Upgrading Apache 2.2.31 OpenSSL 1.0.1q on CentOS 6.7

In recent times, I’ve increasingly encountered the need to update OpenSSL to its latest version on servers. Unfortunately, so much relies on the OpenSSL libraries within the server that replacing them entirely isn’t feasible – or if attempted, it could yield disastrous results. I once managed to compile an RPM package of OpenSSL 1.0.1n for CentOS 6.5, successfully replacing OpenSSL 1.0.1e. However, post-replacement, both Apache and MySQL daemons stopped working. They continued to search for libraries from OpenSSL 1.0.1e and couldn’t recognize 1.0.1n.

Recently, the issue caught up with me, and I decided to find a solution to this problem.

As it turns out, clarity often comes when cigarettes are set aside. A non-smoking version of myself realized that there was no need to completely replace the system OpenSSL libraries. Instead, I could compile the latest OpenSSL version using source code, while leaving the system OpenSSL in place. From this base, I could create an Apache module. Fortunately (though I was unhappy at the time), the client also required the latest version of Apache 2.2, which wasn’t available in CentOS 6.7 repositories.

To begin, let’s install a couple of packages:

yum install gcc make zlib-devel wget

Next, I’ll work in the /usr/local/src folder, though you can choose any location you prefer.

Starting with OpenSSL.

At the time of writing this article, the replacement for 1.0.1e was 1.0.1q. Let’s download it

wget https://www.openssl.org/source/openssl-1.0.1q.tar.gz

Compiling is straightforward. The key is to remember to create a shared library:

./config -prefix=/opt/openssl -openssldir=/opt/openssl/openssl -shared  
make  
make install

After this, all components will reside in the /opt/openssl directory.

Some people prefer using the prefix /usr/local. In that case, after compilation, files will be located in the following folders:

• /usr/local/bin
• /usr/local/include
• /usr/local/lib
• /usr/local/openssl

You can compile any other OpenSSL package similarly.

For ease of use, you can symlink the binary to a folder within the $PATH environment variable

ln -s /opt/openssl/bin/openssl /usr/bin/openssl101q

To ensure proper functionality, OpenSSL requires the Perl module WWW::Curl::Easy:

yum install perl-WWW-Curl.x86_64

Apache

The Apache version is not critical. I needed the latest version from the 2.2 branch.

Download and extract it:

wget http://ftp.ps.pl/pub/apache/httpd/httpd-2.2.31.tar.gz  
tar xf httpd-2.2.31.tar.gz  
cd httpd-2.2.31

The minimal set of options for the configure script will be:

./configure -prefix=/opt/httpd2 -with-included-apr **-enable-ssl=shared -with-ssl=/opt/openssl -enable-ssl-staticlib-deps**

The full set of modules can be compiled using the following combination of configure options. Each module will be represented as a separate .so file:

./configure -prefix=/opt/httpd2 -enable-ssl=shared -with-ssl=/opt/openssl -enable-ssl-staticlib-deps=shared -enable-mods-static=ssl=shared -enable-exception-hook=shared -enable-maintainer-mode=shared -enable-pie=shared -enable-authn-dbm=shared -enable-authn-anon=shared -enable-authn-dbd=shared -enable-authn-alias=shared -enable-isapi=shared -enable-file-cache=shared -enable-cache=shared -enable-disk-cache=shared -enable-mem-cache=shared -enable-dbd=shared -enable-reqtimeout=shared -enable-ext-filter=shared -enable-substitute=shared -enable-charset-lite=shared -enable-deflate=shared -enable-log-forensic=shared -enable-logio=shared -enable-mime-magic=shared -enable-cern-meta=shared -enable-expires=shared -enable-headers=shared -enable-ident=shared -enable-usertrack=shared -enable-unique-id=shared -enable-proxy=shared -enable-proxy-connect=shared -enable-proxy-http=shared -enable-proxy-scgi=shared -enable-proxy-ajp=shared -enable-proxy-balancer=shared -enable-optional-hook-export=shared -enable-optional-hook-import=shared -enable-optional-fn-import=shared -enable-optional-fn-export=shared -enable-dav=shared -enable-info=shared -enable-suexec=shared -enable-cgi=shared -enable-cgid=shared -enable-dav-fs=shared -enable-dav-lock=shared -enable-vhost-alias=shared -enable-imagemap=shared -enable-speling=shared -enable-rewrite=shared -enable-so -enable-http

If you encounter the following error, it means zlib-devel is missing in the system:

mod_deflate... configure: error: mod_deflate has been requested but can not be built due to prerequisite failures

The finishing touch:

make  
make install

Once compilation is complete, files will be in the /opt/httpd2 directory. To finalize, create an init script and add the service to auto-start.

wget -O /etc/init.d/httpd2 /wp-content/uploads/2015/12/httpd2  
chmod +x /etc/init.d/httpd2  
chkconfig httpd2 on

During the build, necessary libraries were not copied to the Apache folder, causing the daemon to fail to start. Execute the following:

ln -s /opt/openssl/lib/libcrypto.so.1.0.0 /opt/httpd2/lib/  
ln -s /opt/openssl/lib/libssl.so.1.0.0 /opt/httpd2/lib/

Now, let’s start it

/etc/init.d/httpd2 start

Link apachectl:

ln -s /opt/httpd2/bin/apachectl /usr/sbin/apachectl2

You can use the telnet utility for verification. While in the server console, run

telnet localhost 80

Once you receive the greeting from the Apache server, execute:

HEAD / HTTP/1.0

By default, Apache is configured to display all headers, so you should see the following in response:

Conclusion

Following this, you can update both Apache and OpenSSL effortlessly as new versions are released.

The following articles can be useful:

• Securing Weak Points in SSL Apache Settings
• Compiling PHP from Source
• Installing mod_security for Apache
• Installing mod_geoip
• Creating a Secure Web Server

The following resources were used in writing the article:

• blog.ivanristic.com
• dan.drydog.com