httpd-users mailing list archives

From Michael Felt <mamf...@gmail.com>
Subject [users@httpd] Re: httpd and OpenSSL 1.0.2
Date Fri, 05 Jun 2015 12:15:33 GMT
Along the lines of "to be continued" - IMHO httpd should be one of the
early adopters of not allowing linkage to versions of openssl that cannot
support TLS1.2.

I have built (on AIX) against libreSSL (v2.1.6) with some private additions
for AIX (that will be verified and improved upon by openbsd in the soon to
be released libreSSL 2.2 version).

Basically, there are only two defines that were 'missing'. One was rather
'obscure' in what it is supposed to be doing (i.e., looking in the openssl
code) - the other was downright 'dangerous' because it permits 'any
external so-called entropy generator' to be added and used for randomness
- because it is, or at least was, part of the openSSL libraries. (The
approach of libreSSL was to completely remove it, hence a missing #define.)

Again - to be continued. And asap - in a separate post I will post the
differences to get it to link against libreSSL (p.s. only mod_ssl needs
this afaik).

On Wed, May 27, 2015 at 3:29 PM, Tom Browder <tom.browder@gmail.com> wrote:

> On May 27, 2015 5:26 AM, "Mario Brandt" <jblond@gmail.com> wrote:
> > Hi Tom,
> > I saw you on the httpd dev mailing list about that topic. How did you
> > manage to build apache against 1.0.2?
> >
> > Cause if I try that I get in my VM
> >
> > /opt/apache2/modules/mod_ssl.so: undefined symbol: SSL_CONF_CTX_finish
> >
> > or on my real server
> >
> > /opt/apache2/modules/mod_ssl.so: undefined symbol: SSL_CONF_CTX_free
> >
> > OpenSSL
> > ./config --prefix=/usr zlib-dynamic --openssldir=/etc/ssl shared no-ssl2
> > make depend
> > make
> > sudo make install
> >
> >
> > apache
> > ./configure --prefix=/opt/apache2 --enable-pie
> > --enable-mods-shared=all --enable-so --disable-include --enable-lua
> > --enable-deflate --enable-headers --enable-expires --enable-ssl=shared
> > --enable-mpms-shared=all --with-mpm=event --enable-rewrite
> > --with-z=$HOME/apache24/httpd-2.4.12/srclib/zlib --enable-module=ssl
> > --enable-fcgid --with-included-apr
> > --with-openssl=$HOME/apache24/openssl-1.0.2a
> > --enable-ssl-staticlib-deps
> >
> > with the 1.0.1m it works all fine
> > see https://github.com/JBlond/debian_build_apache24/blob/master/build_apache.sh
> >
> >
> > Please tell me how you got it working.
>
> Mario, I did get it working, but I did have a bit more effort to make
> the latest openssl work.  Taking a quick look at your blog I believe I
> can help, but I'll explain my solution in a follow-up message so this
> thread is on the public mailing lists.
>
> I feel I must explain that I'm using a Debian 7, 64-bit server.  It
> might help if we could know your server info as other architectures
> may require more or other tweaks.
>
> Finally, the best I can probably do is show you my configure options
> which may conflict with yours.
>
> TO BE CONTINUED....
>
> Best regards,
>
> -Tom
>
