Re: httpd and OpenSSL 1.0.2

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Along the lines of "to be continued" - IMHO httpd should be one of the early adopters of not allowing linkage to versions of openssl that cannot support TLS1.2.

I have built (on AIX) against libreSSL (v2.1.6) with some private additions for AIX (that will be verified and improved upon by openbsd in the soon to be released libreSSL 2.2 version).

Basically, there are only two defines that were 'missing'. One was rather 'obscure' it what it is suppossed to be doing (i.e., looking in the openssl code) - the other was downright 'dangerous" because it permits 'any external so-called enthrophy generator' to be added and used for randomness - because it is, or at least was, part of the openSSL libraries. (the approach of libreSSL was to completely remove it, hence a missing #define).

Again - to be continued. and asap - in a separate post I will post the differences to get it to link against libreSSL (p.s. only mod_ssl needs this afaik).

On Wed, May 27, 2015 at 3:29 PM, Tom Browder <tom.browder@xxxxxxxxx> wrote:
On May 27, 2015 5:26 AM, "Mario Brandt" <jblond@xxxxxxxxx> wrote:
> Hi Tom,
> I saw you on the httpd dev mailing list about that topic. How did you
> manage to build apache against 1.0.2?
>
> Cause if I try that I get in my VM
>
> /opt/apache2/modules/mod_ssl.so: undefined symbol: SSL_CONF_CTX_finish
>
> or on my real server
>
> /opt/apache2/modules/mod_ssl.so: undefined symbol: SSL_CONF_CTX_free
>
> OpenSSL
> ./config --prefix=/usr zlib-dynamic --openssldir=/etc/ssl shared no-ssl2
> make depend
> make
> sudo make install
>
>
> apache
> ./configure --prefix=/opt/apache2 --enable-pie
> --enable-mods-shared=all --enable-so --disable-include --enable-lua
> --enable-deflate --enable-headers --enable-expires --enable-ssl=shared
> --enable-mpms-shared=all --with-mpm=event --enable-rewrite
> --with-z=$HOME/apache24/httpd-2.4.12/srclib/zlib --enable-module=ssl
> --enable-fcgid --with-included-apr
> --with-openssl=$HOME/apache24/openssl-1.0.2a
> --enable-ssl-staticlib-deps
>
> with the 1.0.1m it works all fine
> seehttps://github.com/JBlond/debian_build_apache24/blob/master/build_apache.sh
>
>
> Please tell me how you got it working.

Mario, I did get it working, but I did have a bit more effort to make
the latest openssl work.  Taking a quick look at your blog I believe I
can help, but I'll explain my solution in a follow-up message so this
thread is on the public mailing lists.

I feel I must explain that I'm using a Debian 7, 64-bit server.  It
might help if we could know your server info as other architectures
may require more or other tweaks.

Finally, the best I can probably do is show you my configure options
which may conflict with yours.

TO BE CONTINUED....

Best regards,

-Tom

[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux