OpenSSL Upgrade – How to Upgrade OpenSSL for Apache 2.2.29

apache-2.2opensslUbuntu

I am running a 10.04LTE server where I do want to upgrade openssl for apache.

Therefore I downloaded openssl 1.0.2c and apache 2.2.29 and compiled both. The server is starting, but is using the old ssl version:

curl --head http://localhost
HTTP/1.1 200 OK
Date: Mon, 22 Jun 2015 06:00:06 GMT
Server: Apache/2.2.29 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8k
Last-Modified: Sun, 18 Mar 2012 19:56:07 GMT

However, Openssl is installed in new version:

/usr/local/ssl/bin/openssl version
OpenSSL 1.0.2c 12 Jun 2015

While the original version stayes in place:

openssl version
OpenSSL 0.9.8k 25 Mar 2009

I compiled apache with:

./configure --with-included-apr --prefix=/usr/local/apache2 --enable-so     
--enable-rewrite --with-ssl=/usr/local/ssl --enable-ssl=shared
--enable-deflate --enable-expires --enable-headers

Apache did not start before I included:

LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so

According to the mod ssl website this is only available for apache 1.x

Not sure what is going wrong here. Thank you for any help!

Best Answer

The problem is that your Apache installation is unable to link the shared libraries of your new OpenSSL installation. Run the command ldd /usr/local/apache/modules/mod_ssl.so (with the apporpriate path to your mod_ssl.so). You'll see that mod_ssl.so is not linking to the libraries in /usr/local/ssl/lib

You have a couple options to fix the problem:

Option #1 - Link in the libraries:

Open /etc/ld.so.conf.d/local.conf for editing and add the following line: /usr/local/openssl/lib

Re-compile Apache (remember to make clean) and it should work.

If that doesn't work. You could also try specifying LDFLAGS directly with your configure command:

LDFLAGS=-L/usr/local/ssl/lib \ ./configure --with-included-apr --prefix=/usr/local/apache2 --enable-so     
--enable-rewrite --with-ssl=/usr/local/ssl --enable-ssl=shared
--enable-deflate --enable-expires --enable-headers

Option #2 - Upgrade the system OpenSSL:

Re-install OpenSSL with the config line ./config --prefix=/usr --openssldir=/usr/local/openssl shared

When the prefix is not specified in your config line, the OpenSSL installer will default to /usr/local/ssl.

Quick install instructions:

cd /usr/local/src
wget https://www.openssl.org/source/openssl-1.0.2-latest.tar.gz
tar -zxf openssl-1.0.2*
cd openssl-1.0.2*
./config --prefix=/usr --openssldir=/usr/local/openssl shared
make
make test
make install

Related Solutions

Linux – Apache gzip configuration

Here's an ideal .htaccess that both compresses and sets sutiable expire headers.

# Insert filter
SetOutputFilter DEFLATE

# Netscape 4.x has some problems...
BrowserMatch ^Mozilla/4 gzip-only-text/html

# Netscape 4.06-4.08 have some more problems
BrowserMatch ^Mozilla/4\.0[678] no-gzip

# MSIE masquerades as Netscape, but it is fine
# BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

# Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary

<IfModule mod_expires.c>
  ExpiresActive On
  ExpiresDefault "access plus 1 seconds"
  ExpiresByType image/x-icon "access plus 2592000 seconds"
  ExpiresByType image/jpeg "access plus 2592000 seconds"
  ExpiresByType image/png "access plus 2592000 seconds"
  ExpiresByType image/gif "access plus 2592000 seconds"
  ExpiresByType application/x-shockwave-flash "access plus 2592000 seconds"
  ExpiresByType text/css "access plus 604800 seconds"
  ExpiresByType text/javascript "access plus 216000 seconds"
  ExpiresByType application/x-javascript "access plus 216000 seconds"
  ExpiresByType text/html "access plus 600 seconds"
  ExpiresByType application/xhtml+xml "access plus 600 seconds"
</IfModule>

