Upgrade OpenSSL version used by apache without recompiling the server but just mod_ssl

apache-2.2mod-sslopenssl

I have an Apache server on a Unix machine:

Apache/2.2.29 (Unix) OpenSSL/0.9.8zg

I would like to upgrade the OpenSSL version to 1.0.2, which is the version currently installed on my system:

machine:/ user$ openssl version
OpenSSL 1.0.2d 9 Jul 2015

Can I do that without recompiling the whole server? Do I have to recompile mod_ssl only as it is loaded inside httpd.conf with LoadModule?:

LoadModule ssl_module modules/mod_ssl.so

How can I do that?

Best Answer

The mod_ssl.so library is dynamically linked to OpenSSL:

$ ldd mod_ssl.so | egrep 'lib(ssl|crypto)'
    libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f23f7209000)
    libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f23f6e26000)

As long as your upgrade of OpenSSL does not change the path to the library, all you need to do is upgrade OpenSSL, and then restart Apache so that the new OpenSSL library is loaded. The last time that OpenSSL changed the library paths was in 1.0.0, I believe, so if you are updating from 1.0.0 or later, it should be fine. If you are upgrading from an older version (e.g. 0.9.8), you will need to rebuild mod_ssl after rebuilding OpenSSL.

Related Solutions

Compiling Apache mod_ssl for different target hardware (hardware capability unsupported SSE2 error)

Here are the steps that I have done to successfully build and install the Apache httpd-2.4.10 and OpenSSL openssl-1.0.1j on Solaris 10.

Download following software
openssl-1.0.1j.tar.gz
httpd-2.4.10.tar.gz
apr-1.5.1.tar.gz
apr-util-1.5.4.tar.gz
pcre-8.36.tar.gz
Verify Make and CC
By default gcc is at /usr/sfw/bin/gcc and make is at /usr/ccs/bin/make

Include following in the PATH
usr/local/ssl/bin:/usr/sfw/bin:/usr/local/bin:/usr/ccs/bin

Include following in the LD_LIBRARY_PATH
/usr/local/lib:/usr/local/ssl/lib
Build and install openssl-1.0.1j
Unzip and un-tar openssl-1.0.1j.tar.gz to /usr/local/openssl-1.0.1j
Execute following commands in order. The shared parameter is very important so that it can be linked with httpd-2.4.10 build for SSL enabling.
```
$ cd /usr/local/openssl-1.0.1j
$ ./config shared
$ make
$ make test
$ make install
```
By default it installs openssl at /usr/local/ssl
Install pcre-8.36 Unzip and un-tar pcre-8.36.tar.gz to /usr/local/ pcre-8.36

Execute following commands in order
```
$ cd /usr/local/ pcre-8.36
$ ./configure 
$ make
$ make install
```
By default, make install installs the package's commands under /usr/local/bin, include files under /usr/local/include, etc.
Build and install httpd-2.4.10

Unzip and un-tar httpd-2.4.10.tar.gz to /usr/local/httpd-2.4.10

Unzip and un-tar apr-1.5.1.tar.gz to /usr/local/httpd-2.4.10/srclib
Rename /usr/local/apr-1.5.1 to /usr/local/apr

Unzip and un-tar apr-util-1.5.4.tar.gz to /usr/local/httpd-2.4.10/srclib
Rename /usr/local/apr-util to /usr/local/apr-util

Execute following commands in order
```
$ ./configure --prefix=/usr/local/apache2 --with-included-apr --enable-so –enable-ssl=shared --with-ssl=/usr/local/ssl
$ make
$ make install
```
It installs it at /usr/local/apache2

The installation is complete. To enable SSL and Proxy, update /usr/local/apache2/conf/httpd.conf with uncommentting following lines

LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_express_module modules/mod_proxy_express.so

LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule ssl_module modules/mod_ssl.so

Include conf/extra/httpd-ssl.conf

Now you can work on httpd-ssl.conf as you usually do to complete your configuration

Apache eats up too much ram per child

From Apache 2.2.15 Changelog there is memory leaks fix in 2.2.15 but if you top output is after apache start it's really huge from my point of view.
Did you try a worker config ?
Could you add the output of ldd tool on you httpd binary ?

Best Answer

Related Solutions

Compiling Apache mod_ssl for different target hardware (hardware capability unsupported SSE2 error)

Apache eats up too much ram per child

Related Topic