httpd-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [users@httpd] Enabling ECDHE ciphers
Date Fri, 18 Apr 2014 18:29:47 GMT
John,

On 4/18/14, 1:16 PM, John Iliffe wrote:
> Further to my previous post, the log reports:
> 
> [Sun Apr 13 03:20:08.591247 2014] [mpm_event:notice] [pid 11737:tid 
> 140478837470976] AH00489: Apache/2.4.9 (Unix) OpenSSL/1.0.1g configured -- 
> resuming normal operations
> [Sun Apr 13 03:20:08.591283 2014] [core:notice] [pid 11737:tid 
> 140478837470976] AH00094: Command line: '/usr/apache-2.4.9/bin/httpd'
> 
> BUT the libssl in use, and resulting from installing OpenSSL-1.0.1g, is 
> libssl-1.0.0

My setup is a little different:

$ httpd -v
Server version: Apache/2.2.23 (Unix)
Server built:   Oct 21 2012 20:35:47

$ ldd /usr/sbin/httpd
	linux-gate.so.1 =>  (0xb7761000)
	libm.so.6 => /lib/i686/nosegneg/libm.so.6 (0xb76c3000)
	libpcre.so.0 => /lib/libpcre.so.0 (0xb7668000)
	libselinux.so.1 => /lib/libselinux.so.1 (0xb7649000)
	libaprutil-1.so.0 => /usr/lib/libaprutil-1.so.0 (0xb7625000)
	libcrypt.so.1 => /lib/libcrypt.so.1 (0xb75f6000)
	libexpat.so.1 => /lib/libexpat.so.1 (0xb75d0000)
	libdb-4.7.so => /lib/libdb-4.7.so (0xb745e000)
	libapr-1.so.0 => /usr/lib/libapr-1.so.0 (0xb7430000)
	libpthread.so.0 => /lib/i686/nosegneg/libpthread.so.0 (0xb7415000)
	libc.so.6 => /lib/i686/nosegneg/libc.so.6 (0xb726f000)
	/lib/ld-linux.so.2 (0xb7762000)
	libdl.so.2 => /lib/libdl.so.2 (0xb726a000)
	libuuid.so.1 => /lib/libuuid.so.1 (0xb7265000)
	libfreebl3.so => /lib/libfreebl3.so (0xb7206000)

$ ldd /usr/lib/libapr-1.so.0
	linux-gate.so.1 =>  (0xb779a000)
	libuuid.so.1 => /lib/libuuid.so.1 (0xb7760000)
	libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7731000)
	libpthread.so.0 => /lib/i686/nosegneg/libpthread.so.0 (0xb7717000)
	libc.so.6 => /lib/i686/nosegneg/libc.so.6 (0xb7570000)
	/lib/ld-linux.so.2 (0xb779b000)
	libfreebl3.so => /lib/libfreebl3.so (0xb7511000)
	libdl.so.2 => /lib/libdl.so.2 (0xb750c000)

$ ldd /usr/lib/httpd/modules/mod_ssl.so
	linux-gate.so.1 =>  (0xb76f3000)
	libssl.so.10 => /usr/lib/libssl.so.10 (0xb765d000)
	libcrypto.so.10 => /lib/libcrypto.so.10 (0xb74a6000)
	libc.so.6 => /lib/i686/nosegneg/libc.so.6 (0xb7300000)
	libgssapi_krb5.so.2 => /lib/libgssapi_krb5.so.2 (0xb72c2000)
	libkrb5.so.3 => /lib/libkrb5.so.3 (0xb71f3000)
	libcom_err.so.2 => /lib/libcom_err.so.2 (0xb71ef000)
	libk5crypto.so.3 => /lib/libk5crypto.so.3 (0xb71c4000)
	libresolv.so.2 => /lib/libresolv.so.2 (0xb71ad000)
	libdl.so.2 => /lib/libdl.so.2 (0xb71a8000)
	libz.so.1 => /lib/libz.so.1 (0xb7192000)
	/lib/ld-linux.so.2 (0xb76f4000)
	libkrb5support.so.0 => /lib/libkrb5support.so.0 (0xb7187000)
	libkeyutils.so.1 => /lib/libkeyutils.so.1 (0xb7183000)
	libpthread.so.0 => /lib/i686/nosegneg/libpthread.so.0 (0xb7169000)
	libselinux.so.1 => /lib/libselinux.so.1 (0xb714a000)

$ ls -l /usr/lib/libssl.so.10
lrwxrwxrwx 1 root root 16 Apr  8 15:38 /usr/lib/libssl.so.10 ->
libssl.so.1.0.1e

$ openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

$ sudo grep "resuming" /var/log/httpd/error_log
[Fri Apr 18 03:21:02 2014] [notice] Apache/2.2.23 (Unix) DAV/2
mod_jk/1.2.37 PHP/5.3.28 mod_ssl/2.2.23 OpenSSL/1.0.0-fips configured --
resuming normal operations

So httpd is dynamically-linked to OpenSSL 1.0.1e (really 1.0.1g, with a
very important patch ;) and yet it reports OpenSSL 1.0.0 on startup.

I don't get it. Both setups (2.2.26 and 2.4.9) have 1.0.1.e and have an
update available to 1.0.1g (I haven't read the changelogs but I'll bet
the difference is mostly the version-bump since everyone is paranoid
about 1.0.1e, now). I'll see if that changes anything.

-chris
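
The manual comparison in the message above (banner version against the library that mod_ssl.so resolves to) can be scripted. This is an added example, not part of the original message or of httpd; the function names and `SAMPLE_*` variables are hypothetical, and the sample input is constructed from the output quoted in the message. It assumes the resolved file name carries the release version, as on the system shown here.

```shell
#!/bin/sh
# Added example. Sample inputs below are constructed from the quoted output.

# OpenSSL version token from an httpd startup banner, e.g. "1.0.0-fips".
banner_openssl_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL\/\([^ ]*\).*/\1/p' | head -n 1
}

# Path the dynamic linker resolves libssl to, taken from `ldd mod_ssl.so` output.
ldd_libssl_path() {
    printf '%s\n' "$1" | awk '$1 ~ /^libssl\.so/ && $2 == "=>" { print $3; exit }'
}

# Version suffix of a fully resolved library file name, e.g. "1.0.1e".
libssl_file_version() {
    basename "$1" | sed -n 's/^libssl\.so\.\(.*\)$/\1/p'
}

# Numeric x.y.z part only, so "1.0.1e" and "1.0.0-fips" become comparable.
base_version() {
    printf '%s\n' "$1" | sed 's/^\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/'
}

# Prints MATCH or MISMATCH with both versions; returns 1 on mismatch.
compare_banner_to_library() {   # $1 = banner line, $2 = resolved libssl file
    banner=$(banner_openssl_version "$1")
    onfile=$(libssl_file_version "$2")
    if [ "$(base_version "$banner")" = "$(base_version "$onfile")" ]; then
        echo "MATCH banner=$banner library=$onfile"
    else
        echo "MISMATCH banner=$banner library=$onfile"
        return 1
    fi
}

# Constructed sample input (copied from the message's output).
SAMPLE_BANNER='[Fri Apr 18 03:21:02 2014] [notice] Apache/2.2.23 (Unix) DAV/2 mod_jk/1.2.37 PHP/5.3.28 mod_ssl/2.2.23 OpenSSL/1.0.0-fips configured -- resuming normal operations'
SAMPLE_LDD='	libssl.so.10 => /usr/lib/libssl.so.10 (0xb765d000)
	libcrypto.so.10 => /lib/libcrypto.so.10 (0xb74a6000)'
SAMPLE_TARGET='/usr/lib/libssl.so.1.0.1e'   # what `readlink -f` gives for the symlink

ldd_libssl_path "$SAMPLE_LDD"
compare_banner_to_library "$SAMPLE_BANNER" "$SAMPLE_TARGET" || true
```

On a live host, feed it the output of `ldd` on mod_ssl.so, `readlink -f` on the path it returns, and the "resuming normal operations" line from the error log. Where the library file is named libssl.so.1.0.0 regardless of release, as in the quoted report of a 1.0.1g install, the file name says nothing about the patch level and `openssl version` is the check to use instead.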

