Thanks for the clarification on this topic... but any tip how we can cope with httpd linked with openssl 0.9.8x on redhat? Apparently there is a requirement of openssl not to overwrite the default version provided with the OS.

How do we specify to httpd the library to take at runtime?
How can we check which library is taken by httpd at runtime?

Thanks a lot for help,
P.

> From: sctemme@xxxxxxxxxx
> Date: Mon, 22 Feb 2010 17:15:22 -0800
> To: users@xxxxxxxxxxxxxxxx
> Subject: Re: How do I pick up correct version of SSL
>
> On Feb 21, 2010, at 7:17 PM, John Iliffe wrote:
>
> > I have just created a new server running Red Hat EL5.4. I decided to
> > update the version of Apache to 2.2.14 at the same time.
> >
> > I compiled with "enable-ssl=<path to openssl>" but the log shows that
> > the openssl in use is the default shipped with the operating system.
> > How do I get Apache to pick up the proper openssl version?
>
> Two issues:
>
> 1) As Igor points out, --with-ssl=/foo/bar/openssl steers the Apache build system to the OpenSSL installed under /foo/bar. The build system will pick up the include and lib subdirectories. If your OpenSSL is 0.9.8x, you may have to set and export LD_LIBRARY_PATH=/foo/bar/openssl/lib before you ./configure to make the test programs pick up the right libraries as opposed to the system copies.
>
> 2) At runtime, the httpd binary needs to find the libssl.so and libcrypto.so. It seems that on Linux (or in the httpd build system in particular), rpath doesn't work so the path to the libraries is not hardcoded in the binaries. If you compiled against your own OpenSSL 0.9.8x, the runtime will pick up the system copy unless you set and export LD_LIBRARY_PATH=/foo/bar/openssl/lib on the shell that starts the webserver. A couple of LoadFile directives in your config may also help.
>
> 3) It gets worse. On Red Hat, the C library links against OpenSSL for the Kerberos stuff, and EVERYTHING (including httpd) links against the C library. This means that the system copy of OpenSSL gets loaded when httpd starts, before it loads mod_ssl.so and resolves the dynamic library bits in it. Hence, you are likely to end up pulling in the system OpenSSL, whatever steps from 2) above you might try to make it otherwise. Nor will tearing out your hair help. If your own OpenSSL is not 0.9.8x (but 1.0.0z or 0.9.7y), this should not be a problem.
>
> Enjoy,
>
> S.
>
> > I have a horrible feeling that I have missed something important in the
> > config but I have had no success so far in finding it.
> >
> > Thanks in advance.
> >
> > John
> >
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> > " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
> --
> Sander Temme
> sctemme@xxxxxxxxxx
> PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
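One way to check which OpenSSL copy a running httpd actually mapped, as an added example that is not from any poster in this thread: it reads the process's `/proc/<pid>/maps` and flags libssl/libcrypto files outside the prefix you built against. The function names are hypothetical, `/foo/bar/openssl` is the thread's placeholder prefix, and the sample maps lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Reads /proc/<pid>/maps text on stdin.

# Print each distinct libssl/libcrypto file mapped into the process, sorted.
# Field 6 of a maps line is the backing file; anonymous mappings have none.
openssl_libs_in_maps() {
    awk '$6 ~ /\/lib(ssl|crypto)\.so/ { print $6 }' | sort -u
}

# check_openssl_prefix PREFIX
# Prints "OK <path>" or "MISMATCH <path>" for each mapped OpenSSL library.
# Returns 0 if all are under PREFIX, 1 on a mismatch, 2 if none are mapped.
check_openssl_prefix() {
    prefix=${1%/}
    rc=2
    for lib in $(openssl_libs_in_maps); do
        if [ "$rc" -eq 2 ]; then rc=0; fi
        case "$lib" in
            "$prefix"/*) echo "OK $lib" ;;
            *)           echo "MISMATCH $lib"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample: maps excerpt of an httpd that loaded the system copies.
constructed_maps() {
    cat <<'EOF'
00400000-00452000 r-xp 00000000 08:01 131 /usr/local/apache2/bin/httpd
2b5c1a000000-2b5c1a045000 r-xp 00000000 08:01 200 /lib64/libssl.so.0.9.8e
2b5c1a245000-2b5c1a24b000 rw-p 00045000 08:01 200 /lib64/libssl.so.0.9.8e
2b5c1b000000-2b5c1b12d000 r-xp 00000000 08:01 201 /lib64/libcrypto.so.0.9.8e
2b5c1c000000-2b5c1c021000 rw-p 00000000 00:00 0
EOF
}

# Usage: script.sh PID [PREFIX]   (needs read access to /proc/PID/maps)
# Without arguments the constructed sample is checked instead.
if [ -n "${1:-}" ]; then
    check_openssl_prefix "${2:-/foo/bar/openssl}" < "/proc/$1/maps"
else
    constructed_maps | check_openssl_prefix /foo/bar/openssl || true
fi
```

Run it against a worker or parent httpd PID after startup, since mod_ssl.so is only loaded once the configuration has been processed.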