Re: [users@httpd] mod ssl
On Sunday 13 April 2014 21:32:12 Nick Kew wrote:
> On 14 Apr 2014, at 00:34, John Iliffe wrote:
> > Here I am assuming that you are not using the O/S supplied OpenSSL version and that you are either updating Apache or don't have OpenSSL linked dynamically.

Nick: I'm not trying to be a pain in the ass here, I really do like Apache and it works well.

I wasn't using the OpenSSL supplied by Red Hat as the maintenance contract for it has expired, so basically, I'm on my own. I think you might find that many small companies like ours are in the same position.

Someone suggested exactly what you do here but it didn't work, and not knowing whether OpenSSL was dynamically linked (it is) when the update didn't work I made the wrong assumption. (not dynamically linked, which was wrong). My only defence is that I'm not a web specialist, or even very knowledgeable about it.

> Aren't those assumptions alone sufficiently unusual (even idiosyncratic) to take you beyond the scope of what Apache docs might reasonably be expected to cover?
>
> For the regular user, you would just replace your vulnerable openssl version in-situ. If it was O/S-supplied then use the relevant package manager; if it's your own build then upgrade that. Either way, apache is unaffected unless you did rather more than just replace a bleeding heart OpenSSL version with a newly-patched one.
>
> Probably the most useful advice in your post, for those who might have vulnerable OpenSSL versions floating around, is how to check:
>
> > Start Apache (apachectl -k start) and HTTPD should come up. Now do:
> >
> >     head /path to logfiles/error_log
> >
> > and check that the start message shows that the correct version of OpenSSL started. It is shown on the first line of the new log, just ahead of the command line for the starting httpd.

Good question. I would suggest in the SSL/TLS How-to at the end of the Basic Configuration Example section. Something to the effect that on first start up one should check that the version of OpenSSL that starts is the correct one. That also takes care of the situation where there is an error in the Apache configuration to make that is not caught.

> I guess a note to that effect in our docs could indeed benefit the worried. Where do you think would be a good place for such a note?

To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] mod ssl
On Apr 14, 2014, at 01:34 , John Iliffe wrote:

> The library (found in the OpenSSL installation directory in the /bin/ subdirectory) must be copied to the SYSTEM's library directory.

Don't do that.

Re-Build apache with

    LDFLAGS=-Wl,-rpath,/path/to/new/openssl

You can check if the RPATH is set in your mod_ssl e.g. with

    objdump -x mod_ssl.so | grep RPATH

rainer
Re: [users@httpd] mod ssl
On 14 Apr 2014, at 00:34, John Iliffe wrote:

> Here I am assuming that you are not using the O/S supplied OpenSSL version and that you are either updating Apache or don't have OpenSSL linked dynamically.

Aren't those assumptions alone sufficiently unusual (even idiosyncratic) to take you beyond the scope of what Apache docs might reasonably be expected to cover?

For the regular user, you would just replace your vulnerable openssl version in-situ. If it was O/S-supplied then use the relevant package manager; if it's your own build then upgrade that. Either way, apache is unaffected unless you did rather more than just replace a bleeding heart OpenSSL version with a newly-patched one.

Probably the most useful advice in your post, for those who might have vulnerable OpenSSL versions floating around, is how to check:

> Start Apache (apachectl -k start) and HTTPD should come up. Now do:
>
>     head /path to logfiles/error_log
>
> and check that the start message shows that the correct version of OpenSSL started. It is shown on the first line of the new log, just ahead of the command line for the starting httpd.

I guess a note to that effect in our docs could indeed benefit the worried. Where do you think would be a good place for such a note?

--
Nick Kew
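The checks raised in the two messages above (the RPATH lookup with objdump, and reading the OpenSSL version from the error_log startup banner), together with an ldd pass over mod_ssl.so, combined into one script as an added example that is not part of any poster's message. It also matches RUNPATH, which newer linkers may record instead of RPATH and which `grep RPATH` does not match. The function names are hypothetical and the sample log, objdump and ldd text are constructed; the paths reuse the ones quoted in the thread.

```sh
#!/bin/sh
# Added example, not from the thread: confirm httpd loads the intended OpenSSL.
# Each parser reads tool output on stdin, so it works on saved or live output.

# OpenSSL version from the newest startup banner in an httpd error_log.
banner_openssl_version() {
    grep 'resuming normal operations' | tail -n 1 |
        sed -n 's|.*OpenSSL/\([^ ]*\).*|\1|p'
}

# Library search directories recorded in the module, from `objdump -x` output.
# Matches RUNPATH as well as RPATH; prints one directory per line.
elf_search_path() {
    awk '$1 == "RPATH" || $1 == "RUNPATH" { print $2 }' | tr ':' '\n'
}

# Where the loader resolved libssl, from `ldd` output: a path or "not found".
# Feed it ldd of mod_ssl.so; with mod_ssl built as a DSO, ldd of the httpd
# binary lists no libssl at all.
ldd_libssl_path() {
    awk '$1 ~ /^libssl\.so/ { print ($3 == "not" ? "not found" : $3); exit }'
}

# verdict WANT_VERSION WANT_LIBDIR BANNER_VERSION RESOLVED_PATH
verdict() {
    case $4 in
        '')          echo NO_LIBSSL_DEP; return 1 ;;  # static link or wrong file
        'not found') echo UNRESOLVED;    return 1 ;;  # the "cannot open shared object" case
        "$2"/*)      ;;                               # resolved inside the intended build
        *)           echo WRONG_LIBRARY; return 1 ;;  # some other copy won the search
    esac
    if [ "$3" != "$1" ]; then echo WRONG_VERSION; return 1; fi
    echo OK
}

# check_live MODULE ERROR_LOG WANT_VERSION WANT_LIBDIR  (runs the real tools)
check_live() {
    rp=$(objdump -x "$1" | elf_search_path)
    lib=$(ldd "$1" | ldd_libssl_path)
    ver=$(banner_openssl_version < "$2")
    echo "rpath/runpath: ${rp:-none}; libssl: ${lib:-none}; banner: ${ver:-none}"
    verdict "$3" "$4" "$ver" "$lib"
}

# --- constructed sample data (not captured from a real host) ---
sample_log() { cat <<'EOF'
[Sat Apr 12 21:40:03.101010 2014] [mpm_event:notice] [pid 2101:tid 1] AH00489: Apache/2.4.9 (Unix) OpenSSL/1.0.1e configured -- resuming normal operations
[Sat Apr 12 21:40:03.101020 2014] [core:notice] [pid 2101:tid 1] AH00094: Command line: '/usr/apache-2.4.9/bin/httpd'
[Sun Apr 13 18:05:44.202020 2014] [mpm_event:notice] [pid 3307:tid 1] AH00489: Apache/2.4.9 (Unix) OpenSSL/1.0.1g configured -- resuming normal operations
[Sun Apr 13 18:05:44.202030 2014] [core:notice] [pid 3307:tid 1] AH00094: Command line: '/usr/apache-2.4.9/bin/httpd'
EOF
}

sample_objdump() { cat <<'EOF'
Dynamic Section:
  NEEDED               libssl.so.1.0.0
  NEEDED               libcrypto.so.1.0.0
  RUNPATH              /usr/openssl-1.0.1g/lib
EOF
}

sample_ldd_missing() { cat <<'EOF'
	linux-vdso.so.1 =>  (0x00007fff00000000)
	libssl.so.1.0.0 => not found
	libcrypto.so.1.0.0 => not found
EOF
}

sample_ldd_ok() { cat <<'EOF'
	libssl.so.1.0.0 => /usr/openssl-1.0.1g/lib/libssl.so.1.0.0 (0x00007f0000000000)
	libcrypto.so.1.0.0 => /usr/openssl-1.0.1g/lib/libcrypto.so.1.0.0 (0x00007f0000200000)
EOF
}

if [ "$#" -eq 4 ]; then
    check_live "$@"
else
    # No arguments: run the verdict on the constructed "library missing" sample.
    verdict 1.0.1g /usr/openssl-1.0.1g/lib \
        "$(sample_log | banner_openssl_version)" \
        "$(sample_ldd_missing | ldd_libssl_path)" || true
fi
```

ldd honours LD_LIBRARY_PATH, so when the library directory is supplied through envvars as suggested in the thread, source that file before running the check or ldd will report "not found" for a server that apachectl starts cleanly.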
Re: [users@httpd] mod ssl
On Sun, Apr 13, 2014 at 8:01 PM, John Iliffe wrote:
> On Sunday 13 April 2014 19:44:11 Jeff Trawick wrote:
> > On Sun, Apr 13, 2014 at 7:34 PM, John Iliffe wrote:
> > > Well, after a weekend of absolute frustration I figured this one out.
> > >
> > > Because there is a paucity of documentation and given the importance of OpenSSL to the Apache community, I will give a full explanation as to what happened and why, and I hope that the Apache maintainers will be interested in putting some of this in the docs, even though some parts are really not Apache issues.
> > >
> > > Here I am assuming that you are not using the O/S supplied OpenSSL version and that you are either updating Apache or don't have OpenSSL linked dynamically.
> > >
> > > First, compile OpenSSL from source. You need to have AT LEAST the following two parameters in the configuration:
> > >
> > >     --prefix=/path/to/new/OpenSSL
> > >     share   <-- without this Apache will not link to OpenSSL
> > >
> > > add any other parameters required and make, make test, make install
> > >
> > > Now compile Apache as per the instructions in the INSTALL file and for OpenSSL you need:
> > >
> > >     --enable-ssl
> > >     --with-ssl=/path/to/new/OpenSSL   <-- this gets you the correct version of OpenSSL, not the one supplied by the O/S
> > >
> > > compile and install Apache and edit the configuration file httpd.conf to make sure that the LoadModule statement for SSL is not commented out.
> > >
> > > Now run httpd -t
> > >
> > > you will probably get an error saying can't open libssl.so.x.x.x, no such file or directory. The documentation in the Apache install implies that when you use the form with-xxx=(path) that the module will be made available (ie the path to the required libraries will be stored in the DSO) but this isn't the case. The library (found in the OpenSSL installation directory in the /bin/ subdirectory) must be copied to the SYSTEM's library directory.
> >
> I completely agree Jeff. If I was a bit more of an Apache specialist I would have done what you suggest as it is obvious once it is pointed out! My immediate problem was to get our e-commerce web site back on the Inet and what I did resolved the problem. Maybe your suggestion would be best added to the docs?

I'll think about this some more. Docs are fine, but I don't know why it doesn't "just work", as when you install apr to some arbitrary place and it gets picked up by httpd automatically.

> > IMO it is best to avoid mixing stuff you built with system directories, especially when part of the installation is manual and easily forgotten.
> >
> > You could edit /bin/envvars and update LD_LIBRARY_PATH to include /path/to/new/OpenSSL/lib so that httpd could find libssl.so.x.x.x.
> >
> > After that you need to always use "apachectl " instead of "httpd " so that envvars takes effect.
> >
> > (I don't know why the custom OpenSSL lib directory doesn't end up in rpath. Does anyone know?)
> >
> > > In my case (Red Hat EL6) this is /usr/lib64/ but other distros may put it somewhere else. Be careful here; don't overlay any library with the same name. I give this warning because the library for OpenSSL-1.0.1g is named libssl.so.1.0.0 whereas previous releases named the library the same as the release (eg libssl.so.1.0.1e).
> > >
> > > Now run httpd -t again. You will probably get another error on libcrypto.so and have to copy in the library from the OpenSSL installation directory.
> > >
> > > Now try httpd -t and everything SHOULD work.
> > >
> > > Start Apache (apachectl -k start) and HTTPD should come up. Now do:
> > >
> > >     head /path to logfiles/error_log
> > >
> > > and check that the start message shows that the correct version of OpenSSL started. It is shown on the first line of the new log, just ahead of the command line for the starting httpd.
> > >
> > > Folks, I know this is somewhat arcane and probably overkill, but I just spent two days that I really didn't have chasing things around and a slight enhancement of the installation instructions would have been very welcome.
> > >
> > > Regards, and thanks to those who replied to my two previous posts.
> > >
> > > John

--
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/
Re: [users@httpd] mod ssl
On Sunday 13 April 2014 19:44:11 Jeff Trawick wrote:
> On Sun, Apr 13, 2014 at 7:34 PM, John Iliffe wrote:
> > Well, after a weekend of absolute frustration I figured this one out.
> >
> > Because there is a paucity of documentation and given the importance of OpenSSL to the Apache community, I will give a full explanation as to what happened and why, and I hope that the Apache maintainers will be interested in putting some of this in the docs, even though some parts are really not Apache issues.
> >
> > Here I am assuming that you are not using the O/S supplied OpenSSL version and that you are either updating Apache or don't have OpenSSL linked dynamically.
> >
> > First, compile OpenSSL from source. You need to have AT LEAST the following two parameters in the configuration:
> >
> >     --prefix=/path/to/new/OpenSSL
> >     share   <-- without this Apache will not link to OpenSSL
> >
> > add any other parameters required and make, make test, make install
> >
> > Now compile Apache as per the instructions in the INSTALL file and for OpenSSL you need:
> >
> >     --enable-ssl
> >     --with-ssl=/path/to/new/OpenSSL   <-- this gets you the correct version of OpenSSL, not the one supplied by the O/S
> >
> > compile and install Apache and edit the configuration file httpd.conf to make sure that the LoadModule statement for SSL is not commented out.
> >
> > Now run httpd -t
> >
> > you will probably get an error saying can't open libssl.so.x.x.x, no such file or directory. The documentation in the Apache install implies that when you use the form with-xxx=(path) that the module will be made available (ie the path to the required libraries will be stored in the DSO) but this isn't the case. The library (found in the OpenSSL installation directory in the /bin/ subdirectory) must be copied to the SYSTEM's library directory.

I completely agree Jeff. If I was a bit more of an Apache specialist I would have done what you suggest as it is obvious once it is pointed out! My immediate problem was to get our e-commerce web site back on the Inet and what I did resolved the problem. Maybe your suggestion would be best added to the docs?

> IMO it is best to avoid mixing stuff you built with system directories, especially when part of the installation is manual and easily forgotten.
>
> You could edit /bin/envvars and update LD_LIBRARY_PATH to include /path/to/new/OpenSSL/lib so that httpd could find libssl.so.x.x.x.
>
> After that you need to always use "apachectl " instead of "httpd " so that envvars takes effect.
>
> (I don't know why the custom OpenSSL lib directory doesn't end up in rpath. Does anyone know?)
>
> > In my case (Red Hat EL6) this is /usr/lib64/ but other distros may put it somewhere else. Be careful here; don't overlay any library with the same name. I give this warning because the library for OpenSSL-1.0.1g is named libssl.so.1.0.0 whereas previous releases named the library the same as the release (eg libssl.so.1.0.1e).
> >
> > Now run httpd -t again. You will probably get another error on libcrypto.so and have to copy in the library from the OpenSSL installation directory.
> >
> > Now try httpd -t and everything SHOULD work.
> >
> > Start Apache (apachectl -k start) and HTTPD should come up. Now do:
> >
> >     head /path to logfiles/error_log
> >
> > and check that the start message shows that the correct version of OpenSSL started. It is shown on the first line of the new log, just ahead of the command line for the starting httpd.
> >
> > Folks, I know this is somewhat arcane and probably overkill, but I just spent two days that I really didn't have chasing things around and a slight enhancement of the installation instructions would have been very welcome.
> >
> > Regards, and thanks to those who replied to my two previous posts.
> >
> > John
Re: [users@httpd] mod ssl
On Sun, Apr 13, 2014 at 7:34 PM, John Iliffe wrote:
> Well, after a weekend of absolute frustration I figured this one out.
>
> Because there is a paucity of documentation and given the importance of OpenSSL to the Apache community, I will give a full explanation as to what happened and why, and I hope that the Apache maintainers will be interested in putting some of this in the docs, even though some parts are really not Apache issues.
>
> Here I am assuming that you are not using the O/S supplied OpenSSL version and that you are either updating Apache or don't have OpenSSL linked dynamically.
>
> First, compile OpenSSL from source. You need to have AT LEAST the following two parameters in the configuration:
>
>     --prefix=/path/to/new/OpenSSL
>     share   <-- without this Apache will not link to OpenSSL
>
> add any other parameters required and make, make test, make install
>
> Now compile Apache as per the instructions in the INSTALL file and for OpenSSL you need:
>
>     --enable-ssl
>     --with-ssl=/path/to/new/OpenSSL   <-- this gets you the correct version of OpenSSL, not the one supplied by the O/S
>
> compile and install Apache and edit the configuration file httpd.conf to make sure that the LoadModule statement for SSL is not commented out.
>
> Now run httpd -t
>
> you will probably get an error saying can't open libssl.so.x.x.x, no such file or directory. The documentation in the Apache install implies that when you use the form with-xxx=(path) that the module will be made available (ie the path to the required libraries will be stored in the DSO) but this isn't the case. The library (found in the OpenSSL installation directory in the /bin/ subdirectory) must be copied to the SYSTEM's library directory.

IMO it is best to avoid mixing stuff you built with system directories, especially when part of the installation is manual and easily forgotten.

You could edit /bin/envvars and update LD_LIBRARY_PATH to include /path/to/new/OpenSSL/lib so that httpd could find libssl.so.x.x.x.

After that you need to always use "apachectl " instead of "httpd " so that envvars takes effect.

(I don't know why the custom OpenSSL lib directory doesn't end up in rpath. Does anyone know?)

> In my case (Red Hat EL6) this is /usr/lib64/ but other distros may put it somewhere else. Be careful here; don't overlay any library with the same name. I give this warning because the library for OpenSSL-1.0.1g is named libssl.so.1.0.0 whereas previous releases named the library the same as the release (eg libssl.so.1.0.1e).
>
> Now run httpd -t again. You will probably get another error on libcrypto.so and have to copy in the library from the OpenSSL installation directory.
>
> Now try httpd -t and everything SHOULD work.
>
> Start Apache (apachectl -k start) and HTTPD should come up. Now do:
>
>     head /path to logfiles/error_log
>
> and check that the start message shows that the correct version of OpenSSL started. It is shown on the first line of the new log, just ahead of the command line for the starting httpd.
>
> Folks, I know this is somewhat arcane and probably overkill, but I just spent two days that I really didn't have chasing things around and a slight enhancement of the installation instructions would have been very welcome.
>
> Regards, and thanks to those who replied to my two previous posts.
>
> John

--
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/
Re: [users@httpd] mod ssl
Well, after a weekend of absolute frustration I figured this one out.

Because there is a paucity of documentation and given the importance of OpenSSL to the Apache community, I will give a full explanation as to what happened and why, and I hope that the Apache maintainers will be interested in putting some of this in the docs, even though some parts are really not Apache issues.

Here I am assuming that you are not using the O/S supplied OpenSSL version and that you are either updating Apache or don't have OpenSSL linked dynamically.

First, compile OpenSSL from source. You need to have AT LEAST the following two parameters in the configuration:

    --prefix=/path/to/new/OpenSSL
    share   <-- without this Apache will not link to OpenSSL

add any other parameters required and make, make test, make install

Now compile Apache as per the instructions in the INSTALL file and for OpenSSL you need:

    --enable-ssl
    --with-ssl=/path/to/new/OpenSSL   <-- this gets you the correct version of OpenSSL, not the one supplied by the O/S

compile and install Apache and edit the configuration file httpd.conf to make sure that the LoadModule statement for SSL is not commented out.

Now run httpd -t

you will probably get an error saying can't open libssl.so.x.x.x, no such file or directory. The documentation in the Apache install implies that when you use the form with-xxx=(path) that the module will be made available (ie the path to the required libraries will be stored in the DSO) but this isn't the case. The library (found in the OpenSSL installation directory in the /bin/ subdirectory) must be copied to the SYSTEM's library directory. In my case (Red Hat EL6) this is /usr/lib64/ but other distros may put it somewhere else. Be careful here; don't overlay any library with the same name. I give this warning because the library for OpenSSL-1.0.1g is named libssl.so.1.0.0 whereas previous releases named the library the same as the release (eg libssl.so.1.0.1e).

Now run httpd -t again. You will probably get another error on libcrypto.so and have to copy in the library from the OpenSSL installation directory.

Now try httpd -t and everything SHOULD work.

Start Apache (apachectl -k start) and HTTPD should come up. Now do:

    head /path to logfiles/error_log

and check that the start message shows that the correct version of OpenSSL started. It is shown on the first line of the new log, just ahead of the command line for the starting httpd.

Folks, I know this is somewhat arcane and probably overkill, but I just spent two days that I really didn't have chasing things around and a slight enhancement of the installation instructions would have been very welcome.

Regards, and thanks to those who replied to my two previous posts.

John
Re: [users@httpd] mod ssl
Thanks Didier.

I ran ldd and openssl/libssl doesn't show up in either the version of Apache that is running (2.4.3) or the new version 2.4.9. I checked the error log for the last restart as suggested by Katherine Manfre on this list and the running version reports: OpenSSL/1.0.0-FIPS.

The ldd for the same version is:

    ldd /usr/apache-2.4.3/bin/httpd
    linux-vdso.so.1 => (0x7fff23a0)
    libpcre.so.1 => /usr/pcre-8.32/lib/libpcre.so.1 (0x7fc2320a)
    libaprutil-1.so.0 => /usr/apache-2.4.3/lib/libaprutil-1.so.0 (0x7fc231e78000)
    libexpat.so.0 => /usr/apache-2.4.3/lib/libexpat.so.0 (0x7fc231c5)
    libapr-1.so.0 => /usr/apache-2.4.3/lib/libapr-1.so.0 (0x7fc231a2)
    librt.so.1 => /lib64/librt.so.1 (0x0037c960)
    libcrypt.so.1 => /lib64/libcrypt.so.1 (0x0037d7a0)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x0037c8a0)
    libc.so.6 => /lib64/libc.so.6 (0x0037c820)
    /lib64/ld-linux-x86-64.so.2 (0x0037c7e0)
    libfreebl3.so => /lib64/libfreebl3.so (0x0037d8c0)
    libdl.so.2 => /lib64/libdl.so.2 (0x0037c8e0)

and the ldd for the new version 2.4.9 (that can't start) is about the same:

    linux-vdso.so.1 => (0x7fff92ac8000)
    libpcre.so.1 => /usr/pcre-8.32/lib/libpcre.so.1 (0x7ffd4be7)
    libaprutil-1.so.0 => /usr/apache-2.4.9/lib/libaprutil-1.so.0 (0x7ffd4bc48000)
    libexpat.so.0 => /usr/apache-2.4.9/lib/libexpat.so.0 (0x7ffd4ba2)
    libapr-1.so.0 => /usr/apache-2.4.9/lib/libapr-1.so.0 (0x7ffd4b7e8000)
    librt.so.1 => /lib64/librt.so.1 (0x0037c960)
    libcrypt.so.1 => /lib64/libcrypt.so.1 (0x0037d7a0)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x0037c8a0)
    libc.so.6 => /lib64/libc.so.6 (0x0037c820)
    /lib64/ld-linux-x86-64.so.2 (0x0037c7e0)
    libfreebl3.so => /lib64/libfreebl3.so (0x0037d8c0)
    libdl.so.2 => /lib64/libdl.so.2 (0x0037c8e0)

I looked at your config file for make and obviously I left out quite a bit from last time. I used the previous config.nice file as input and obviously it doesn't show everything that was used in the previous compile.

I'll recompile again and see if it runs. Maybe I was just too sleepy last night!

Thanks again.

John

On Saturday 12 April 2014 01:49:09 Didier Spaier wrote:
> On 12/04/2014 03:40, John Iliffe wrote:
> > I am compiling Apache-2.4.9 from source with the new openssl 1.0.1g. So far everything looks good EXCEPT that Apache won't start. After making a number of tweaks to the configuration, I'm stuck. The error from httpd -t is:
> >
> >     httpd: Syntax error on line 130 of /usr/apache-2.4.9/conf/httpd.conf: Cannot load modules/mod_ssl.so into server: libssl.so.1.0.0: cannot open shared object file: No such file or directory
> >
> > I compiled with:
> >
> >     "./configure" \
> >     "--prefix=/usr/apache-2.4.9" \
> >     "--with-included-apr" \
> >     "--with-pcre=/usr/pcre-8.32" \
> >     "--with-ssl=/usr/openssl-1.0.1g" \
> >
> > and the modules/ directory has the following partial listing:
> >
> >     -rwxr-xr-x 1 root root  35192 Apr 10 20:23 mod_socache_memcache.so
> >     -rwxr-xr-x 1 root root  66857 Apr 10 20:23 mod_socache_shmcb.so
> >     -rwxr-xr-x 1 root root  36732 Apr 10 20:23 mod_speling.so
> >     -rwxr-xr-x 1 root root 826891 Apr 10 20:23 mod_ssl.so
> >     -rwxr-xr-x 1 root root  61870 Apr 10 20:23 mod_status.so
> >     -rwxr-xr-x 1 root root  42570 Apr 10 20:23 mod_substitute.so
> >
> > Note that mod_ssl.so is third from the bottom. I'm assuming that there is some problem with the way I compiled openssl but it doesn't save a copy of the command line. Here is what I "think" I used:
> >
> >     ./configure --prefix=/usr/openssl-1.0.1g share
> >
> > which worked OK when I compiled Apache.
> >
> > I'm sure if I weren't in such an all-fired hurry I could figure this out but I would ask anyone who has already done this update to help me out here.
> >
> > Thanks in advance.
> >
> > John
>
> Well, if you installed openssl-1.0.1g and have openssl dynamically linked by httpd, I don't see the need to re-compile http, rebooting should be enough I think (someone correct if I'm wrong).
>
> Here (Slackware-14.0, openssl upgraded to openssl-1.0.1g but httpd not recompiled since):
>
> bash-4.2$ ldd /usr/sbin/httpd
> linux-gate.so.1 (0xe000)
> libpcre.so.0 => /usr/lib/libpcre.so.0 (0xb75fb000)
> libaprutil-1.so.0 => /usr/lib/libaprutil-1.so.0 (0xb75d2000)
> libexpat.so.1 => /usr/lib/libexpat.so.1 (0xb75aa000)
> libsqlite3.so.0 => /usr/lib/libsqlite3.so.0 (0xb74fb000)
> libdb-4.4.so => /lib/libdb-4.4.so (0xb73dd000)
> libldap-2.4.so.2 => /usr/lib/libldap-2.4.so.2 (0xb7393000)
> libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7379000)
> l
Re: [users@httpd] mod ssl
On 12/04/2014 03:40, John Iliffe wrote:
> I am compiling Apache-2.4.9 from source with the new openssl 1.0.1g. So far everything looks good EXCEPT that Apache won't start. After making a number of tweaks to the configuration, I'm stuck. The error from httpd -t is:
>
>     httpd: Syntax error on line 130 of /usr/apache-2.4.9/conf/httpd.conf: Cannot load modules/mod_ssl.so into server: libssl.so.1.0.0: cannot open shared object file: No such file or directory
>
> I compiled with:
>
>     "./configure" \
>     "--prefix=/usr/apache-2.4.9" \
>     "--with-included-apr" \
>     "--with-pcre=/usr/pcre-8.32" \
>     "--with-ssl=/usr/openssl-1.0.1g" \
>
> and the modules/ directory has the following partial listing:
>
>     -rwxr-xr-x 1 root root  35192 Apr 10 20:23 mod_socache_memcache.so
>     -rwxr-xr-x 1 root root  66857 Apr 10 20:23 mod_socache_shmcb.so
>     -rwxr-xr-x 1 root root  36732 Apr 10 20:23 mod_speling.so
>     -rwxr-xr-x 1 root root 826891 Apr 10 20:23 mod_ssl.so
>     -rwxr-xr-x 1 root root  61870 Apr 10 20:23 mod_status.so
>     -rwxr-xr-x 1 root root  42570 Apr 10 20:23 mod_substitute.so
>
> Note that mod_ssl.so is third from the bottom. I'm assuming that there is some problem with the way I compiled openssl but it doesn't save a copy of the command line. Here is what I "think" I used:
>
>     ./configure --prefix=/usr/openssl-1.0.1g share
>
> which worked OK when I compiled Apache.
>
> I'm sure if I weren't in such an all-fired hurry I could figure this out but I would ask anyone who has already done this update to help me out here.
>
> Thanks in advance.
>
> John

Well, if you installed openssl-1.0.1g and have openssl dynamically linked by httpd, I don't see the need to re-compile http, rebooting should be enough I think (someone correct if I'm wrong).

Here (Slackware-14.0, openssl upgraded to openssl-1.0.1g but httpd not recompiled since):

    bash-4.2$ ldd /usr/sbin/httpd
    linux-gate.so.1 (0xe000)
    libpcre.so.0 => /usr/lib/libpcre.so.0 (0xb75fb000)
    libaprutil-1.so.0 => /usr/lib/libaprutil-1.so.0 (0xb75d2000)
    libexpat.so.1 => /usr/lib/libexpat.so.1 (0xb75aa000)
    libsqlite3.so.0 => /usr/lib/libsqlite3.so.0 (0xb74fb000)
    libdb-4.4.so => /lib/libdb-4.4.so (0xb73dd000)
    libldap-2.4.so.2 => /usr/lib/libldap-2.4.so.2 (0xb7393000)
    libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7379000)
    libssl.so.1 => /lib/libssl.so.1 (0xb7316000)
    libcrypto.so.1 => /lib/libcrypto.so.1 (0xb715f000)
    liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0xb715)
    libresolv.so.2 => /lib/libresolv.so.2 (0xb7137000)
    libapr-1.so.0 => /usr/lib/libapr-1.so.0 (0xb7104000)
    libuuid.so.1 => /lib/libuuid.so.1 (0xb710)
    librt.so.1 => /lib/librt.so.1 (0xb70f7000)
    libcrypt.so.1 => /lib/libcrypt.so.1 (0xb70c4000)
    libpthread.so.0 => /lib/libpthread.so.0 (0xb70aa000)
    libdl.so.2 => /lib/libdl.so.2 (0xb70a4000)
    libc.so.6 => /lib/libc.so.6 (0xb6f1f000)
    /lib/ld-linux.so.2 (0xb76ef000)
    bash-4.2$ openssl version
    OpenSSL 1.0.1g 7 Apr 2014
    bash-4.2$

I just upgraded openssl.

But this message

> Cannot load modules/mod_ssl.so into server: libssl.so.1.0.0: cannot open shared object file: No such file or directory

doesn't say that there was a problem in compiling https, only that you miss the shared library libssl.so.1.0.0. Did you check that it is where expected?

FYI, the configure command in Slackware 14.0 is:

    ./configure \
      --enable-layout=Slackware-FHS \
      --with-apr=/usr \
      --with-apr-util=/usr \
      --enable-mods-shared=all \
      --enable-so \
      --enable-mpms-shared=all \
      --enable-pie \
      --enable-cgi \
      --with-pcre \
      --enable-ssl \
      --enable-rewrite \
      --enable-vhost-alias \
      --enable-proxy \
      --enable-proxy-http \
      --enable-proxy-ftp \
      --enable-cache \
      --enable-mem-cache \
      --enable-file-cache \
      --enable-disk-cache \
      --enable-dav \
      --enable-ldap \
      --enable-authnz-ldap \
      --enable-authn-anon \
      --enable-authn-alias \
      --build=$ARCH-slackware-linux || exit 1

HTH,

Didier

PS I don't see the need for this:

> ./configure --prefix=/usr/openssl-1.0.1g share

I'd just keep *only* the good version of openssl.

In any case ldd /path/to/httpd should confirm you that there is a problem linking to openssl (maybe it's not in /usr/openssl-1.0.1g/lib ?)
[users@httpd] mod ssl
I am compiling Apache-2.4.9 from source with the new openssl 1.0.1g. So far everything looks good EXCEPT that Apache won't start. After making a number of tweaks to the configuration, I'm stuck. The error from httpd -t is:

    httpd: Syntax error on line 130 of /usr/apache-2.4.9/conf/httpd.conf: Cannot load modules/mod_ssl.so into server: libssl.so.1.0.0: cannot open shared object file: No such file or directory

I compiled with:

    "./configure" \
    "--prefix=/usr/apache-2.4.9" \
    "--with-included-apr" \
    "--with-pcre=/usr/pcre-8.32" \
    "--with-ssl=/usr/openssl-1.0.1g" \

and the modules/ directory has the following partial listing:

    -rwxr-xr-x 1 root root  35192 Apr 10 20:23 mod_socache_memcache.so
    -rwxr-xr-x 1 root root  66857 Apr 10 20:23 mod_socache_shmcb.so
    -rwxr-xr-x 1 root root  36732 Apr 10 20:23 mod_speling.so
    -rwxr-xr-x 1 root root 826891 Apr 10 20:23 mod_ssl.so
    -rwxr-xr-x 1 root root  61870 Apr 10 20:23 mod_status.so
    -rwxr-xr-x 1 root root  42570 Apr 10 20:23 mod_substitute.so

Note that mod_ssl.so is third from the bottom. I'm assuming that there is some problem with the way I compiled openssl but it doesn't save a copy of the command line. Here is what I "think" I used:

    ./configure --prefix=/usr/openssl-1.0.1g share

which worked OK when I compiled Apache.

I'm sure if I weren't in such an all-fired hurry I could figure this out but I would ask anyone who has already done this update to help me out here.

Thanks in advance.

John