Tag Archives: rsa

Technical

Apache web server httpd 2.4.3 Build / Compile from source and ECC (Elliptic Curve) support (RHEL or CentOS Linux)

2 Comments

Overview

An earlier post had detailed setting up Apache httpd 2.2.22 with both DSA and RSA support in terms of SSL/TLS authentication. This post will detail setting up Apache httpd 2.4.3 with support for all three ciphers viz: RSA, DSA and ECC. The earlier post also covered the OpenSSL 1.0.x installation that supports all of these ciphers.

Please note that Apache httpd version 2.2.x does not have ECC support built in and it needs to be patched for ECC. However support for ECC is in trunk for the 2.4.x branch and that is the path that we will take.

Building Apache

  1. Download the source.
  2. Build./configure --prefix=/app/install/myinstalls/httpd-2.4 --enable-mods-shared="all ssl deflate disk-cache expires headers info cache proxy proxy-ajp proxy-balancer proxy-connect proxy-ftp proxy-http rewrite" --with-ssl=/usr/local/ssl --with-included-apr --with-pcre=/usr/local

    Note that we are utilizing the provided APR (Apache Portable Runtime) and are also pointing to the PCRE deployment. Please see the Prerequisite section below on the reasons for this.If there are any issues, run the following before retrying:

     

Prerequisites:

APR and APR-UTIL

Apache Portable Runtime (APR) and utils might need to be updated or installed if the following error is printed on the screen while configuring Apache httpd which is the first step in the build process. If while running configure, the following is spewed out then you need to download and install APR and APR-UTIL.
configure: error: APR not found. Please read the documentation

 

Steps for APR (1.4.6) and APR-UTIL (1.4.1)  setup:

  1. Download the source into “[Apache HTTPD build location]/srclib”. Extract it and make sure there are no version numbers in the folders.
    From the Apache httpd documentation (http://httpd.apache.org/docs/2.4/install.html):download the latest versions of both APR and APR-Util from Apache APR, unpack them into ./srclib/apr and ./srclib/apr-util (be sure the domain names do not have version numbers; for example, the APR distribution must be under ./srclib/apr/)
  2. Append the following to the Apache httpd configure command:
    --with-included-apr
  3. Continue with the Apache httpd configure process.

PCRE

If during the Apache httpd build process, the following is spewed out then we need to build and install PCRE.
configure: error: pcre-config for libpcre not found. PCRE is required and available from http://pcre.org/

 

Steps for PCRE (8.31) setup:

  1. Download the PCRE source. Save it at any location.
  2. The PCRE build and install process will generate both shared and static libraries and that implies we do not have to explicitly require the dynamic libraries to be built.
  3. The configure command and the build process then is:
    ./configure --prefix=/usr/local
    make
    make install
    If there is this error during the process then it implies that either libtools or GCC C++ compiler is not available:
    make[1]: Entering directory /app/install/myinstalls/pcre/pcre-8.31'CXX pcrecpp.lolibtool: compile: unrecognized option -DHAVE_CONFIG_H'libtool: compile: Try libtool --help' for more information.make[1]: *** [pcrecpp.lo] Error 1make[1]: Leaving directory /app/install/myinstalls/pcre/pcre-8.31'

    make: *** [all] Error 2


    Consequently, you would need to perform the following installs:

Miscellaneous

Errors related to mod_deflate and zlib

If the following error is spewed during configure:

checking for zlib location... not found

 

checking whether to enable mod_deflate... configure: error: mod_deflate has been requested but can not be built due to prerequisite failures

Then this implies that zlib or zlib-devel packages are missing or might need to be forced to be reinstalled. This should take care of installing them:

yum install zlib

 

yum install zlib-devel

Technical

Apache httpd 2.2.22 (or 2.4.x) and OpenSSL 1.x.x (RHEL or CentOS Linux) – build / compile / install Apache Web Server and OpenSSL with ECC (Elliptic Curve Cryptography) Accelarator on Linux (CentOS Red Hat)

Leave a comment

The stack:

  1. Apache httpd (web server) version 2.2.22
  2. OpenSSL 1.x.x. (1.0.1c)
  3. RedHat Enterprise Linux 5.8 (rhel), CentOS or any flavor of Linux.

The goal:

To upgrade the OpenSSL library from 0.8.x to 1.x.x. The reason for the upgrade is the DSA algorithm support required in terms of installing a server certificate that is signed through the use of DSA 2048_256 CA key. Also to build and provide Elliptic Curve Cryptography (ECC) support with optimizations.

Problems:

These are the problems or issues that had to be resolved in order to achieve the goal:

  1. OpenSSL 1.x.x. rpm not available. Therefore we needed to download the source and build it. And then it had to be installed in a location as not to overwrite the existing OpenSSL installation. Please note: the RedHat and CentOS linux (not to mention the other variants of linux) have a huge number of packages (I counted 500) that have dependencies directly or indirectly to OpenSSL. Consequently it is easier not to overwrite the OpenSSL installation with the later version; or remove the older version and install the later version.In a production system, you might want to do an “upgrade” but that is beyond the scope of this document.
  2. Apache 2.2.22 rpm not available (at least in the repository that we access). Consequently we would be downloading the source and building it as well.

