Well, after a weekend of absolute frustration I figured this one out.
Because there is a paucity of documentation and given the importance of
OpenSSL to the Apache community, I will give a full explanation as to what
happened and why, and I hope that the Apache maintainers will be interested
in putting some of this in the docs, even though some parts are really not
Apache issues.
Here I am assuming that you are not using the O/S supplied OpenSSL version
and that you are either updating Apache or don't have OpenSSL linked
dynamically.
First, compile OpenSSL from source. You need to have AT LEAST the
following two parameters in the configuration:
    --prefix=/path/to/new/OpenSSL
    share    <-- without this Apache will not link to OpenSSL
Add any other parameters required and make, make test, make install.
Now compile Apache as per the instructions in the INSTALL file and for
OpenSSL you need:
    --enable-ssl
    --with-ssl=/path/to/new/OpenSSL    <-- this gets you the correct
                                           version of OpenSSL, not the one
                                           supplied by the O/S
Compile and install Apache and edit the configuration file httpd.conf to make
sure that the LoadModule statement for SSL is not commented out.
Now run httpd -t. You will probably get an error saying can't open
libssl.so.x.x.x, no such file or directory. The documentation in the Apache
install implies that when you use the form with-xxx=(path) the module will
be made available (i.e. the path to the required libraries will be stored in
the DSO)
but this isn't the case. The library (found in the OpenSSL installation
directory in the /bin/ subdirectory) must be copied to the SYSTEM's library
directory.
In my case (Red Hat EL6) this is /usr/lib64/ but other distros
may put it somewhere else. Be careful here; don't overlay any library with
the same name. I give this warning because the library for OpenSSL-1.0.1g
is named libssl.so.1.0.0 whereas previous releases named the library the
same as the release (e.g. libssl.so.1.0.1e).
Now run httpd -t again. You will probably get another error on
libcrypto.so and have to copy in the library from the OpenSSL installation
directory.
Now try httpd -t and everything SHOULD work.
Start Apache (apachectl -k start) and HTTPD should come up. Now do:
head /path to logfiles/error_log
and check that the start message shows that the correct version of OpenSSL
started. It is shown on the first line of the new log, just ahead of the
command line for the starting httpd.
Folks, I know this is somewhat arcane and probably overkill, but I just
spent two days that I really didn't have chasing things around and a slight
enhancement of the installation instructions would have been very welcome.
Regards, and thanks to those who replied to my two previous posts.
John
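
The two library steps above (the "can't open libssl.so" error and the warning about not overlaying a library of the same name) can be checked mechanically. This is an added example, not part of the original post: the function names are hypothetical, the directory holding the new-build libraries is passed in as a parameter, and the ldd output and files in the demo are constructed. In real use the input would be the output of ldd run on mod_ssl.so.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# classify_ssl_libs NEWDIR: reads `ldd` output for mod_ssl.so on stdin and
# compares each libssl/libcrypto dependency with the new build in NEWDIR.
#   MISSING    loader cannot resolve it (the "can't open libssl.so" error)
#   MATCH      resolved file is byte-identical to the new build
#   DIFFERENT  same name, but not the file that was just built
#   UNKNOWN    NEWDIR holds no library of that name
classify_ssl_libs() {
    newdir=$1
    while read -r name arrow path _rest; do
        case $name in
            libssl.so*|libcrypto.so*) ;;
            *) continue ;;
        esac
        if [ "$arrow" = "=>" ] && [ "$path" = "not" ]; then
            echo "MISSING $name"
        elif [ ! -f "$newdir/$name" ]; then
            echo "UNKNOWN $name $path"
        elif cmp -s "$newdir/$name" "$path"; then
            echo "MATCH $name $path"
        else
            echo "DIFFERENT $name $path"
        fi
    done
}

# install_no_overlay SRC DESTDIR: copy SRC unless a different file with the
# same name is already there (the "don't overlay" warning in the post).
install_no_overlay() {
    dest=$2/$(basename "$1")
    if [ -e "$dest" ] && ! cmp -s "$1" "$dest"; then
        echo "REFUSED: $dest exists and differs from $1" >&2
        return 1
    fi
    cp -p "$1" "$dest"
}

# Constructed demo: temp directories stand in for the new build and /usr/lib64.
demo=$(mktemp -d)
mkdir "$demo/new" "$demo/sys"
echo new-ssl > "$demo/new/libssl.so.1.0.0"
echo new-crypto > "$demo/new/libcrypto.so.1.0.0"
echo os-crypto > "$demo/sys/libcrypto.so.1.0.0"
sample_ldd="  libssl.so.1.0.0 => not found
  libcrypto.so.1.0.0 => $demo/sys/libcrypto.so.1.0.0 (0x00007f0000000000)
  libc.so.6 => /lib64/libc.so.6 (0x00007f0000200000)"
printf '%s\n' "$sample_ldd" | classify_ssl_libs "$demo/new"
rm -rf "$demo"
```

A DIFFERENT result after copying means the loader is still picking up another build under the same file name, which is the case the version line in error_log would also reveal.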