Re: How do I pick up correct version of SSL

On Feb 21, 2010, at 7:17 PM, John Iliffe wrote:

> I have just created a new server running Red Hat EL5.4.  I decided to
> update the version of Apache to 2.2.14 at the same time.
> 
> I compiled with "enable-ssl=<path to openssl>" but the log shows that
> the openssl in use is the default shipped with the operating system.
> How do I get Apache to pick up the proper openssl version?

Two issues:

1) As Igor points out, --with-ssl=/foo/bar/openssl steers the Apache build system to the OpenSSL installed under /foo/bar.  The build system will pick up the include and lib subdirectories.  If your OpenSSL is 0.9.8x, you may have to set and export LD_LIBRARY_PATH=/foo/bar/openssl/lib before you ./configure to make the test programs pick up the right libraries as opposed to the system copies.  

2) At runtime, the httpd binary needs to find the libssl.so and libcrypto.so.  It seems that on Linux (or in the httpd build system in particular), rpath doesn't work so the path to the libraries is not hardcoded in the binaries.  If you compiled against your own OpenSSL 0.9.8x, the runtime will pick up the system copy unless you set and export LD_LIBRARY_PATH=/foo/bar/openssl/lib on the shell that starts the webserver.  A couple of LoadFile directives in your config may also help. 

3) It gets worse.  On Red Hat, the C library links against OpenSSL for the Kerberos stuff, and EVERYTHING (including httpd) links against the C library.  This means that the system copy of OpenSSL gets loaded when httpd starts, before it loads mod_ssl.so and resolves the dynamic library bits in it.  Hence, you are likely to end up pulling in the system OpenSSL, whatever steps from 2) above you might try to make it otherwise.  Nor will tearing out your hair help.  If your own OpenSSL is not 0.9.8x (but 1.0.0z or 0.9.7y), this should not be a problem.  

Enjoy, 

S.

> I have a horrible feeling that I have missed something important in the
> config but I have had no success so far in finding it.
> 
> Thanks in advance.
> 
> John



-- 
Sander Temme
sctemme@xxxxxxxxxx
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF
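
The checks implied by points 1) to 3), as an added example that is not part of the original message: it parses `ldd` output and `/proc/PID/maps` to confirm which libssl and libcrypto copies a binary resolves and which a running process has mapped. The prefix `/foo/bar/openssl` is the placeholder from the message; the library names, `/opt/httpd` path, `MOD_SSL` and `PID` are assumptions, and all sample data is constructed.

```shell
#!/bin/sh
# Added example. /foo/bar/openssl is the placeholder prefix from the message;
# all sample data below is constructed, not captured from a real host.

# check_ldd PREFIX: read `ldd` output on stdin and report where libssl and
# libcrypto resolve. Status 1 if either resolves outside PREFIX/lib, is not
# found, or is absent from the output (e.g. wrong file given).
check_ldd() {
    awk -v want="$1/lib/" '
        $1 ~ /^lib(ssl|crypto)[-.]/ {
            path = ($2 == "=>" && $3 != "not") ? $3 : "not-found"
            ok = (index(path, want) == 1)
            tag = ok ? "OK" : "BAD"
            print tag, $1, path
            if (!ok) bad = 1
            seen = 1
        }
        END { exit ((bad || !seen) ? 1 : 0) }'
}

# mapped_openssl: read /proc/PID/maps on stdin, list each mapped copy once.
mapped_openssl() {
    awk '$6 ~ /\/lib(ssl|crypto)[-.]/ { print $6 }' | sort -u
}

# foreign_mapped PREFIX: mapped copies that do NOT live under PREFIX/lib.
foreign_mapped() {
    mapped_openssl | awk -v want="$1/lib/" 'index($0, want) != 1'
}

SAMPLE_LDD_SYSTEM='libssl.so.0.9.8 => /lib64/libssl.so.0.9.8 (0x00002b0000000000)
libcrypto.so.0.9.8 => /lib64/libcrypto.so.0.9.8 (0x00002b0000200000)
libc.so.6 => /lib64/libc.so.6 (0x00002b0000600000)'

SAMPLE_LDD_CUSTOM='libssl.so.0.9.8 => /foo/bar/openssl/lib/libssl.so.0.9.8 (0x00002b0000000000)
libcrypto.so.0.9.8 => /foo/bar/openssl/lib/libcrypto.so.0.9.8 (0x00002b0000200000)'

SAMPLE_MAPS='2b0000000000-2b0000130000 r-xp 00000000 fd:00 1001 /lib64/libcrypto.so.0.9.8
2b0000130000-2b0000150000 rw-p 00130000 fd:00 1001 /lib64/libcrypto.so.0.9.8
2b0000400000-2b0000450000 r-xp 00000000 fd:00 1002 /lib64/libssl.so.0.9.8
2b0000900000-2b0000a00000 r-xp 00000000 fd:00 3001 /opt/httpd/modules/mod_ssl.so'

# Demo on the constructed data. On a live host, feed real input instead:
#   ldd "$MOD_SSL" | check_ldd /foo/bar/openssl         (MOD_SSL: your mod_ssl.so)
#   foreign_mapped /foo/bar/openssl < "/proc/$PID/maps" (PID: a running httpd)
printf '%s\n' "$SAMPLE_LDD_SYSTEM" | check_ldd /foo/bar/openssl \
    || echo "build-time prefix is not what the loader resolves"
printf '%s\n' "$SAMPLE_MAPS" | foreign_mapped /foo/bar/openssl
```

Run the `ldd` check from the same environment that starts the web server, since `LD_LIBRARY_PATH` changes what it reports; the `/proc/PID/maps` check shows what the running process actually loaded.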


