In recent times, I’ve increasingly encountered the need to update OpenSSL to its latest version on servers. Unfortunately, so much relies on the OpenSSL libraries within the server that replacing them entirely isn’t feasible – or if attempted, it could yield disastrous results. I once managed to compile an RPM package of
OpenSSL 1.0.1n for CentOS 6.5, successfully replacing
OpenSSL 1.0.1e. However, post-replacement, both Apache and MySQL daemons stopped working. They continued to search for libraries from
OpenSSL 1.0.1e and couldn’t recognize 1.0.1n.
Recently, the issue caught up with me, and I decided to find a solution to this problem.
As it turns out, clarity often comes when cigarettes are set aside. A non-smoking version of myself realized that there was no need to completely replace the system OpenSSL libraries. Instead, I could compile the latest OpenSSL version using source code, while leaving the system OpenSSL in place. From this base, I could create an Apache module. Fortunately (though I was unhappy at the time), the client also required the latest version of Apache 2.2, which wasn’t available in CentOS 6.7 repositories.
To begin, let’s install a couple of packages:
yum install gcc make zlib-devel wget
Next, I’ll work in the
/usr/local/src folder, though you can choose any location you prefer.
Starting with OpenSSL.
At the time of writing this article, the replacement for
1.0.1q. Let’s download it
Compiling is straightforward. The key is to remember to create a shared library:
./config -prefix=/opt/openssl -openssldir=/opt/openssl/openssl -shared
After this, all components will reside in the
Some people prefer using the prefix
/usr/local. In that case, after compilation, files will be located in the following folders:
You can compile any other OpenSSL package similarly.
For ease of use, you can symlink the binary to a folder within the $PATH environment variable
ln -s /opt/openssl/bin/openssl /usr/bin/openssl101q
To ensure proper functionality, OpenSSL requires the Perl module
yum install perl-WWW-Curl.x86_64
The Apache version is not critical. I needed the latest version from the 2.2 branch.
Download and extract it:
tar xf httpd-2.2.31.tar.gz
The minimal set of options for the configure script will be:
./configure -prefix=/opt/httpd2 -with-included-apr **-enable-ssl=shared -with-ssl=/opt/openssl -enable-ssl-staticlib-deps**
The full set of modules can be compiled using the following combination of configure options. Each module will be represented as a separate
./configure -prefix=/opt/httpd2 -enable-ssl=shared -with-ssl=/opt/openssl -enable-ssl-staticlib-deps=shared -enable-mods-static=ssl=shared -enable-exception-hook=shared -enable-maintainer-mode=shared -enable-pie=shared -enable-authn-dbm=shared -enable-authn-anon=shared -enable-authn-dbd=shared -enable-authn-alias=shared -enable-isapi=shared -enable-file-cache=shared -enable-cache=shared -enable-disk-cache=shared -enable-mem-cache=shared -enable-dbd=shared -enable-reqtimeout=shared -enable-ext-filter=shared -enable-substitute=shared -enable-charset-lite=shared -enable-deflate=shared -enable-log-forensic=shared -enable-logio=shared -enable-mime-magic=shared -enable-cern-meta=shared -enable-expires=shared -enable-headers=shared -enable-ident=shared -enable-usertrack=shared -enable-unique-id=shared -enable-proxy=shared -enable-proxy-connect=shared -enable-proxy-http=shared -enable-proxy-scgi=shared -enable-proxy-ajp=shared -enable-proxy-balancer=shared -enable-optional-hook-export=shared -enable-optional-hook-import=shared -enable-optional-fn-import=shared -enable-optional-fn-export=shared -enable-dav=shared -enable-info=shared -enable-suexec=shared -enable-cgi=shared -enable-cgid=shared -enable-dav-fs=shared -enable-dav-lock=shared -enable-vhost-alias=shared -enable-imagemap=shared -enable-speling=shared -enable-rewrite=shared -enable-so -enable-http
If you encounter the following error, it means
zlib-devel is missing in the system:
mod_deflate... configure: error: mod_deflate has been requested but can not be built due to prerequisite failures
The finishing touch:
Once compilation is complete, files will be in the
/opt/httpd2 directory. To finalize, create an init script and add the service to auto-start.
wget -O /etc/init.d/httpd2 /wp-content/uploads/2015/12/httpd2
chmod +x /etc/init.d/httpd2
chkconfig httpd2 on
During the build, necessary libraries were not copied to the Apache folder, causing the daemon to fail to start. Execute the following:
ln -s /opt/openssl/lib/libcrypto.so.1.0.0 /opt/httpd2/lib/
ln -s /opt/openssl/lib/libssl.so.1.0.0 /opt/httpd2/lib/
Now, let’s start it
ln -s /opt/httpd2/bin/apachectl /usr/sbin/apachectl2
You can use the
telnet utility for verification. While in the server console, run
telnet localhost 80
Once you receive the greeting from the
Apache server, execute:
HEAD / HTTP/1.0
By default, Apache is configured to display all headers, so you should see the following in response:
Following this, you can update both
OpenSSL effortlessly as new versions are released.
The following articles can be useful:
- Securing Weak Points in SSL Apache Settings
- Compiling PHP from Source
- Installing mod_security for Apache
- Installing mod_geoip
- Creating a Secure Web Server
The following resources were used in writing the article: