On Sun, Apr 13, 2014 at 7:34 PM, John Iliffe <john.ili...@iliffe.ca> wrote:
> Well, after a weekend of absolute frustration I figured this one out.
>
> Because there is a paucity of documentation and given the importance of
> OpenSSL to the Apache community, I will give a full explanation as to what
> happened and why, and I hope that the Apache maintainers will be interested
> in putting some of this in the docs, even though some parts are really not
> Apache issues.
>
> Here I am assuming that you are not using the O/S supplied OpenSSL version
> and that you are either updating Apache or don't have OpenSSL linked
> dynamically.
>
> First, compile OpenSSL from source. You need to have AT LEAST the
> following two parameters in the configuration:
>
> --prefix=/path/to/new/OpenSSL
> share <-- without this Apache will not link to OpenSSL
>
> add any other parameters required and make, make test, make install
>
> Now compile Apache as per the instructions in the INSTALL file and for
> OpenSSL you need:
>
> --enable-ssl
> --with-ssl=/path/to/new/OpenSSL <-- this gets you the correct version of
> OpenSSL, not the one supplied by the O/S
>
> compile and install Apache and edit the configuration file httpd.conf to
> make sure that the LoadModule statement for SSL is not commented out.
>
> Now run httpd -t
>
> you will probably get an error saying can't open libssl.so.x.x.x, no such
> file or directory. The documentation in the Apache install implies that
> when you use the form with-xxx=(path) that the module will be made
> available (ie the path to the required libraries will be stored in the DSO)
> but this isn't the case. The library (found in the OpenSSL installation
> directory in the /bin/ subdirectory) must be copied to the SYSTEM's library
> directory.

IMO it is best to avoid mixing stuff you built with system directories,
especially when part of the installation is manual and easily forgotten.
You could edit <HTTPDINST>/bin/envvars and update LD_LIBRARY_PATH to include
/path/to/new/OpenSSL/lib so that httpd could find libssl.so.x.x.x.
After that you need to always use "apachectl <args>" instead of "httpd <args>"
so that envvars takes effect. (I don't know why the custom OpenSSL lib
directory doesn't end up in rpath. Does anyone know?)

> In my case (Red Hat EL6) this is /usr/lib64/ but other distros
> may put it somewhere else. Be careful here; don't overlay any library with
> the same name. I give this warning because the library for OpenSSL-1.0.1g
> is named libssl.so.1.0.0 whereas previous releases named the library the
> same as the release (eg libssl.so.1.0.1e).
>
> Now run httpd -t again. You will probably get another error on
> libcrypto.so and have to copy in the library from the OpenSSL installation
> directory.
>
> Now try httpd -t and everything SHOULD work.
>
> Start Apache (apachectl -k start) and HTTPD should come up. Now do:
>
> head /path to logfiles/error_log
>
> and check that the start message shows that the correct version of OpenSSL
> started. It is shown on the first line of the new log, just ahead of the
> command line for the starting httpd.
>
> Folks, I know this is somewhat arcane and probably overkill, but I just
> spent two days that I really didn't have chasing things around and a slight
> enhancement of the installation instructions would have been very welcome.
>
> Regards, and thanks to those who replied to my two previous posts.
>
> John
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>

--
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/
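The thread's failure mode is that httpd (or mod_ssl.so) silently resolves libssl/libcrypto from the system library directory, or not at all, rather than from the freshly built prefix; "httpd -t" only reports the "cannot open" case, and a quiet fallback to the distro copy is the worse outcome because the old OpenSSL keeps running. The following POSIX shell check is an added example, not code from this thread or from the Apache or OpenSSL projects. It assumes the custom OpenSSL lives under a hypothetical `OPENSSL_PREFIX` (defaulting to the thread's placeholder `/path/to/new/OpenSSL`) and feeds `ldd`-style output to a checker; the sample output embedded in the script is constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the OpenSSL shared libraries
# a binary resolves actually come from the custom OpenSSL prefix.
# Assumption: the custom build was installed under $OPENSSL_PREFIX.

OPENSSL_PREFIX="${OPENSSL_PREFIX:-/path/to/new/OpenSSL}"

# Constructed sample of `ldd` output (not captured from a real host): libcrypto
# was found under the custom prefix, but libssl still resolves to the system copy.
SAMPLE_LDD='    linux-vdso.so.1 =>  (0x00007fff5a1fe000)
    libssl.so.1.0.0 => /usr/lib64/libssl.so.1.0.0 (0x00007f2b3c000000)
    libcrypto.so.1.0.0 => /path/to/new/OpenSSL/lib/libcrypto.so.1.0.0 (0x00007f2b3bc00000)
    libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f2b3b800000)'

# check_ssl_libs PREFIX: reads ldd-style output on stdin and prints one line per
# OpenSSL library in the form "<soname> ok|wrong-prefix|not-found [path]".
# Returns 0 only if both libssl and libcrypto resolve to files under PREFIX.
check_ssl_libs() {
    prefix=$1
    rc=0
    seen_ssl=0
    seen_crypto=0
    while IFS= read -r line; do
        # Split the ldd line into words without glob expansion:
        # $1 = soname, $2 = "=>", $3 = resolved path (or "not" for "not found").
        set -f; set -- $line; set +f
        case $1 in
            libssl.so*)    seen_ssl=1 ;;
            libcrypto.so*) seen_crypto=1 ;;
            *)             continue ;;
        esac
        if [ "$#" -lt 3 ] || [ "$3" = "not" ]; then
            printf '%s not-found\n' "$1"
            rc=1
        else
            case $3 in
                "$prefix"/*) printf '%s ok %s\n' "$1" "$3" ;;
                *)           printf '%s wrong-prefix %s\n' "$1" "$3"; rc=1 ;;
            esac
        fi
    done
    # A library that never appears (e.g. mod_ssl not linked against OpenSSL
    # at all, or linked statically) is also reported as a failure.
    if [ "$seen_ssl" -eq 0 ] || [ "$seen_crypto" -eq 0 ]; then
        rc=1
    fi
    return "$rc"
}

# Stand-alone demonstration on the constructed sample. On a real host replace
# the printf with, for a DSO build of mod_ssl:
#   ldd /path/to/httpd/modules/mod_ssl.so | check_ssl_libs "$OPENSSL_PREFIX"
if printf '%s\n' "$SAMPLE_LDD" | check_ssl_libs "$OPENSSL_PREFIX"; then
    echo "OK: both OpenSSL libraries resolve under $OPENSSL_PREFIX"
else
    echo "MISMATCH: OpenSSL is not (fully) resolved from $OPENSSL_PREFIX; see lines above"
fi
```

Two practical notes: because the thread loads mod_ssl with a `LoadModule` line, the object that links against libssl is `modules/mod_ssl.so`, so that is the file to inspect rather than the `httpd` binary; and `ldd` honours `LD_LIBRARY_PATH`, so running the check both with and without the `envvars` change shows whether the fix depends on `apachectl` exporting that variable. The alternative the reply wonders about, having the path baked in so no environment is needed, is commonly done outside this thread by passing the linker an rpath at configure time, for example `LDFLAGS="-Wl,-rpath,$OPENSSL_PREFIX/lib"` before running httpd's `configure`; `--with-ssl` alone adds the include and library search paths for the link step but does not record an rpath. Also note that OpenSSL's `Configure` option that produces the `.so` files is spelled `shared`.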