Posted to users@httpd.apache.org by Tom Evans <te...@googlemail.com> on 2009/10/02 10:32:13 UTC

Re: [users@httpd] Apache 2.2.13, OpenSSL 0.9.8k, Linux, [error] Unable to initialize TLS servername

On Thu, 2009-10-01 at 13:24 -0500, Rodney Beede wrote:
> So I have a 64-bit Linux system (Oracle Unbreakable 5.4) where I am
> trying to compile Apache 2.2.13 with Openssl 0.9.8k with mod_ssl as a
> shared module.
> I set up my Openssl as follows:
> ./config --prefix=/software/openssl shared enable-tlsext
> make
> make test
> make install
> All went well there.
> Then I built Apache with the following:
> export PATH=/software/openssl/bin:$PATH
> export LD_LIBRARY_PATH=/software/openssl/lib
> openssl version
>      Gives 0.9.8k version as expected
> ./configure --prefix=/software/apache2 --with-included-apr
> --disable-autoindex --disable-imagemap --disable-include
> --disable-negotiation --disable-userdir --with-port=8080
> --with-ssl=/software/openssl --with-ldap
> --enable-mods-shared="auth_digest ldap authnz_ldap authn_file
> authz_user rewrite ssl deflate proxy proxy_ajp proxy_balancer"
> make
> make install
> All goes well.
> 
> I then uncomment httpd-ssl.conf from httpd.conf and add a server.crt
> and server.key to conf/
> I then run /software/apache2/bin/httpd
> The logs/errors file gives the following error message:
>  [error] Unable to initialize TLS servername extension callback
> (incompatible OpenSSL version?)

This is probably because you built apache against one version of OpenSSL
and your dynamic loader is finding a different version.

You're building it against OpenSSL installed in /software/openssl/.
Is /software/openssl/lib in your ld path when you come to run it? What
does ldd say about the shared module and the apache binary?

> 
> 
> In the end I got it to work by recompiling Apache with mod_ssl static
> instead of shared  (./configure --enable-ssl and no "ssl" in the
> enable-mods-shared list).
> 
> My question is has anyone managed to get Apache 2.2.13 with Openssl
> 0.9.8k to work with mod_ssl as a shared module?
> This thread seems to be the only one that really relates to the error
> I'm seeing.  The suggestion of changing the Apache ssl cert directives
> didn't work for me though.
> http://groups.google.com/group/lucky.freebsd.ports/browse_thread/thread/8678679422363783
> 
> I suppose I could try openssl 1.0.0 beta 3 next.  Anyone had success with that?

Until you have apache finding the version of openssl that you built it
against at runtime, you could keep trying different versions of openssl
and it will have the same effect.

Cheers

Tom


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
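
The `ldd` check suggested in the reply above, as an added example that is not part of the original thread: the helper `check_ssl_libs` (a hypothetical name) reads `ldd` output on stdin and flags any `libssl`/`libcrypto` entry that does not resolve under the OpenSSL prefix used at build time. The two sample `ldd` outputs are constructed for illustration, including the `/lib64` vendor path.

```shell
#!/bin/sh
# Added example: confirm the dynamic loader resolves libssl/libcrypto from the
# OpenSSL prefix Apache was built against (--with-ssl=/software/openssl).
# Real use, run from the same environment httpd is started in:
#   ldd /software/apache2/bin/httpd | check_ssl_libs /software/openssl
# and the same for mod_ssl.so under the Apache prefix.

# Exit status: 0 = all under prefix, 1 = mismatch/not found, 2 = no SSL libs listed
check_ssl_libs() {
    awk -v prefix="$1" '
        $1 ~ /^lib(ssl|crypto)\.so/ {
            seen = 1
            # ldd prints "name => /path (0xaddr)" or "name => not found"
            path = ($3 == "not") ? "not found" : $3
            if (index(path, prefix "/") == 1) {
                printf "OK       %s -> %s\n", $1, path
            } else {
                printf "MISMATCH %s -> %s\n", $1, path
                bad = 1
            }
        }
        END { exit (bad ? 1 : (seen ? 0 : 2)) }
    '
}

# Constructed sample: loader finds the libraries under the build prefix.
sample_good() { cat <<'EOF'
	libssl.so.0.9.8 => /software/openssl/lib/libssl.so.0.9.8 (0x00002b0000000000)
	libcrypto.so.0.9.8 => /software/openssl/lib/libcrypto.so.0.9.8 (0x00002b0000200000)
	libc.so.6 => /lib64/libc.so.6 (0x00002b0000400000)
EOF
}

# Constructed sample: loader falls back to a system copy (LD_LIBRARY_PATH unset at run time).
sample_bad() { cat <<'EOF'
	libssl.so.6 => /lib64/libssl.so.6 (0x00002b0000000000)
	libcrypto.so.0.9.8 => not found
	libc.so.6 => /lib64/libc.so.6 (0x00002b0000400000)
EOF
}

sample_good | check_ssl_libs /software/openssl
sample_bad  | check_ssl_libs /software/openssl || echo "loader is not using the build-time OpenSSL"
```
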


Re: [users@httpd] Apache 2.2.13, OpenSSL 0.9.8k, Linux, [error] Unable to initialize TLS servername

Posted by Rodney Beede <ap...@rodneybeede.com>.
On Fri, Oct 2, 2009 at 3:32 AM, Tom Evans <te...@googlemail.com> wrote:
> On Thu, 2009-10-01 at 13:24 -0500, Rodney Beede wrote:
>> So I have a 64-bit Linux system (Oracle Unbreakable 5.4) where I am
>> trying to compile Apache 2.2.13 with Openssl 0.9.8k with mod_ssl as a
>> shared module.
>> I set up my Openssl as follows:
>> ./config --prefix=/software/openssl shared enable-tlsext
>> make
>> make test
>> make install
>> All went well there.
>> Then I built Apache with the following:
>> export PATH=/software/openssl/bin:$PATH
>> export LD_LIBRARY_PATH=/software/openssl/lib
>> openssl version
>>      Gives 0.9.8k version as expected
>> ./configure --prefix=/software/apache2 --with-included-apr
>> --disable-autoindex --disable-imagemap --disable-include
>> --disable-negotiation --disable-userdir --with-port=8080
>> --with-ssl=/software/openssl --with-ldap
>> --enable-mods-shared="auth_digest ldap authnz_ldap authn_file
>> authz_user rewrite ssl deflate proxy proxy_ajp proxy_balancer"
>> make
>> make install
>> All goes well.
>>
>> I then uncomment httpd-ssl.conf from httpd.conf and add a server.crt
>> and server.key to conf/
>> I then run /software/apache2/bin/httpd
>> The logs/errors file gives the following error message:
>>  [error] Unable to initialize TLS servername extension callback
>> (incompatible OpenSSL version?)
>
> This is probably because you built apache against one version of OpenSSL
> and your dynamic loader is finding a different version.
>
> You're building it against OpenSSL installed in /software/openssl/.
> Is /software/openssl/lib in your ld path when you come to run it? What
> does ldd say about the shared module and the apache binary?


I set my PATH to the /software/openssl/bin folder and LD_LIBRARY_PATH
to /software/openssl/lib  before compiling Apache httpd.  ldd concurs
that /software/openssl is being used for both the module and binary.
Is there something else I missed?

I'd consider stripping out the vendor packaged and installed older
version of openssl, but that would break pretty much everything else
in the distro.  The vendor is slow on providing patches which leaves
security vulnerabilities.  Perhaps I'd be better switching to another
distro.


>
>>
>>
>> In the end I got it to work by recompiling Apache with mod_ssl static
>> instead of shared  (./configure --enable-ssl and no "ssl" in the
>> enable-mods-shared list).
>>
>> My question is has anyone managed to get Apache 2.2.13 with Openssl
>> 0.9.8k to work with mod_ssl as a shared module?
>> This thread seems to be the only one that really relates to the error
>> I'm seeing.  The suggestion of changing the Apache ssl cert directives
>> didn't work for me though.
>> http://groups.google.com/group/lucky.freebsd.ports/browse_thread/thread/8678679422363783
>>
>> I suppose I could try openssl 1.0.0 beta 3 next.  Anyone had success with that?
>
> Until you have apache finding the version of openssl that you built it
> against at runtime, you could keep trying different versions of openssl
> and it will have the same effect.
>
> Cheers
>
> Tom
>
>