<IfModule mod_headers.c>
  <FilesMatch "\\.(ico|jpe?g|png|gif|swf)$">
    Header set Cache-Control "max-age=2592000, public"
  </FilesMatch>
  <FilesMatch "\\.(css)$">
    Header set Cache-Control "max-age=604800, public"
  </FilesMatch>
  <FilesMatch "\\.(js)$">
    Header set Cache-Control "max-age=216000, private"
  </FilesMatch>
  <FilesMatch "\\.(x?html?|php)$">
    Header set Cache-Control "max-age=600, private, must-revalidate"
  </FilesMatch>
</IfModule>

<IfModule mod_headers.c>
  Header unset ETag
</IfModule>
FileETag None

<IfModule mod_headers.c>
  Header unset Last-Modified
</IfModule>

The following article covers what it does and also talks about compression:

http://www.samaxes.com/2009/01/06/more-on-compressing-and-caching-your-site-with-htaccess/

Hope that helps.

Compiling Apache mod_ssl for different target hardware (hardware capability unsupported SSE2 error)

Here are the steps that I have done to successfully build and install the Apache httpd-2.4.10 and OpenSSL openssl-1.0.1j on Solaris 10.

Download following software
openssl-1.0.1j.tar.gz
httpd-2.4.10.tar.gz
apr-1.5.1.tar.gz
apr-util-1.5.4.tar.gz
pcre-8.36.tar.gz
Verify Make and CC
By default gcc is at /usr/sfw/bin/gcc and make is at /usr/ccs/bin/make

Include following in the PATH
usr/local/ssl/bin:/usr/sfw/bin:/usr/local/bin:/usr/ccs/bin

Include following in the LD_LIBRARY_PATH
/usr/local/lib:/usr/local/ssl/lib
Build and install openssl-1.0.1j
Unzip and un-tar openssl-1.0.1j.tar.gz to /usr/local/openssl-1.0.1j
Execute following commands in order. The shared parameter is very important so that it can be linked with httpd-2.4.10 build for SSL enabling.
```
$ cd /usr/local/openssl-1.0.1j
$ ./config shared
$ make
$ make test
$ make install
```
By default it installs openssl at /usr/local/ssl
Install pcre-8.36 Unzip and un-tar pcre-8.36.tar.gz to /usr/local/ pcre-8.36

Execute following commands in order
```
$ cd /usr/local/ pcre-8.36
$ ./configure 
$ make
$ make install
```
By default, make install installs the package's commands under /usr/local/bin, include files under /usr/local/include, etc.
Build and install httpd-2.4.10

Unzip and un-tar httpd-2.4.10.tar.gz to /usr/local/httpd-2.4.10

Unzip and un-tar apr-1.5.1.tar.gz to /usr/local/httpd-2.4.10/srclib
Rename /usr/local/apr-1.5.1 to /usr/local/apr

Unzip and un-tar apr-util-1.5.4.tar.gz to /usr/local/httpd-2.4.10/srclib
Rename /usr/local/apr-util to /usr/local/apr-util

Execute following commands in order
```
$ ./configure --prefix=/usr/local/apache2 --with-included-apr --enable-so –enable-ssl=shared --with-ssl=/usr/local/ssl
$ make
$ make install
```
It installs it at /usr/local/apache2

The installation is complete. To enable SSL and Proxy, update /usr/local/apache2/conf/httpd.conf with uncommentting following lines

LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_express_module modules/mod_proxy_express.so

LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule ssl_module modules/mod_ssl.so

Include conf/extra/httpd-ssl.conf

Now you can work on httpd-ssl.conf as you usually do to complete your configuration

Best Answer

Related Solutions

Linux – Apache gzip configuration

Compiling Apache mod_ssl for different target hardware (hardware capability unsupported SSE2 error)

Related Topic