httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeff Trawick <traw...@gmail.com>
Subject Re: [users@httpd] mod ssl
Date Sun, 13 Apr 2014 23:44:11 GMT
On Sun, Apr 13, 2014 at 7:34 PM, John Iliffe <john.iliffe@iliffe.ca> wrote:

> Well, after a weekend of absolute frustration I figured this one out.
>
> Because there is a paucity of documentation and given the importance of
> OpenSSL to the Apache community, I will give a full explanation as to what
> happened and why, and I hope that the Apache maintainers will be interested
> in putting some of this in the docs, even though some parts are really not
> Apache issues.
>
> Here I am assuming that you are not using the O/S supplied OpenSSL version
> and that you are either updating Apache or don't have OpenSSL linked
> dynamically.
>
> First, compile OpenSSL from source.  You need to have AT LEAST the
> following two parameters in the configuration:
>
> --prefix=/path/to/new/OpenSSL
> share      <-- without this Apache will not link to OpenSSL
>
> add any other parameters required and make, make test, make install
>
> Now compile Apache as per the instructions in the INSTALL file and for
> OpenSSL you need:
>
> --enable-ssl
> --with-ssl=/path/to/new/OpenSSL   <-- this gets you the correct version of
>       OpenSSL, not the one supplied by the O/S
>
> compile and install Apache and edit the configuration file httpd.conf to
> make
> sure that the LoadModule statement for SSL is not commented out.
>
> Now run httpd -t
>
> you will probably get an error saying can't open libssl.so.x.x.x, no such
> file or directory.  The documentation in the Apache install implies that
> when you use the form with-xxx=(path) that the module will be made
> available (ie the path to the required libraries will be stored in the DSO)
> but this isn't the case.  The library (found in the OpenSSL installation
> directory in the /bin/ subdirectory) must be copied to the SYSTEM's library
> directory.


IMO it is best to avoid mixing stuff you built with system directories,
especially when part of the installation is manual and easily forgotten.

You could edit <HTTPDINST>/bin/envvars and update LD_LIBRARY_PATH to
include /path/to/new/OpenSSL/lib so that httpd could find libssl.so.x.x.x.

After that you need to always use "apachectl <args>" instead of "httpd
<args>" so that envvars takes effect.

(I don't know why the custom OpenSSL lib directory doesn't end up in rpath.
 Does anyone know?)


> In my case (Red Hat EL6) this is /usr/lib64/  but other distros
> may put it somewhere else.  Be careful here; don't overlay any library with
> the same name.  I give this warning because the library for OpenSSL-1.0.1g
> is named libssl.so.1.0.0 whereas previous releases named the library the
> same as the release (eg libssl.so.1.0.1e).
>
> Now run httpd -t again.  You will probably get another error on
> libcrypto.so and have to copy in the library from the OpenSSL installation
> directory.
>
> Now try httpd -t and everything SHOULD work.
>
> Start Apache (apachectl -k start) and HTTPD should come up.  Now do:
>
> head /path to logfiles/error_log
>
> and check that the start message shows that the correct version of OpenSSL
> started.  It is shown on the first line of the new log, just ahead of the
> command line for the starting httpd.
>
> Folks, I know this is somewhat arcane and probably overkill, but I just
> spent two days that I really didn't have chasing things around and a slight
> enhancement of the installation instructions would have been very welcome.
>
> Regards, and thanks to those who replied to my two previous posts.
>
> John
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>


-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/

Mime
View raw message