SeeDk
RHEL: Possible to upgrade OpenSSL version of Apache without recompiling?

This is Apache 2.2.17 and it was compiled into its own directory.
The Openssl version on the server was 1.0.0.
I installed a newer version 1.0.1g.

Configured the new version to be used by the OS. 'openssl version' and 'which openssl' both show the new version.

However, when I try to add the new security from OpenSSL in the httpd.conf I get this error:

SSLProtocol: Illegal protocol 'TLSv1.2'

...showing that it is still not using updated OpenSSL.
Per Red Hat, httpd 2.2.17 should support this:

https://access.redhat.com/solutions/65030
RHEL 6: TLS v1, v1.1, & v1.2 support

You must have at least openssl-1.0.1e-15.el6, httpd-2.2.15-39, and mod_ssl-2.2.15-39 to have support for TLSv1, v1.1, & v1.2.
TLS v1.1 & v1.2 support added to OpenSSL with release of openssl-1.0.1e-15.el6 from RHBA-2013:1585, first shipped in RHEL 6.5.
The ability to specify TLSv1.1 & v1.2 in Apache with SSLProtocol was included in httpd-2.2.15-39, released in RHBA-2014:1386-1.

What needs to be done to do this other than recompiling Apache?
arnold

Run
ldd httpd
As long as you installed version 1.0.1g over the existing OpenSSL, and as long as you did not statically compile the libraries into httpd, it will use the newer version. Your issue is likely related to the OpenSSL.conf settings dealing with transport security layer. Check httpd.conf and DSL.conf to make sure you did not limit the TLS options.
Use ssllabs.com to test the available connections, ciphers, protocols....

When you installed, did you use yum update openssl, or did you download an OpenSSL rpm from some source and install it such that it is now in /usr/local/openssl while the other is in /usr/...?
SeeDk

ASKER

Result of ldd httpd

        linux-gate.so.1 =>  (0x007cc000)
        libldap-2.4.so.2 => /lib/libldap-2.4.so.2 (0x03c16000)
        liblber-2.4.so.2 => /lib/liblber-2.4.so.2 (0x03924000)
        libssl.so.10 => /usr/lib/libssl.so.10 (0x037ce000)
        libcrypto.so.10 => /usr/lib/libcrypto.so.10 (0x03524000)
        libdl.so.2 => /lib/libdl.so.2 (0x00b79000)
        libz.so.1 => /lib/libz.so.1 (0x00bd4000)
        libm.so.6 => /lib/libm.so.6 (0x00b9d000)
        libaprutil-1.so.0 => /usr/local/apache2ssl/lib/libaprutil-1.so.0 (0x001b9000)
        libexpat.so.0 => /usr/local/apache2ssl/lib/libexpat.so.0 (0x00951000)
        libapr-1.so.0 => /usr/local/apache2ssl/lib/libapr-1.so.0 (0x00218000)
        librt.so.1 => /lib/librt.so.1 (0x00bc9000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x00110000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00b80000)
        libc.so.6 => /lib/libc.so.6 (0x009eb000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x00cf5000)
        libssl3.so => /usr/lib/libssl3.so (0x0424f000)
        libsmime3.so => /usr/lib/libsmime3.so (0x04221000)
        libnss3.so => /usr/lib/libnss3.so (0x03adb000)
        libnssutil3.so => /usr/lib/libnssutil3.so (0x03791000)
        libplds4.so => /lib/libplds4.so (0x0378a000)
        libplc4.so => /lib/libplc4.so (0x03782000)
        libnspr4.so => /lib/libnspr4.so (0x041e1000)
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x037af000)
        libgssapi_krb5.so.2 => /lib/libgssapi_krb5.so.2 (0x00140000)
        libkrb5.so.3 => /lib/libkrb5.so.3 (0x036af000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0x008b5000)
        libk5crypto.so.3 => /lib/libk5crypto.so.3 (0x008bb000)
        /lib/ld-linux.so.2 (0x009c9000)
        libfreebl3.so => /lib/libfreebl3.so (0x03a8a000)
        libkrb5support.so.0 => /lib/libkrb5support.so.0 (0x00909000)
        libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x008e4000)
        libselinux.so.1 => /lib/libselinux.so.1 (0x00be9000)


By default I don't think the openssl version installed over the old one, because when I did 'openssl version' after the install the version still showed 1.0.0.
Rather after install I did:
mv /usr/bin/openssl /home/backup/openssltest  (backup files)
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl   (symlink)

This worked to show the new version with 'openssl version'
One option is to use ldconf to have /usr/local/SSL/lib before /usr/lib in ldconf.conf

/etc.....
The point of people choosing to go with RedHat is to maintain the version of installed applications for the purpose of stability.

Your intervention means that you have to make sure to monitor the security related warnings about the external software you install and update/fix the issue.
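The following POSIX shell script is an added example, not code from the thread, from Red Hat or from the Apache project. It shows the check behind the `ldd httpd` suggestion above and behind the remark about library search order: which libssl/libcrypto files a binary actually resolves, whether they come from the distribution directories or from a source build under /usr/local, and which directories the dynamic linker's configuration lists (the file is /etc/ld.so.conf, with /etc/ld.so.conf.d/*.conf included on RHEL, and the cache is rebuilt with ldconfig). The sample ldd lines are taken from the output posted above and trimmed; the paths /usr/local/apache2ssl/bin/httpd and /usr/local/ssl/lib are the ones named in the thread. In that output both libraries resolve to /usr/lib/libssl.so.10 and /usr/lib/libcrypto.so.10, i.e. the system OpenSSL, so replacing the /usr/bin/openssl symlink changed what the shell reports but not what httpd loads.

```shell
#!/bin/sh
# Added example (not from the thread): find out which OpenSSL libraries a binary
# really loads, and where the dynamic linker would look for replacements.

# Constructed sample input: the libssl/libcrypto lines from the ldd output posted
# in the thread plus a few neighbours, trimmed so the parser can run offline.
SAMPLE_LDD='        linux-gate.so.1 =>  (0x007cc000)
        libssl.so.10 => /usr/lib/libssl.so.10 (0x037ce000)
        libcrypto.so.10 => /usr/lib/libcrypto.so.10 (0x03524000)
        libssl3.so => /usr/lib/libssl3.so (0x0424f000)
        libc.so.6 => /lib/libc.so.6 (0x009eb000)'

# openssl_libs: read ldd output on stdin, print "<requested soname> <resolved path>"
# for the OpenSSL libraries only. libssl3.so belongs to NSS (Mozilla), so it is
# deliberately not matched: the pattern needs "libssl.so" or "libcrypto.so".
openssl_libs() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" { print $1, $3 }'
}

# lib_origin: classify a resolved path. "system" means the distribution's library
# directories, "local" means a build under /usr/local (e.g. /usr/local/ssl/lib).
lib_origin() {
    case "$1" in
        /usr/local/*)                            echo local ;;
        /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*) echo system ;;
        *)                                       echo other ;;
    esac
}

# report: takes ldd output as its argument, prints one line per OpenSSL library.
report() {
    printf '%s\n' "$1" | openssl_libs | while read -r soname path; do
        printf '%-16s -> %-32s [%s]\n' "$soname" "$path" "$(lib_origin "$path")"
    done
}

# lib_version: the version banner embedded in a libcrypto file, for example
# "OpenSSL 1.0.1g 7 Apr 2014". Needs binutils' strings; prints nothing otherwise.
lib_version() {
    strings "$1" 2>/dev/null | grep -m1 '^OpenSSL [0-9]'
}

# search_path: directories listed in /etc/ld.so.conf and the files it includes,
# in the order ldconfig reads them. The trusted directories /lib and /usr/lib are
# consulted after these. Note that a directory listed here only takes effect for
# a binary if the library in it carries the SONAME the binary requests (here
# libssl.so.10); compare with: objdump -p /usr/local/ssl/lib/libssl.so* | grep SONAME
search_path() {
    conf=${1:-/etc/ld.so.conf}
    [ -r "$conf" ] || return 0
    while read -r line; do
        case "$line" in
            include*) for f in ${line#include }; do search_path "$f"; done ;;
            ''|'#'*) ;;
            *) echo "$line" ;;
        esac
    done < "$conf"
}

# Demonstration on the constructed sample: both libraries come from the system
# OpenSSL in /usr/lib, so a new openssl *binary* symlinked into /usr/bin changes
# nothing for httpd.
report "$SAMPLE_LDD"

# Live use on a real host (kept as comments so the script runs offline):
# report "$(ldd /usr/local/apache2ssl/bin/httpd)"
# lib_version /usr/lib/libcrypto.so.10
# search_path
```

Run it as-is to see the classification of the posted output; on the affected host, uncomment the three live lines to compare the version banner of the library httpd resolves with the one under /usr/local/ssl/lib.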
SeeDk

ASKER

ldconf: command not found

locate ldconf.conf
no results

I inherited this system the way it is now. Not sure why it was configured like this.
SOLUTION
arnold

ASKER CERTIFIED SOLUTION
SeeDk

ASKER

Yes, thanks, this makes the most sense and is what I am doing. No need to stick with an old OS when it's giving so many issues. I'll set up a new server with the newest RHEL7 and work from there.