Upgrade openssl/mod_ssl on Mac OS X Server

apache-2.2mac-osx-servermod-sslopenssl

Context: I'm trying to set up an SVN server on a Mac OS X Server 10.6.7, and I'm running into the “SSL error parse tlsext” issue. I've tried changing the SSLProtocol option as described, but then I just get the "bad decompression" error.

The other solution seems to be to upgrade openssl to 0.9.8m or greater.

I can download and compile openssl just fine, but I don't know the best way to hook it into the default installation of Apache and mod_ssl. I'd like to stick with the built-in Apple software as much as possible, and preferably not overwrite their version of openssl either.

How do I update mod_ssl to use a new version of openssl on Mac OS X Server 10.6?

Best Answer

As CocoaBean has pointed out you will need to rebuild mod_ssl linking against the OpenSSL library you want to use rather than the one that comes with OS X. You would want to grab a copy of the Apache source code, as used in OS X (or the latest from httpd.apache.org) and then rebuild it in accordance with the Apache Foundation's installation instructions, paying special attention to how you specify which SSL library you want to link against.

Ideally you should only need to rebuild mod_ssl.so, but my suggestion would be to build and install a separate Apache instance to avoid any problems during OS X updates that could result in your modifications getting blown away.

Related Solutions

Compiling Apache mod_ssl for different target hardware (hardware capability unsupported SSE2 error)

Here are the steps that I have done to successfully build and install the Apache httpd-2.4.10 and OpenSSL openssl-1.0.1j on Solaris 10.

Download following software
openssl-1.0.1j.tar.gz
httpd-2.4.10.tar.gz
apr-1.5.1.tar.gz
apr-util-1.5.4.tar.gz
pcre-8.36.tar.gz
Verify Make and CC
By default gcc is at /usr/sfw/bin/gcc and make is at /usr/ccs/bin/make

Include following in the PATH
usr/local/ssl/bin:/usr/sfw/bin:/usr/local/bin:/usr/ccs/bin

Include following in the LD_LIBRARY_PATH
/usr/local/lib:/usr/local/ssl/lib
Build and install openssl-1.0.1j
Unzip and un-tar openssl-1.0.1j.tar.gz to /usr/local/openssl-1.0.1j
Execute following commands in order. The shared parameter is very important so that it can be linked with httpd-2.4.10 build for SSL enabling.
```
$ cd /usr/local/openssl-1.0.1j
$ ./config shared
$ make
$ make test
$ make install
```
By default it installs openssl at /usr/local/ssl
Install pcre-8.36 Unzip and un-tar pcre-8.36.tar.gz to /usr/local/ pcre-8.36

Execute following commands in order
```
$ cd /usr/local/ pcre-8.36
$ ./configure 
$ make
$ make install
```
By default, make install installs the package's commands under /usr/local/bin, include files under /usr/local/include, etc.
Build and install httpd-2.4.10

Unzip and un-tar httpd-2.4.10.tar.gz to /usr/local/httpd-2.4.10

Unzip and un-tar apr-1.5.1.tar.gz to /usr/local/httpd-2.4.10/srclib
Rename /usr/local/apr-1.5.1 to /usr/local/apr

Unzip and un-tar apr-util-1.5.4.tar.gz to /usr/local/httpd-2.4.10/srclib
Rename /usr/local/apr-util to /usr/local/apr-util

Execute following commands in order
```
$ ./configure --prefix=/usr/local/apache2 --with-included-apr --enable-so –enable-ssl=shared --with-ssl=/usr/local/ssl
$ make
$ make install
```
It installs it at /usr/local/apache2

The installation is complete. To enable SSL and Proxy, update /usr/local/apache2/conf/httpd.conf with uncommentting following lines

LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_express_module modules/mod_proxy_express.so

LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule ssl_module modules/mod_ssl.so

Include conf/extra/httpd-ssl.conf

Now you can work on httpd-ssl.conf as you usually do to complete your configuration

SSLVerifyClient require in .htaccess on shared host—CVE-2009-3555 mitigation woes

Q1: Yeah, correct.

Q2: No, I don't think it'll work.

Config-wise, is there any reason SSLCACertificateFile couldn't go in a broader config section like a VirtualHost block?

But, that aside, client certificates are probably a lost cause on this system, assuming that GoDaddy has actually patched to disable renegotiation (with them, I won't assume). I don't know of any way around the requirement that client certificate authentication requires a renegotiation.

Best Answer

Related Solutions

Compiling Apache mod_ssl for different target hardware (hardware capability unsupported SSE2 error)

SSLVerifyClient require in .htaccess on shared host—CVE-2009-3555 mitigation woes

Related Topic