how to upgrade openssl for apache 2.2.29 – still using old 0.9.8 version

I am running a 10.04LTE server where I do want to upgrade openssl for apache.

Therefore I downloaded openssl 1.0.2c and apache 2.2.29 and compiled both. The server is starting, but is using the old ssl version:

curl --head http://localhost
HTTP/1.1 200 OK
Date: Mon, 22 Jun 2015 06:00:06 GMT
Server: Apache/2.2.29 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8k
Last-Modified: Sun, 18 Mar 2012 19:56:07 GMT

However, Openssl is installed in new version:

/usr/local/ssl/bin/openssl version
OpenSSL 1.0.2c 12 Jun 2015

While the original version stayes in place:

openssl version
OpenSSL 0.9.8k 25 Mar 2009

I compiled apache with:

./configure --with-included-apr --prefix=/usr/local/apache2 --enable-so     
--enable-rewrite --with-ssl=/usr/local/ssl --enable-ssl=shared
--enable-deflate --enable-expires --enable-headers 

Apache did not start before I included:

LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so

According to the mod ssl website this is only available for apache 1.x

Not sure what is going wrong here. Thank you for any help!

1 Answer
1

The problem is that your Apache installation is unable to link the shared libraries of your new OpenSSL installation. Run the command ldd /usr/local/apache/modules/mod_ssl.so (with the apporpriate path to your mod_ssl.so). You’ll see that mod_ssl.so is not linking to the libraries in /usr/local/ssl/lib

You have a couple options to fix the problem:

Option #1 – Link in the libraries:

Open /etc/ld.so.conf.d/local.conf for editing and add the following line: /usr/local/openssl/lib

Re-compile Apache (remember to make clean) and it should work.

If that doesn’t work. You could also try specifying LDFLAGS directly with your configure command:

LDFLAGS=-L/usr/local/ssl/lib \ ./configure --with-included-apr --prefix=/usr/local/apache2 --enable-so     
--enable-rewrite --with-ssl=/usr/local/ssl --enable-ssl=shared
--enable-deflate --enable-expires --enable-headers

Option #2 – Upgrade the system OpenSSL:

Re-install OpenSSL with the config line ./config --prefix=/usr --openssldir=/usr/local/openssl shared

When the prefix is not specified in your config line, the OpenSSL installer will default to /usr/local/ssl.

Quick install instructions:

cd /usr/local/src
wget https://www.openssl.org/source/openssl-1.0.2-latest.tar.gz
tar -zxf openssl-1.0.2*
cd openssl-1.0.2*
./config --prefix=/usr --openssldir=/usr/local/openssl shared
make
make test
make install

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *