I am using a centos7 build box that has openssl 1.0.1e-fips and I use configure command as follows:
./configure --prefix=$INSTALL_DIR \
--enable-ssl \
--enable-so \
--enable-module=so\
--enable-mods-shared=ssl\
--enable-shared=ssl\
it "makes" everything fine and I can see mod_ssl.so in the $INSTALL_DIR but when I deploy this in a centos7 box that has openssl 1.0.2k-fips, I expect this new version to be picked up dynamically but it does not happen?
I see this loaded modules in which I can see ssl_module as shared as well(among others)
apachectl -M
Loaded Modules:
core_module (static)
so_module (static)
http_module (static)
mpm_event_module (static)
ssl_module (shared)
passenger_module (shared)
apachehmsmodule_module (shared)
and I have my httpd.conf file having this line
LoadModule ssl_module modules/mod_ssl.so
ldd modules/mod_ssl.so
ldd httpd/modules/mod_ssl.so
linux-vdso.so.1 => (0x00007ffeccfa5000)
libssl.so.10 => /lib64/libssl.so.10 (0x00007f7973ecf000)
libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f7973a6d000)
and it is pointing to a link
ls -lrt /lib64/libssl.so.10
lrwxrwxrwx 1 root root 16 Jan 31 2018 /lib64/libssl.so.10 -> libssl.so.1.0.2k
but if I run the query to this box using curl, it still picks up the built openssl version, why is this and how to troubleshoot to get the bottom of it?
curl --head 10.x.x.x:yyy
HTTP/1.1 400 Bad Request
Date: Wed, 08 May 2019 08:59:39 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.1e-fips Phusion_Passenger/5.0.30
Content-Length: 362
Connection: close
Content-Type: text/html; charset=iso-8859-1
If I build the same with the new openssl version in the build machine that has new openssl version, then apache comes up fine in the test box with new version.
The idea here is to not compile and build the whole apache server config for every new openssl version that comes up for security reasons.
Am I missing something while "making" please suggest.
|