Build and install process

This section details the effort and steps undertaken to install both OpenSSL and Apache httpd. We being with OpenSSL, install that and move on to Apache httpd.

OpenSSL

Download the source and save it. Thereafter you have two options:

  1. Do you want to httpd to link statically to the generated static OpenSSL libararies (.a extension)?
  2. or dynamically to a shared library (.so)?

Although I found that the approach in bullet 1 led to the goal being easier to accomplish as there were issues in Apache httpd able to load the correct OpenSSL version with approach 2. This resulted in a lot of debugging to get it to work (the issue turned out to be the LDAP support that I was compiling with). However, in this document I will detail the second approach.

At the shell:

Now we check the installation to confirm the presence of shared libraries (.so files).

The creation of “libcrypto.so” and “libssl.so” is confirmed.

Optional Support for 64-bit optimized implementations of EC (Elliptic Curves)

To add support for 64-bit optimized implementations for NIST-P224, NIST-P256, NIST-P521, provide “enable-ec_nistp_64_gcc_128” on the “configure” command line.

Reference: http://www.apachehaus.com/ossl101.txt

Apache httpd

We set the LD_LIBRARY_PATH to “/usr/local/ssl/lib” so as to make sure that the Apache httpd installation picks up the right libraries viz the right version – the version that has been installed as a result of following the steps in the preceding section.

export LD_LIBRARY_PATH=/usr/local/ssl/lib

We are assuming that a prior Apache Web Server version is not installed on the system. If it is then you could easily remove it if it is package managed.

To install Apache httpd, the following steps are to be followed (the proceeding texts details the arguments to configure):

If there are any errors or need to change the options to configure after having run it once, “make clean” and “make distclean” need to be run as well preceeding running of configure with the latest options.

If you need to statically link OpenSSL with Apache httpd, then one can configure httpd with the following (the following is a configure command to build Apache httpd with SSL support through the the mod_ssl module):

 

./configure --prefix=/app/install/myinstalls/httpd --enable-ssl --enable-rewrite --with-ssl=/usr/local/ssl

 

However, we would be dynamically linking to OpenSSL and therefore the configure command would be:

 

./configure --prefix=/app/install/myinstalls/httpd --enable-mods-shared="all ssl deflate disk-cache expires headers info cache proxy proxy-ajp proxy-balancer proxy-connect proxy-ftp proxy-http rewrite" --with-ssl=/usr/local/ssl

 

Please note that I have added support for a whole lot of modules as well. Another interesting piece to note is that ldap support is missing as is not the case with the following configure and options:

 

./configure --prefix=/app/installs/httpd --enable-mods-shared="all ssl authn-dbm authz-dbm auth-digest deflate disk-cache expires headers info isapi ldap cache proxy proxy-ajp proxy-balancer proxy-connect proxy-ftp proxy-http rewrite unique-id usertrack vhost-alias authn_alias mem_cache file_cache authnz_ldap charset_lite dav_lock disk_cache" --with-ldap

 

The reason for the missing ldap support is that having built Apache httpd for ldap support as in the above, the error_log has an entry pointing to the earlier version of OpenSSL and not the one that we compiled and installed as in the previous section:

 

[Sat Sep 01 00:48:16 2012] [notice] Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/[EARLIER VERSION] DAV/2 configured -- resuming normal operations

 

Consequently, to enable the right version to be printed, we had to forsake LDAPsupport and the right version of OpenSSL was associated with the mod_ssl module as in:

 

[Sat Sep 01 00:48:16 2012] [notice] Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.1c DAV/2 configured -- resuming normal operations

 

So in synopsis, these are the steps to build Apache httpd and dynamically link it with OpenSSL 1.x.x:

 

./configure --prefix=/app/install/myinstalls/httpd --enable-mods-shared="all ssl deflate disk-cache expires headers info cache proxy proxy-ajp proxy-balancer proxy-connect proxy-ftp proxy-http rewrite" --with-ssl=/usr/local/ssl

make

make install

 

If as a result of performing the steps delineated above, an error of this type is spewed:

 

:/usr/bin/ld: /usr/local/ssl/lib/libssl.a(s2_srvr.o): relocation R_X86_64_32 against `a local symbol' can not be used when making a shared object; recompile with fPIC

 

The implication is that OpenSSL was not compiled to generate shared libraries. Please see the OpenSSL section above for details on how to achieve that.

Thereafter one could test that the mod_ssl module is linking to the correct OpenSSL libraries through the use of the “ldd” command:

Some of the alphanumeric details enclosed in the parenthesis are replace with “…” for brevity.

References:

  1. http://tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html