From: John Iliffe
To: users@httpd.apache.org
Date: Sun, 13 Apr 2014 19:34:02 -0400
Subject: Re: [users@httpd] mod ssl

Well, after a weekend of absolute frustration I figured this one out.
Because there is a paucity of documentation and given the importance of OpenSSL to the Apache community, I will give a full explanation as to what happened and why, and I hope that the Apache maintainers will be interested in putting some of this in the docs, even though some parts are really not Apache issues.

Here I am assuming that you are not using the O/S supplied OpenSSL version and that you are either updating Apache or don't have OpenSSL linked dynamically.

First, compile OpenSSL from source. You need to have AT LEAST the following two parameters in the configuration:

    --prefix=/path/to/new/OpenSSL
    share    <-- without this Apache will not link to OpenSSL

Add any other parameters required and make, make test, make install.

Now compile Apache as per the instructions in the INSTALL file and for OpenSSL you need:

    --enable-ssl
    --with-ssl=/path/to/new/OpenSSL    <-- this gets you the correct version of OpenSSL, not the one supplied by the O/S

Compile and install Apache and edit the configuration file httpd.conf to make sure that the LoadModule statement for SSL is not commented out.

Now run

    httpd -t

You will probably get an error saying can't open libssl.so.x.x.x, no such file or directory.

The documentation in the Apache install implies that when you use the form with-xxx=(path) that the module will be made available (i.e. the path to the required libraries will be stored in the DSO) but this isn't the case. The library (found in the OpenSSL installation directory in the /bin/ subdirectory) must be copied to the SYSTEM's library directory. In my case (Red Hat EL6) this is /usr/lib64/ but other distros may put it somewhere else.

Be careful here; don't overlay any library with the same name. I give this warning because the library for OpenSSL-1.0.1g is named libssl.so.1.0.0 whereas previous releases named the library the same as the release (e.g. libssl.so.1.0.1e).

Now run httpd -t again.
You will probably get another error on libcrypto.so and have to copy in the library from the OpenSSL installation directory.

Now try httpd -t and everything SHOULD work.

Start Apache (apachectl -k start) and HTTPD should come up.

Now do:

    head /path to logfiles/error_log

and check that the start message shows that the correct version of OpenSSL started. It is shown on the first line of the new log, just ahead of the command line for the starting httpd.

Folks, I know this is somewhat arcane and probably overkill, but I just spent two days that I really didn't have chasing things around and a slight enhancement of the installation instructions would have been very welcome.

Regards, and thanks to those who replied to my two previous posts.

John
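Added example, not part of the original post: a shell check for the two things the message verifies by hand, namely where mod_ssl's libssl/libcrypto dependencies resolve and which OpenSSL version Apache logged at startup. The ldd output, the log line and the module path in the comments are constructed placeholders; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; the sample ldd output and log line below are constructed.

# stdin: output of `ldd /path/to/apache/modules/mod_ssl.so` (placeholder path).
# stdout: "<library> <resolved path>" for libssl/libcrypto, MISSING if not found.
ssl_lib_resolution() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ {
        if ($0 ~ /not found/) print $1, "MISSING"
        else print $1, $3
    }'
}

# stdin: ssl_lib_resolution output; $1: directory the libraries must load from.
# Succeeds only if at least one library line was seen and all resolve under $1.
check_prefix() {
    awk -v p="$1" '
        { n++; if ($2 == "MISSING" || index($2, p) != 1) bad = 1 }
        END { if (bad || n == 0) exit 1 }'
}

# stdin: error_log contents; stdout: OpenSSL version from the first startup banner.
logged_openssl_version() {
    sed -n 's/.* OpenSSL\/\([^ ]*\).*/\1/p' | head -n 1
}

# Constructed sample: the state that makes `httpd -t` fail with "cannot open".
LDD_BEFORE='    libssl.so.1.0.0 => not found
    libcrypto.so.1.0.0 => not found
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000000000)'

# Constructed sample: the state after the libraries are in /usr/lib64/.
LDD_AFTER='    libssl.so.1.0.0 => /usr/lib64/libssl.so.1.0.0 (0x00007f0000200000)
    libcrypto.so.1.0.0 => /usr/lib64/libcrypto.so.1.0.0 (0x00007f0000400000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000000000)'

# Constructed sample of the startup line written to error_log.
LOG_LINE='[notice] Apache/2.4.9 (Unix) OpenSSL/1.0.1g configured -- resuming normal operations'

for sample in "$LDD_BEFORE" "$LDD_AFTER"; do
    if printf '%s\n' "$sample" | ssl_lib_resolution | check_prefix /usr/lib64/; then
        echo "OK: libssl and libcrypto resolve under /usr/lib64/"
    else
        echo "FAIL: OpenSSL library unresolved or loaded from an unexpected path"
    fi
done
echo "Apache logged OpenSSL $(printf '%s\n' "$LOG_LINE" | logged_openssl_version)"
```

Checking the resolved path as well as the logged version catches the case the message warns about, where a library of the same name from a different build is the one that actually gets loaded.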