The stack:
- Apache httpd (web server) version 2.2.22
- OpenSSL 1.x.x. (1.0.1c)
- RedHat Enterprise Linux 5.8 (rhel), CentOS or any flavor of Linux.
The goal:
To upgrade the OpenSSL library from 0.8.x to 1.x.x. The reason for the upgrade is the DSA algorithm support required in terms of installing a server certificate that is signed through the use of DSA 2048_256 CA key. Also to build and provide Elliptic Curve Cryptography (ECC) support with optimizations.
Problems:
These are the problems or issues that had to be resolved in order to achieve the goal:
- OpenSSL 1.x.x. rpm not available. Therefore we needed to download the source and build it. And then it had to be installed in a location as not to overwrite the existing OpenSSL installation. Please note: the RedHat and CentOS linux (not to mention the other variants of linux) have a huge number of packages (I counted 500) that have dependencies directly or indirectly to OpenSSL. Consequently it is easier not to overwrite the OpenSSL installation with the later version; or remove the older version and install the later version.In a production system, you might want to do an “upgrade” but that is beyond the scope of this document.
- Apache 2.2.22 rpm not available (at least in the repository that we access). Consequently we would be downloading the source and building it as well.
Build and install process
This section details the effort and steps undertaken to install both OpenSSL and Apache httpd. We being with OpenSSL, install that and move on to Apache httpd.
OpenSSL
Download the source and save it. Thereafter you have two options:
- Do you want to httpd to link statically to the generated static OpenSSL libararies (.a extension)?
- or dynamically to a shared library (.so)?
Although I found that the approach in bullet 1 led to the goal being easier to accomplish as there were issues in Apache httpd able to load the correct OpenSSL version with approach 2. This resulted in a lot of debugging to get it to work (the issue turned out to be the LDAP support that I was compiling with). However, in this document I will detail the second approach.
At the shell:
|
./config shared [to enable shared libraries to be built] make make test make install The openssl will be installed at "/usr/local/ssl" |
Now we check the installation to confirm the presence of shared libraries (.so files).
|
cd /usr/local/ssl/lib ls -1 $ ls -1 engines libcrypto.a libcrypto.so libcrypto.so.1.0.0 libssl.a libssl.so libssl.so.1.0.0 openssl.conf pkgconfig |
The creation of “libcrypto.so” and “libssl.so” is confirmed.
Optional Support for 64-bit optimized implementations of EC (Elliptic Curves)
To add support for 64-bit optimized implementations for NIST-P224, NIST-P256, NIST-P521, provide “enable-ec_nistp_64_gcc_128” on the “configure” command line.
Reference: http://www.apachehaus.com/ossl101.txt
Apache httpd
We set the LD_LIBRARY_PATH to “/usr/local/ssl/lib” so as to make sure that the Apache httpd installation picks up the right libraries viz the right version – the version that has been installed as a result of following the steps in the preceding section.
export LD_LIBRARY_PATH=/usr/local/ssl/lib
We are assuming that a prior Apache Web Server version is not installed on the system. If it is then you could easily remove it if it is package managed.
|
yum info httpd [check to see the version installed] yum remove httpd [need to be root] |
To install Apache httpd, the following steps are to be followed (the proceeding texts details the arguments to configure):
|
configure make make install |
If there are any errors or need to change the options to configure after having run it once, “make clean” and “make distclean” need to be run as well preceeding running of configure with the latest options.
If you need to statically link OpenSSL with Apache httpd, then one can configure httpd with the following (the following is a configure command to build Apache httpd with SSL support through the the mod_ssl module):
./configure --prefix=/app/install/myinstalls/httpd --enable-ssl --enable-rewrite --with-ssl=/usr/local/ssl
However, we would be dynamically linking to OpenSSL and therefore the configure command would be:
./configure --prefix=/app/install/myinstalls/httpd --enable-mods-shared="all ssl deflate disk-cache expires headers info cache proxy proxy-ajp proxy-balancer proxy-connect proxy-ftp proxy-http rewrite" --with-ssl=/usr/local/ssl
Please note that I have added support for a whole lot of modules as well. Another interesting piece to note is that ldap support is missing as is not the case with the following configure and options:
./configure --prefix=/app/installs/httpd --enable-mods-shared="all ssl authn-dbm authz-dbm auth-digest deflate disk-cache expires headers info isapi ldap cache proxy proxy-ajp proxy-balancer proxy-connect proxy-ftp proxy-http rewrite unique-id usertrack vhost-alias authn_alias mem_cache file_cache authnz_ldap charset_lite dav_lock disk_cache" --with-ldap
The reason for the missing ldap support is that having built Apache httpd for ldap support as in the above, the error_log has an entry pointing to the earlier version of OpenSSL and not the one that we compiled and installed as in the previous section:
[Sat Sep 01 00:48:16 2012] [notice] Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/[EARLIER VERSION] DAV/2 configured -- resuming normal operations
Consequently, to enable the right version to be printed, we had to forsake LDAPsupport and the right version of OpenSSL was associated with the mod_ssl module as in:
[Sat Sep 01 00:48:16 2012] [notice] Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.1c DAV/2 configured -- resuming normal operations
So in synopsis, these are the steps to build Apache httpd and dynamically link it with OpenSSL 1.x.x:
./configure --prefix=/app/install/myinstalls/httpd --enable-mods-shared="all ssl deflate disk-cache expires headers info cache proxy proxy-ajp proxy-balancer proxy-connect proxy-ftp proxy-http rewrite" --with-ssl=/usr/local/ssl
make
make install
If as a result of performing the steps delineated above, an error of this type is spewed:
:/usr/bin/ld: /usr/local/ssl/lib/libssl.a(s2_srvr.o): relocation R_X86_64_32 against `a local symbol' can not be used when making a shared object; recompile with fPIC
The implication is that OpenSSL was not compiled to generate shared libraries. Please see the OpenSSL section above for details on how to achieve that.
Thereafter one could test that the mod_ssl module is linking to the correct OpenSSL libraries through the use of the “ldd” command:
|
$ ldd mod_ssl.so libdl.so.2 => /lib64/libdl.so.2 (0x00002aebf1975000) libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (...) libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (...) librt.so.1 => /lib64/librt.so.1 (0x00002aebf21a0000) libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00002aebf23a9000) libpthread.so.0 => /lib64/libpthread.so.0 (...) libc.so.6 => /lib64/libc.so.6 (0x00002aebf27fd000) /lib64/ld-linux-x86-64.so.2 (0x00002aebf1520000) |
Some of the alphanumeric details enclosed in the parenthesis are replace with “…” for brevity.
References:
- http://tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html