for PCI compliance. I do not know how to check RedHat
CVEs. We use Amazon EC2 platform for our RedHat 6 server. Thanks for
your help!

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
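
The version comparison discussed in this thread, as an added example (not part of either message, and not Apache or OpenSSL project code): it extracts the OpenSSL version from each source and reports whether httpd and the `openssl` command agree. The function names are hypothetical, and the one-argument-per-line layout of config.nice is an assumption.

```shell
#!/bin/sh
# Added example: reconcile the OpenSSL versions that different sources report.
# Function names are hypothetical; inputs are strings so it runs offline.

# OpenSSL token from an httpd "Server:" header, e.g. "1.0.0-fips".
server_openssl_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL\/\([^ ]*\).*/\1/p'
}

# Version field of "openssl version" output, e.g. "1.0.1c".
cli_openssl_version() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }'
}

# Upstream version from an "openssl-<ver>-<release>.<arch>" rpm name;
# openssl-devel and other sub-packages are skipped.
rpm_openssl_version() {
    printf '%s\n' "$1" | sed -n 's/^openssl-\([0-9][^-]*\)-.*/\1/p'
}

# DIR from a --with-ssl=DIR argument in config.nice text (empty if absent).
# Assumes one argument per line, optionally double-quoted.
config_nice_ssl_dir() {
    printf '%s\n' "$1" | sed -n 's/.*--with-ssl=\([^" ]*\).*/\1/p'
}

# Args: Server header, "openssl version" output, rpm -qa lines, config.nice text.
diagnose() {
    srv=$(server_openssl_version "$1"); cli=$(cli_openssl_version "$2")
    rpmv=$(rpm_openssl_version "$3"); dir=$(config_nice_ssl_dir "$4")
    base=${srv%%-*}   # drop a suffix such as "-fips" before comparing
    if [ -n "$base" ] && [ "$base" = "$cli" ]; then
        echo "match: httpd and the openssl CLI both report $cli"
    elif [ -z "$dir" ] && [ -n "$base" ] && [ "$base" = "$rpmv" ]; then
        echo "mismatch: httpd reports packaged $rpmv, CLI reports $cli, no --with-ssl"
    else
        echo "mismatch: httpd reports ${srv:-nothing}, CLI reports ${cli:-nothing}, --with-ssl=${dir:-unset}"
    fi
}

# Sample input: the command outputs quoted in the thread; the poster did not
# pass --with-ssl, so the config.nice text is given as empty.
diagnose \
    "Server: Apache/2.2.23 (Unix) mod_ssl/2.2.23 OpenSSL/1.0.0-fips mod_jk/1.2.37" \
    "OpenSSL 1.0.1c 10 May 2012" \
    "openssl-1.0.0-25.el6_3.1.x86_64
openssl-devel-1.0.0-25.el6_3.1.x86_64" \
    ""
```

On a live host the four arguments would come from `HEAD localhost`, `openssl version`, `rpm -qa | grep openssl` and the contents of config.nice.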