apache 2.4.37 + mod_ssl built as DSO is not dynamically linking the new openssl version




Hi Folks,

I need help resolving an issue that I am facing.

I am using a CentOS 7 build box that has openssl 1.0.1e-fips, and I use the configure command as follows:

  ./configure --prefix=$INSTALL_DIR \
            --enable-ssl \
            --enable-so \
            --enable-module=so \
            --enable-mods-shared=ssl \
            --enable-shared=ssl

It "makes" everything fine and I can see mod_ssl.so in the $INSTALL_DIR, but when I deploy this on a CentOS 7 box that has openssl 1.0.2k-fips, I expect this new version to be picked up dynamically, but it does not happen.

I see these loaded modules, in which I can see ssl_module as shared as well (among others):

apachectl -M
Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_event_module (static)
 ssl_module (shared)
 passenger_module (shared)
 apachehmsmodule_module (shared)

and my httpd.conf file has this line:

LoadModule ssl_module modules/mod_ssl.so

ldd modules/mod_ssl.so

ldd httpd/modules/mod_ssl.so
        linux-vdso.so.1 =>  (0x00007ffeccfa5000)
        libssl.so.10 => /lib64/libssl.so.10 (0x00007f7973ecf000)
        libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f7973a6d000)

and it is pointing to a link:

ls -lrt /lib64/libssl.so.10
lrwxrwxrwx 1 root root 16 Jan 31  2018 /lib64/libssl.so.10 -> libssl.so.1.0.2k

But if I query this box using curl, it still picks up the openssl version it was built with. Why is this, and how do I troubleshoot to get to the bottom of it?

curl --head 10.x.x.x:yyy
HTTP/1.1 400 Bad Request
Date: Wed, 08 May 2019 08:59:39 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.1e-fips Phusion_Passenger/5.0.30
Content-Length: 362
Connection: close
Content-Type: text/html; charset=iso-8859-1

If I build the same with the new openssl version on a build machine that has the new openssl version, then apache comes up fine on the test box with the new version.

The idea here is to not compile and build the whole apache server config for every new openssl version that comes up for security reasons.

Am I missing something while "making"? Please suggest.
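
A troubleshooting check for the situation described above, as an added example that is not part of the original post: `ldd` shows what the loader would resolve for the module file, while `/proc/<pid>/maps` shows which libssl/libcrypto files a running httpd process has actually mapped, including files deleted on disk since the process started. The function names, the sample map lines and the `/opt/httpd` path are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the libssl/libcrypto files a process has mapped.
# Input is text in /proc/<pid>/maps format on stdin. Field 6 is the path, and
# the kernel appends " (deleted)" when the file was unlinked after mapping
# (for instance a library package update without a restart of the process).
mapped_tls_libs() {
    awk '$6 ~ "/lib(ssl|crypto)[^/]*\\.so" {
             print $6 ($7 == "(deleted)" ? " (deleted)" : "")
         }' | sort -u
}

# Exit status 0 when at least one mapped TLS library is a deleted file,
# meaning the process still runs the old code until it is restarted.
has_stale_tls_libs() {
    mapped_tls_libs | grep -q ' (deleted)$'
}

# Constructed sample: addresses, inodes and the /opt/httpd path are made up.
SAMPLE_MAPS='7f7973a6d000-7f7973c24000 r-xp 00000000 fd:00 1234 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f7973c24000-7f7973e23000 ---p 001b7000 fd:00 1234 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f7973ecf000-7f7973f36000 r-xp 00000000 fd:00 1235 /usr/lib64/libssl.so.1.0.1e (deleted)
7f7974000000-7f7974010000 r-xp 00000000 fd:00 1300 /opt/httpd/modules/mod_ssl.so'

# Live use (assumption: the pid of the parent httpd process is passed as $1);
# with no argument the constructed sample is analysed instead.
if [ "${1:-}" ]; then
    mapped_tls_libs < "/proc/$1/maps"
else
    printf '%s\n' "$SAMPLE_MAPS" | mapped_tls_libs
fi
```

Comparing this output with the `ldd` result for `mod_ssl.so` shows whether the running process and the module file on disk agree on the library.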


