Tag Archives: cryptography

OpenSSL v 1.0.2: building / compiling from source (Linux / CentOS / Red Hat)

As a precursor of installing a web server such as Apache (http version 2.4.10) and to avail of certain features as in able to configure the certificate chain on a certificate basis, we need to update to this version.

An earlier post detailed the steps to compile the OpenSSL v1.0.1 series and this one would cover the next version. The steps remain the same however the earlier post is more detailed.

  1. Run “config”
  2. Run “make”
  3. Run “make test”
  4. Run “make install”

A little more granularity:


$ ./config shared --prefix=/installs/openssl-1.0.2

Here: I have specified the installation folder to be explicit. You could point it to any other location or go with the default “/usr/local/ssl”. Note that if you would like to compile in the ECC Optimizations (ECC accelerator) refer to my earlier post.


$ make
$ make test
$ make install

You might face build issues as in “gcc” not being available or an incorrect version. Try “yum update gcc”.

The final step is to set the environment as in:


export LD_LIBRARY_PATH=/installs/openssl-1.0.2/lib:$LD_LIBRARY_PATH
export PATH=/installs/openssl-1.0.2/bin:$PATH

Apache httpd 2.2.22 (or 2.4.x) and OpenSSL 1.x.x (RHEL or CentOS Linux) – build / compile / install Apache Web Server and OpenSSL with ECC (Elliptic Curve Cryptography) Accelarator on Linux (CentOS Red Hat)

The stack:

  1. Apache httpd (web server) version 2.2.22
  2. OpenSSL 1.x.x. (1.0.1c)
  3. RedHat Enterprise Linux 5.8 (rhel), CentOS or any flavor of Linux.

The goal:

To upgrade the OpenSSL library from 0.8.x to 1.x.x. The reason for the upgrade is the DSA algorithm support required in terms of installing a server certificate that is signed through the use of DSA 2048_256 CA key. Also to build and provide Elliptic Curve Cryptography (ECC) support with optimizations.

Problems:

These are the problems or issues that had to be resolved in order to achieve the goal:

  1. OpenSSL 1.x.x. rpm not available. Therefore we needed to download the source and build it. And then it had to be installed in a location as not to overwrite the existing OpenSSL installation. Please note: the RedHat and CentOS linux (not to mention the other variants of linux) have a huge number of packages (I counted 500) that have dependencies directly or indirectly to OpenSSL. Consequently it is easier not to overwrite the OpenSSL installation with the later version; or remove the older version and install the later version.In a production system, you might want to do an “upgrade” but that is beyond the scope of this document.
  2. Apache 2.2.22 rpm not available (at least in the repository that we access). Consequently we would be downloading the source and building it as well.

Build and install process

This section details the effort and steps undertaken to install both OpenSSL and Apache httpd. We being with OpenSSL, install that and move on to Apache httpd.

OpenSSL

Download the source and save it. Thereafter you have two options:

  1. Do you want to httpd to link statically to the generated static OpenSSL libararies (.a extension)?
  2. or dynamically to a shared library (.so)?

Although I found that the approach in bullet 1 led to the goal being easier to accomplish as there were issues in Apache httpd able to load the correct OpenSSL version with approach 2. This resulted in a lot of debugging to get it to work (the issue turned out to be the LDAP support that I was compiling with). However, in this document I will detail the second approach.

At the shell:

Now we check the installation to confirm the presence of shared libraries (.so files).

The creation of “libcrypto.so” and “libssl.so” is confirmed.

Optional Support for 64-bit optimized implementations of EC (Elliptic Curves)

To add support for 64-bit optimized implementations for NIST-P224, NIST-P256, NIST-P521, provide “enable-ec_nistp_64_gcc_128″ on the “configure” command line.

Reference: http://www.apachehaus.com/ossl101.txt

Apache httpd

We set the LD_LIBRARY_PATH to “/usr/local/ssl/lib” so as to make sure that the Apache httpd installation picks up the right libraries viz the right version – the version that has been installed as a result of following the steps in the preceding section.

export LD_LIBRARY_PATH=/usr/local/ssl/lib

We are assuming that a prior Apache Web Server version is not installed on the system. If it is then you could easily remove it if it is package managed.

To install Apache httpd, the following steps are to be followed (the proceeding texts details the arguments to configure):

If there are any errors or need to change the options to configure after having run it once, “make clean” and “make distclean” need to be run as well preceeding running of configure with the latest options.

If you need to statically link OpenSSL with Apache httpd, then one can configure httpd with the following (the following is a configure command to build Apache httpd with SSL support through the the mod_ssl module):

 

./configure --prefix=/app/install/myinstalls/httpd --enable-ssl --enable-rewrite --with-ssl=/usr/local/ssl

 

However, we would be dynamically linking to OpenSSL and therefore the configure command would be:

 

./configure --prefix=/app/install/myinstalls/httpd --enable-mods-shared="all ssl deflate disk-cache expires headers info cache proxy proxy-ajp proxy-balancer proxy-connect proxy-ftp proxy-http rewrite" --with-ssl=/usr/local/ssl

 

Please note that I have added support for a whole lot of modules as well. Another interesting piece to note is that ldap support is missing as is not the case with the following configure and options:

 

./configure --prefix=/app/installs/httpd --enable-mods-shared="all ssl authn-dbm authz-dbm auth-digest deflate disk-cache expires headers info isapi ldap cache proxy proxy-ajp proxy-balancer proxy-connect proxy-ftp proxy-http rewrite unique-id usertrack vhost-alias authn_alias mem_cache file_cache authnz_ldap charset_lite dav_lock disk_cache" --with-ldap

 

The reason for the missing ldap support is that having built Apache httpd for ldap support as in the above, the error_log has an entry pointing to the earlier version of OpenSSL and not the one that we compiled and installed as in the previous section:

 

[Sat Sep 01 00:48:16 2012] [notice] Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/[EARLIER VERSION] DAV/2 configured -- resuming normal operations

 

Consequently, to enable the right version to be printed, we had to forsake LDAPsupport and the right version of OpenSSL was associated with the mod_ssl module as in:

 

[Sat Sep 01 00:48:16 2012] [notice] Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.1c DAV/2 configured -- resuming normal operations

 

So in synopsis, these are the steps to build Apache httpd and dynamically link it with OpenSSL 1.x.x:

 

./configure --prefix=/app/install/myinstalls/httpd --enable-mods-shared="all ssl deflate disk-cache expires headers info cache proxy proxy-ajp proxy-balancer proxy-connect proxy-ftp proxy-http rewrite" --with-ssl=/usr/local/ssl

make

make install

 

If as a result of performing the steps delineated above, an error of this type is spewed:

 

:/usr/bin/ld: /usr/local/ssl/lib/libssl.a(s2_srvr.o): relocation R_X86_64_32 against `a local symbol' can not be used when making a shared object; recompile with fPIC

 

The implication is that OpenSSL was not compiled to generate shared libraries. Please see the OpenSSL section above for details on how to achieve that.

Thereafter one could test that the mod_ssl module is linking to the correct OpenSSL libraries through the use of the “ldd” command:

Some of the alphanumeric details enclosed in the parenthesis are replace with “…” for brevity.

References:

  1. http://tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html