Posted to dev@httpd.apache.org by Tom Browder <to...@gmail.com> on 2014/02/20 01:24:19 UTC

SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

On Wed, Feb 19, 2014 at 7:09 PM, Dr Stephen Henson
<sh...@opensslfoundation.com> wrote:
> On 19/02/2014 23:54, Tom Browder wrote:
>> On Wed, Feb 19, 2014 at 11:21 AM, Tom Browder <to...@gmail.com> wrote:
>>> On Wed, Feb 19, 2014 at 10:53 AM, Dr Stephen Henson
>>> <sh...@opensslfoundation.com> wrote:
>>>> On 19/02/2014 15:08, Tom Browder wrote:
>>>>> I configured httpd-2.4.7 successfully to use mod_ssl:
>>>>>
>>>>>   ...
>>>> That could be user error. The path /usr/local/ssl/fips-2.0 is the default
>>>> install location of the FIPS module which isn't a complete version of OpenSSL.
>>>> It should point to the location the FIPS capable OpenSSL is installed instead.
>>>
>>> Hm, I thought I tried that but I'll recheck and configure with:
>>>
>>>   --with-ssl=/usr/local/ssl
>>
>> Bummer!
>>
>> When I did that, I get this:
>>
>> checking for OpenSSL... checking for user-provided OpenSSL base
..
>> checking for OpenSSL version >= 0.9.7... OK

> Well something is wrong there with it indicating OpenSSL version 0.9.7. If you
> intend to use the FIPS 2.0 module you must use OpenSSL 1.0.1.

That doesn't mean it's using 0.9.7.  As a matter of fact my Debian
installed OpenSSL is 1.0.1e, and I'm trying to use 1.0.1.f FIPS.

But now I get a failure to build Apache:

/usr/local/ssl/lib/libcrypto.a(c_zlib.o): In function `bio_zlib_free':
c_zlib.c:(.text+0x4d): undefined reference to `inflateEnd'
c_zlib.c:(.text+0x69): undefined reference to `deflateEnd'
/usr/local/ssl/lib/libcrypto.a(c_zlib.o): In function `bio_zlib_ctrl':
c_zlib.c:(.text+0x24e): undefined reference to `deflate'
c_zlib.c:(.text+0x338): undefined reference to `zError'

So should I just kiss off Open SSL FIPS and Apache?

-Tom

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

Posted by Dr Stephen Henson <sh...@opensslfoundation.com>.
On 20/02/2014 00:24, Tom Browder wrote:
> On Wed, Feb 19, 2014 at 7:09 PM, Dr Stephen Henson
> <sh...@opensslfoundation.com> wrote:
>> On 19/02/2014 23:54, Tom Browder wrote:
>>> On Wed, Feb 19, 2014 at 11:21 AM, Tom Browder <to...@gmail.com> wrote:
>>>> On Wed, Feb 19, 2014 at 10:53 AM, Dr Stephen Henson
>>>> <sh...@opensslfoundation.com> wrote:
>>>>> On 19/02/2014 15:08, Tom Browder wrote:
>>>>>> I configured httpd-2.4.7 successfully to use mod_ssl:
>>>>>>
>>>>>>   ...
>>>>> That could be user error. The path /usr/local/ssl/fips-2.0 is the default
>>>>> install location of the FIPS module which isn't a complete version of OpenSSL.
>>>>> It should point to the location the FIPS capable OpenSSL is installed instead.
>>>>
>>>> Hm, I thought I tried that but I'll recheck and configure with:
>>>>
>>>>   --with-ssl=/usr/local/ssl
>>>
>>> Bummer!
>>>
>>> When I did that, I get this:
>>>
>>> checking for OpenSSL... checking for user-provided OpenSSL base
> ..
>>> checking for OpenSSL version >= 0.9.7... OK
> 
>> Well something is wrong there with it indicating OpenSSL version 0.9.7. If you
>> intend to use the FIPS 2.0 module you must use OpenSSL 1.0.1.
> 
> That doesn't mean it's using 0.9.7.  As a matter of fact my Debian
> installed OpenSSL is 1.0.1e, and I'm trying to use 1.0.1.f FIPS.
> 
> But now I get a failure to build Apache:
> 
> /usr/local/ssl/lib/libcrypto.a(c_zlib.o): In function `bio_zlib_free':
> c_zlib.c:(.text+0x4d): undefined reference to `inflateEnd'
> c_zlib.c:(.text+0x69): undefined reference to `deflateEnd'
> /usr/local/ssl/lib/libcrypto.a(c_zlib.o): In function `bio_zlib_ctrl':
> c_zlib.c:(.text+0x24e): undefined reference to `deflate'
> c_zlib.c:(.text+0x338): undefined reference to `zError'
> 
> So should I just kiss off Open SSL FIPS and Apache?
> 

What options did you use to configure OpenSSL? That looks like it has been
configured to use a static link to zlib. Do you need zlib support?

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson@opensslfoundation.com

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

Posted by Dr Stephen Henson <sh...@opensslfoundation.com>.
On 20/02/2014 02:21, Tom Browder wrote:
> On Wed, Feb 19, 2014 at 9:11 PM, William A. Rowe Jr. <wm...@gmail.com> wrote:
>> You could try tweaking the deployed /usr/local/lib/pkgconfig/openssl.pc file
>> to include -lz in Libs: (just after -ldl), and then re-./configure
> 
> I'll first see if I can get a good SSL to work.  So far no build
> problems after I took out the zlib configure options with
> openssl/openssl-fips.  I'll try my shiny new apache 2.4.7 and SSL
> tomorrow morning.
> 
> The zlib is not that important to me at the moment--it just seemed a
> reasonable option when I first started this venture.
> 

Ah... there was a recent fix for this which hasn't yet appeared in an official
OpenSSL release. This means that configuring OpenSSL with "zlib" won't create
correct *.pc files. The "zlib-dynamic" option (which links to zlib at runtime in
OpenSSL) should be OK though.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson@opensslfoundation.com

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

Posted by Tom Browder <to...@gmail.com>.
On Wed, Feb 19, 2014 at 9:11 PM, William A. Rowe Jr. <wm...@gmail.com> wrote:
> You could try tweaking the deployed /usr/local/lib/pkgconfig/openssl.pc file
> to include -lz in Libs: (just after -ldl), and then re-./configure

I'll first see if I can get a good SSL to work.  So far no build
problems after I took out the zlib configure options with
openssl/openssl-fips.  I'll try my shiny new apache 2.4.7 and SSL
tomorrow morning.

The zlib is not that important to me at the moment--it just seemed a
reasonable option when I first started this venture.

Thanks for the advice.

-Tom

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

Posted by Tom Browder <to...@gmail.com>.
On Thu, Feb 20, 2014 at 1:04 PM, Tom Browder <to...@gmail.com> wrote:
> On Thu, Feb 20, 2014 at 11:45 AM, William A. Rowe Jr. <wm...@gmail.com> wrote:
>> Output from ldd /user/local/bin/httpd ?

My system is up and running and serving https using the system openssl library.

I would like to use my compiled version of openssl if anyone can tell
me how to do it.

I'll probably come back to this issue later but I have to move on for
the moment.

Thanks so much for your patience!

Best regards,

-Tom

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

Posted by Tom Browder <to...@gmail.com>.
On Thu, Feb 20, 2014 at 11:45 AM, William A. Rowe Jr. <wm...@gmail.com> wrote:
> Output from ldd /user/local/bin/httpd ?

linux-gate.so.1 =>  (0xb77a9000)
libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0xb7782000)
libaprutil-1.so.0 => /usr/local/apache2/lib/libaprutil-1.so.0 (0xb775c000)
libexpat.so.1 => /lib/i386-linux-gnu/libexpat.so.1 (0xb7733000)
libapr-1.so.0 => /usr/local/apache2/lib/libapr-1.so.0 (0xb76ff000)
librt.so.1 => /lib/i386-linux-gnu/i686/cmov/librt.so.1 (0xb76f6000)
libcrypt.so.1 => /lib/i386-linux-gnu/i686/cmov/libcrypt.so.1 (0xb76c4000)
libpthread.so.0 => /lib/i386-linux-gnu/i686/cmov/libpthread.so.0 (0xb76ab000)
libdl.so.2 => /lib/i386-linux-gnu/i686/cmov/libdl.so.2 (0xb76a6000)
libc.so.6 => /lib/i386-linux-gnu/i686/cmov/libc.so.6 (0xb7542000)
/lib/ld-linux.so.2 (0xb77aa000)

I checked this before.  It looks like libssl is being dropped due to
the conflicting libraries.

I've tried adding LD_LIBRARY_PATH=/usr/local/ssl/lib:$LD_LIBRARY_PATH
to my /usr/local/apache2/bin/envvars file but that didn't work.

My config log shows apr and apr-util getting the new libssl, but the
server doesn't.

Does the server need an rpath statement in its link line?  I don't see one.

-Tom

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

Posted by "William A. Rowe Jr." <wm...@gmail.com>.
Output from ldd /user/local/bin/httpd ?

mod_ssl and aprutil-1.so ought to have the right rpath to resolve.  One of
your other libs is bound to openssl, as I warned you before about
libldap/lber.

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

Posted by Tom Browder <to...@gmail.com>.
On Thu, Feb 20, 2014 at 6:35 AM, Tom Browder <to...@gmail.com> wrote:
> On Thu, Feb 20, 2014 at 1:50 AM, William A. Rowe Jr. <wm...@gmail.com> wrote:
>> There is no embedded.  httpd-2.2 included apr, apr-util.  httpd-2.4 by
>> vote of the PMC excluded apr, apr-util, so you might be imagining
>
> Sorry, sloppy terminology: I built httpd with apr and apr-util inside
> its tree, i.e., with configuration option:
>
>   --with-included-apr

Okay, I started over and it looks like I have a good shared library set up.

Here is a fragment of my httpd configuration log:

checking whether to enable mod_ssl... checking dependencies
checking for OpenSSL... checking for user-provided OpenSSL base
directory... /usr/local/ssl
  adding "-I/usr/local/ssl/include" to CPPFLAGS
  setting MOD_CFLAGS to "-I/usr/local/ssl/include"
  setting ab_CFLAGS to "-I/usr/local/ssl/include"
  adding "-L/usr/local/ssl/lib" to LDFLAGS
  setting MOD_LDFLAGS to "-L/usr/local/ssl/lib"
  adding "-lssl" to MOD_LDFLAGS
  setting LIBS to "-lssl -lcrypto  -lrt -lcrypt  -lpthread -ldl"
  forcing ab_LDFLAGS to "-L/usr/local/ssl/lib -lssl -lcrypto -lrt
-lcrypt -lpthread -ldl"
checking openssl/engine.h usability... yes
...

However, when I start httpd I get this message in my error.log:

[Thu Feb 20 10:45:19.104311 2014] [ssl:warn] [pid 8992:tid 3075369280]
AH01882: Init: this version of mod_ssl was compiled against a newer
library (OpenSSL 1.0.1f 6 Jan 2014, version currently loaded is
OpenSSL 1.0.1e 11 Feb 2013) - may result in undefined or erroneous
behavior
[Thu Feb 20 10:45:19.104451 2014] [ssl:debug] [pid 8992:tid
3075369280] ssl_engine_pphrase.c(181): AH02199: SSL not enabled on
vhost tbrowde.net:80, skipping SSL setup

So how can I force httpd to load the new library?  I know I can use
tricks with a wrapper script and LD_LIBRARY_CONFIG but is there
something I can do in the configuration step instead?

Otherwise I guess I can fall back to the package installed version of
ssl (bummer).

(BTW, my host is Debian Linux 7, 32-bit.)

Thanks.

-Tom

P.S. I can include all configuration and build logs and configuration
options used for openssl and httpd if wanted.
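
Added example (not part of the original message, and not httpd or OpenSSL project code): a shell check for the situation this post describes, where mod_ssl was built against /usr/local/ssl but an older libssl is loaded at run time. The log line is the AH01882 warning quoted above; the ldd sample, its library paths and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: find evidence that httpd loaded a
# different OpenSSL than the one mod_ssl was built against.

# AH01882 warning as quoted in the thread, re-joined onto the single line
# that httpd writes to error.log.
SAMPLE_LOG='[Thu Feb 20 10:45:19.104311 2014] [ssl:warn] [pid 8992:tid 3075369280] AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.0.1f 6 Jan 2014, version currently loaded is OpenSSL 1.0.1e 11 Feb 2013) - may result in undefined or erroneous behavior'

# Constructed ldd output for a hypothetical mod_ssl.so whose libssl/libcrypto
# resolved to the distribution copies (these paths are assumptions).
SAMPLE_LDD='libssl.so.1.0.0 => /usr/lib/i386-linux-gnu/i686/cmov/libssl.so.1.0.0 (0xb7700000)
libcrypto.so.1.0.0 => /usr/lib/i386-linux-gnu/i686/cmov/libcrypto.so.1.0.0 (0xb7540000)
libdl.so.2 => /lib/i386-linux-gnu/i686/cmov/libdl.so.2 (0xb76a6000)'

# stdin: error.log text. Prints "compiled=X loaded=Y" per AH01882 warning.
ah01882_versions() {
    sed -n 's/.*AH01882:.*(OpenSSL \([^ ]*\) .*currently loaded is OpenSSL \([^ ]*\) .*/compiled=\1 loaded=\2/p'
}

# stdin: ldd output; $1: directory the custom OpenSSL was installed into.
# Prints every libssl/libcrypto entry that resolved somewhere else.
ssl_libs_outside() {
    awk -v want="$1" '
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if (index($3, want "/") != 1) print $1 " -> " $3
        }'
}

# $1: error.log text, $2: ldd text, $3: expected lib dir.
# Prints findings and returns 1 if either check found a mismatch.
audit_openssl_runtime() {
    status=0
    versions=$(printf '%s\n' "$1" | ah01882_versions)
    stray=$(printf '%s\n' "$2" | ssl_libs_outside "$3")
    if [ -n "$versions" ]; then
        echo "version mismatch logged: $versions"; status=1
    fi
    if [ -n "$stray" ]; then
        echo "resolved outside $3:"; echo "$stray"; status=1
    fi
    return $status
}

# Stand-alone run over the samples above.
audit_openssl_runtime "$SAMPLE_LOG" "$SAMPLE_LDD" /usr/local/ssl/lib \
    || echo "result: runtime OpenSSL is not the build-time OpenSSL"
```

On a live host, feed it the real error.log and the `ldd` output for mod_ssl.so and libaprutil-1.so rather than for the httpd binary alone. `readelf -d` on those files shows whether an RPATH or RUNPATH entry was recorded at link time.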

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

Posted by Tom Browder <to...@gmail.com>.
On Thu, Feb 20, 2014 at 1:50 AM, William A. Rowe Jr. <wm...@gmail.com> wrote:
> There is no embedded.  httpd-2.2 included apr, apr-util.  httpd-2.4 by
> vote of the PMC excluded apr, apr-util, so you might be imagining

Sorry, sloppy terminology: I built httpd with apr and apr-util inside
its tree, i.e., with configuration option:

  --with-included-apr

-Tom

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

Posted by "William A. Rowe Jr." <wm...@gmail.com>.
There is no embedded.  httpd-2.2 included apr, apr-util.  httpd-2.4 by
vote of the PMC excluded apr, apr-util, so you might be imagining
things.  Or RM's are doing some goofy things.


On Wed, Feb 19, 2014 at 9:34 PM, Tom Browder <to...@gmail.com> wrote:
> On Wed, Feb 19, 2014 at 9:40 PM, William A. Rowe Jr. <wm...@gmail.com> wrote:
>> First insight, did you ./config openssl, or ./config shared?  It seems near
>
> No option which I think means static.
>
>> impossible to use static openssl.  apr-util configure will fail since
>> pkgconfig isn't consulted properly.  httpd configure would also likely fail
>> for redundant symbols.
>>
>> Second insight - apr-util version 1.5 includes openssl libs.  Once you are
>> linking against both apr-util and openssl, you can't choose a different
>> openssl. You will need to build apr-util against the -same- openssl.
>
> I used the embedded apr, apr-util so it's built with apache.
>
>> Third insight - apr-util links to ldap, as does mod_authnz_ldap.
>> libldap/liblber link to openssl.  Again, quite likely the system library.
>> So, rebuild the openldap project as well against your newly built openssl.
>>
>> Or you can configure apr-util --without-ldap and httpd sans
>> --enable-[authnz-]ldap
> I didn't select ldap, but I'll add --without-ldap
>
>>
>> FTR I am betting dollars to donuts you are trying to use a static, not
>> shared build of openssl.  Please, don't do that :)
>
> Okay!
>
> Thanks!
>
> -Tom

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

Posted by Tom Browder <to...@gmail.com>.
On Wed, Feb 19, 2014 at 9:40 PM, William A. Rowe Jr. <wm...@gmail.com> wrote:
> First insight, did you ./config openssl, or ./config shared?  It seems near

No option which I think means static.

> impossible to use static openssl.  apr-util configure will fail since
> pkgconfig isn't consulted properly.  httpd configure would also likely fail
> for redundant symbols.
>
> Second insight - apr-util version 1.5 includes openssl libs.  Once you are
> linking against both apr-util and openssl, you can't choose a different
> openssl. You will need to build apr-util against the -same- openssl.

I used the embedded apr, apr-util so it's built with apache.

> Third insight - apr-util links to ldap, as does mod_authnz_ldap.
> libldap/liblber link to openssl.  Again, quite likely the system library.
> So, rebuild the openldap project as well against your newly built openssl.
>
> Or you can configure apr-util --without-ldap and httpd sans
> --enable-[authnz-]ldap
I didn't select ldap, but I'll add --without-ldap

>
> FTR I am betting dollars to donuts you are trying to use a static, not
> shared build of openssl.  Please, don't do that :)

Okay!

Thanks!

-Tom

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

Posted by "William A. Rowe Jr." <wm...@gmail.com>.
On Wed, Feb 19, 2014 at 8:51 PM, Dr Stephen Henson
<sh...@opensslfoundation.com> wrote:
>
> On 20/02/2014 02:40, William A. Rowe Jr. wrote:
> > First insight, did you ./config openssl, or ./config shared?  It seems near
> > impossible to use static openssl.  apr-util configure will fail since pkgconfig
> > isn't consulted properly.  httpd configure would also likely fail for redundant
> > symbols.
> >
>
> A static OpenSSL FIPS build will also have problems as statically built FIPS
> applications need to be linked with fipsld. It will appear to work until you try
> to enable FIPS mode and you'll then get a fatal "signature does not match" error.
>
> If you build and install a shared version of the FIPS capable OpenSSL this
> shouldn't happen.

Uhm, with one caveat... did the missing --noexecstack Configure.PL
bugs (for -Wa and -Wl,-z) ever get resolved?  Certain death under any
modern gcc for a relocatable libcrypto.so containing the fips
self-check code.

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

Posted by Dr Stephen Henson <sh...@opensslfoundation.com>.
On 20/02/2014 02:40, William A. Rowe Jr. wrote:
> First insight, did you ./config openssl, or ./config shared?  It seems near
> impossible to use static openssl.  apr-util configure will fail since pkgconfig
> isn't consulted properly.  httpd configure would also likely fail for redundant
> symbols.
> 

A static OpenSSL FIPS build will also have problems as statically built FIPS
applications need to be linked with fipsld. It will appear to work until you try
to enable FIPS mode and you'll then get a fatal "signature does not match" error.

If you build and install a shared version of the FIPS capable OpenSSL this
shouldn't happen.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson@opensslfoundation.com

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

Posted by "William A. Rowe Jr." <wm...@gmail.com>.
First insight, did you ./config openssl, or ./config shared?  It seems near
impossible to use static openssl.  apr-util configure will fail since
pkgconfig isn't consulted properly.  httpd configure would also likely fail
for redundant symbols.

Second insight - apr-util version 1.5 includes openssl libs.  Once you are
linking against both apr-util and openssl, you can't choose a different
openssl. You will need to build apr-util against the -same- openssl.

Third insight - apr-util links to ldap, as does mod_authnz_ldap.
 libldap/liblber link to openssl.  Again, quite likely the system library.
 So, rebuild the openldap project as well against your newly built openssl.

Or you can configure apr-util --without-ldap and httpd sans
--enable-[authnz-]ldap

FTR I am betting dollars to donuts you are trying to use a static, not
shared build of openssl.  Please, don't do that :)


p.s interestingly, openssl 1.0.1f make install_docs totally fails at
man1/cms.1 with 'expected text after =item, not a number' under Fedora 20.
 Not that I attempt that arch for anything of substance.


On Wed, Feb 19, 2014 at 8:11 PM, William A. Rowe Jr. <wm...@gmail.com> wrote:

> You could try tweaking the deployed /usr/local/lib/pkgconfig/openssl.pc
> file to include -lz in Libs: (just after -ldl), and then re-./configure
>
>
> On Wed, Feb 19, 2014 at 7:52 PM, Tom Browder <to...@gmail.com> wrote:
>
>> On Wed, Feb 19, 2014 at 8:39 PM, William A. Rowe Jr. <wm...@gmail.com>
>> wrote:
>> > I've noticed that openssl default builds do not necessarily add -lz to
>> the
>> > lib/pkgconfig/openssl.pc when they might be needed.  In any case I'm
>> going
>> > to guess you perhaps hadn't installed the zlib1g-dev package?
>>
>> No, it's installed.
>>
>> -Tom
>>
>
>

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

Posted by "William A. Rowe Jr." <wm...@gmail.com>.
You could try tweaking the deployed /usr/local/lib/pkgconfig/openssl.pc
file to include -lz in Libs: (just after -ldl), and then re-./configure


On Wed, Feb 19, 2014 at 7:52 PM, Tom Browder <to...@gmail.com> wrote:

> On Wed, Feb 19, 2014 at 8:39 PM, William A. Rowe Jr. <wm...@gmail.com>
> wrote:
> > I've noticed that openssl default builds do not necessarily add -lz to
> the
> > lib/pkgconfig/openssl.pc when they might be needed.  In any case I'm
> going
> > to guess you perhaps hadn't installed the zlib1g-dev package?
>
> No, it's installed.
>
> -Tom
>

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

Posted by Tom Browder <to...@gmail.com>.
On Wed, Feb 19, 2014 at 8:39 PM, William A. Rowe Jr. <wm...@gmail.com> wrote:
> I've noticed that openssl default builds do not necessarily add -lz to the
> lib/pkgconfig/openssl.pc when they might be needed.  In any case I'm going
> to guess you perhaps hadn't installed the zlib1g-dev package?

No, it's installed.

-Tom

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

Posted by "William A. Rowe Jr." <wm...@gmail.com>.
I've noticed that openssl default builds do not necessarily add -lz to the
lib/pkgconfig/openssl.pc when they might be needed.  In any case I'm going
to guess you perhaps hadn't installed the zlib1g-dev package?


On Wed, Feb 19, 2014 at 7:09 PM, Dr Stephen Henson <
shenson@opensslfoundation.com> wrote:

> On 20/02/2014 00:24, Tom Browder wrote:
> > On Wed, Feb 19, 2014 at 7:09 PM, Dr Stephen Henson
> > <sh...@opensslfoundation.com> wrote:
> > ..
> >>> checking for OpenSSL version >= 0.9.7... OK
> >
> >> Well something is wrong there with it indicating OpenSSL version 0.9.7.
> If you
> >> intend to use the FIPS 2.0 module you must use OpenSSL 1.0.1.
> >
> > That doesn't mean it's using 0.9.7.  As a matter of fact my Debian
> > installed OpenSSL is 1.0.1e, and I'm trying to use 1.0.1.f FIPS.
> >
>
> Oops, sorry my eyesight must be going...
>
> Steve.
> --
> Dr Stephen Henson. OpenSSL Software Foundation, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD 21710
> +1 877-673-6775
> shenson@opensslfoundation.com
>

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

Posted by Dr Stephen Henson <sh...@opensslfoundation.com>.
On 20/02/2014 00:24, Tom Browder wrote:
> On Wed, Feb 19, 2014 at 7:09 PM, Dr Stephen Henson
> <sh...@opensslfoundation.com> wrote:
> ..
>>> checking for OpenSSL version >= 0.9.7... OK
> 
>> Well something is wrong there with it indicating OpenSSL version 0.9.7. If you
>> intend to use the FIPS 2.0 module you must use OpenSSL 1.0.1.
> 
> That doesn't mean it's using 0.9.7.  As a matter of fact my Debian
> installed OpenSSL is 1.0.1e, and I'm trying to use 1.0.1.f FIPS.
> 

Oops, sorry my eyesight must be going...

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson@opensslfoundation.com

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

Posted by "William A. Rowe Jr." <wm...@gmail.com>.
No, it isn't muddying things, this should just work.  So you are building
your own openssl.  Are you certain your build of ssl and build of httpd and
apr are using the same 32 or 64 bit memory model?  That's one obvious
reason where ld will fail.  And the zlib, expat and pcre you resolve to
must also match.  Please also answer the questions about os/rev level etc.


On Wed, Feb 19, 2014 at 6:41 PM, Tom Browder <to...@gmail.com> wrote:

> On Wed, Feb 19, 2014 at 7:37 PM, William A. Rowe Jr. <wm...@gmail.com>
> wrote:
> > Odd, there is something going on here.  I am wondering if this fails to
>
> I'm sorry for muddying the water.
>
> I originally used the option 'zlib' for configuring openssl-fips and
> open ssl.  I'm in the process of rebuilding without the zlib option.
>
> -Tom
>

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

Posted by Tom Browder <to...@gmail.com>.
On Wed, Feb 19, 2014 at 7:37 PM, William A. Rowe Jr. <wm...@gmail.com> wrote:
> Odd, there is something going on here.  I am wondering if this fails to

I'm sorry for muddying the water.

I originally used the option 'zlib' for configuring openssl-fips and
open ssl.  I'm in the process of rebuilding without the zlib option.

-Tom

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

Posted by "William A. Rowe Jr." <wm...@gmail.com>.
Odd, there is something going on here.  I am wondering if this fails to
resolve zlib libraries?  Also don't concern yourself with the 0.9.7 check,
you met it (>=) with 1.0.1.  Somehow, it didn't resolve the ssl library
files initially given

adding "-L/usr/local/ssl/lib" to LDFLAGS
setting LIBS to "-lssl -lcrypto  -lrt -lcrypt  -lpthread -ldl"

so question one, do these resolve.  Question two, why isn't -lz in the
list? That's a packager's defect in your openssl-devel lib/openssl.pc file.

Did you install zlib-devel or the equivalent?

Let me make sure we understand right, you are looking at the httpd-2.4.7
package from the downloads, not an svn or git checkout, correct?

What OS/rev level/distribution are you building under?


On Wed, Feb 19, 2014 at 6:24 PM, Tom Browder <to...@gmail.com> wrote:

> On Wed, Feb 19, 2014 at 7:09 PM, Dr Stephen Henson
> <sh...@opensslfoundation.com> wrote:
> > On 19/02/2014 23:54, Tom Browder wrote:
> >> On Wed, Feb 19, 2014 at 11:21 AM, Tom Browder <to...@gmail.com>
> wrote:
> >>> On Wed, Feb 19, 2014 at 10:53 AM, Dr Stephen Henson
> >>> <sh...@opensslfoundation.com> wrote:
> >>>> On 19/02/2014 15:08, Tom Browder wrote:
> >>>>> I configured httpd-2.4.7 successfully to use mod_ssl:
> >>>>>
> >>>>>   ...
> >>>> That could be user error. The path /usr/local/ssl/fips-2.0 is the
> default
> >>>> install location of the FIPS module which isn't a complete version of
> OpenSSL.
> >>>> It should point to the location the FIPS capable OpenSSL is installed
> instead.
> >>>
> >>> Hm, I thought I tried that but I'll recheck and configure with:
> >>>
> >>>   --with-ssl=/usr/local/ssl
> >>
> >> Bummer!
> >>
> >> When I did that, I get this:
> >>
> >> checking for OpenSSL... checking for user-provided OpenSSL base
> ..
> >> checking for OpenSSL version >= 0.9.7... OK
>
> > Well something is wrong there with it indicating OpenSSL version 0.9.7.
> If you
> > intend to use the FIPS 2.0 module you must use OpenSSL 1.0.1.
>
> That doesn't mean it's using 0.9.7.  As a matter of fact my Debian
> installed OpenSSL is 1.0.1e, and I'm trying to use 1.0.1.f FIPS.
>
> But now I get a failure to build Apache:
>
> /usr/local/ssl/lib/libcrypto.a(c_zlib.o): In function `bio_zlib_free':
> c_zlib.c:(.text+0x4d): undefined reference to `inflateEnd'
> c_zlib.c:(.text+0x69): undefined reference to `deflateEnd'
> /usr/local/ssl/lib/libcrypto.a(c_zlib.o): In function `bio_zlib_ctrl':
> c_zlib.c:(.text+0x24e): undefined reference to `deflate'
> c_zlib.c:(.text+0x338): undefined reference to `zError'
>
> So should I just kiss off Open SSL FIPS and Apache?
>
> -Tom
>