LinuxQuestions.org


rahmad 04-01-2010 10:10 AM

Openssl support for SNI & TLS
 
Hi

I want to recompile Apache so that it supports SNI, because I need to use SSL name-based virtual hosts:

I referred to the following links:
http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
http://blogs.techrepublic.com.com/opensource/?p=987

I installed the latest version of openssl which is now openssl-1.0.0

I ran the following commands:
./config enable-tlsext --prefix=/usr/local2 --openssldir=/usr/local2/openssl
make
make test
make install


then to recompile apache with new SNI support I ran the following:

./configure --enable-so --enable-ssl --enable-rewrite --enable-unique-id --with-ssl=/usr/local2/openssl
make
make install

After that when I start Apache: /usr/local/apache2/bin/apachectl -k start

I get the following error:

SSLStrictSNIVHostCheck failed; OpenSSL is not built with support for TLS extensions and SNI indication. Refer to the documentation, and build a compatible version of OpenSSL.

bathory 04-02-2010 03:29 AM

Hi,

Quote:

I installed the latest version of openssl which is now openssl-1.0.0

I ran the following commands:
./config enable-tlsext --prefix=/usr/local2 --openssldir=/usr/local2/openssl
I guess it's a typo and you used "--enable-tlsext" and not plain "enable-tlsext".

Also make sure that the httpd binary uses the new openssl libraries:
Code:

ldd /usr/local/apache2/bin/httpd |grep ssl

If everything is ok, then I guess this is because of the newest openssl 1.0 that changes a lot of things in ssl/tls. See the changelog for details.

You could stay with openssl 0.9.8x, as versions newer than 0.9.8k have the option "enable-tlsext" enabled according to this.

Regards

Noway2 04-02-2010 07:36 AM

Here is a link on this topic I posted a while back on a different forum: http://www.tek-tips.com/viewthread.c...1586943&page=2

As the previous poster suggested, use 0.9.8k and patch it and then it will work with Apache. The thread referenced above shows the instructions I followed and what I had to change to get it to work.

rahmad 04-04-2010 03:27 AM

thanks bathory and noway2.

as Bathory suggested I ran the command

Code:

ldd /usr/local/apache2/bin/httpd |grep ssl

the output is: libssl.so.6 => /lib/libssl.so.6 (0x00cf9000)

seems that Apache does not use the new installed library.

I tried the same steps on openssl version 0.9.8m. but still apache does not use the new installed library...

any ideas?? I guess it has something to do with the option --with-ssl in the apache config.

I will check out more what Noway2 sent.
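An added check, not posted by anyone in this thread: the ldd output above is the key diagnostic, so here is a small POSIX sh function that reads ldd-style output and reports whether every libssl/libcrypto entry resolves under the expected prefix. The prefix /usr/local2/lib and the sample ldd lines are taken from or modelled on this thread; the function name and the libcrypto/libc lines in the sample are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: verify which libssl/libcrypto a binary resolves.
# Usage: ldd /usr/local/apache2/bin/httpd | check_ssl_libs /usr/local2/lib

# Constructed sample, modelled on the ldd output quoted in the thread
# (the extra libcrypto/libc lines are made up for the example).
SAMPLE_LDD_MIXED='	libssl.so.1.0.0 => /usr/local2/lib/libssl.so.1.0.0 (0x0088b000)
	libssl.so.6 => /lib/libssl.so.6 (0x00a72000)
	libcrypto.so.1.0.0 => /usr/local2/lib/libcrypto.so.1.0.0 (0x00110000)
	libc.so.6 => /lib/libc.so.6 (0x00300000)'

# Constructed sample where only the new libraries are used.
SAMPLE_LDD_CLEAN='	libssl.so.1.0.0 => /usr/local2/lib/libssl.so.1.0.0 (0x0088b000)
	libcrypto.so.1.0.0 => /usr/local2/lib/libcrypto.so.1.0.0 (0x00110000)
	libc.so.6 => /lib/libc.so.6 (0x00300000)'

# check_ssl_libs PREFIX  (reads ldd output on stdin)
# Prints one "ok:" or "mismatch:" line per libssl/libcrypto entry.
# Returns 0 only when every such entry lives under PREFIX, otherwise 1.
# A "mismatch" for an old libssl.so.6 means some library httpd (or one of
# its modules) links against still pulls in the system OpenSSL, so the
# build is not using the new library everywhere.
check_ssl_libs() {
    prefix="$1"
    status=0
    while read -r name arrow path rest; do
        # only the OpenSSL libraries are of interest
        case "$name" in
            libssl.so*|libcrypto.so*) ;;
            *) continue ;;
        esac
        case "$path" in
            "$prefix"/*) echo "ok: $name -> $path" ;;
            *) echo "mismatch: $name -> $path"; status=1 ;;
        esac
    done
    return $status
}

# Run against the constructed samples when executed directly.
echo "--- mixed sample ---"
printf '%s\n' "$SAMPLE_LDD_MIXED" | check_ssl_libs /usr/local2/lib
echo "--- clean sample ---"
printf '%s\n' "$SAMPLE_LDD_CLEAN" | check_ssl_libs /usr/local2/lib
```

On a real system, pipe the actual `ldd /usr/local/apache2/bin/httpd` output into the function instead of the samples; a non-zero exit means the old system libssl is still being loaded somewhere.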

bathory 04-04-2010 03:44 AM

Hi,

Stop apache, set a new LD_LIBRARY_PATH:
export LD_LIBRARY_PATH=/usr/local2/openssl/lib:$LD_LIBRARY_PATH
and try to start it again, to see if it works.

Regards

rahmad 04-04-2010 04:52 AM

hi

the path /usr/local2/openssl/lib does not exist. the new library is under /usr/local2/lib/.

I executed the export command see below:

Code:

echo $LD_LIBRARY_PATH;
/usr/local3/lib/:/usr/local2/lib:/usr/local2/openssl/lib:

when I start apache it gives the same error:
Code:

/usr/local/apache2/bin/apachectl -k start
Syntax error on line 75 of /usr/local/apache2/conf/extra/httpd-ssl.conf:
SSLStrictSNIVHostCheck failed; OpenSSL is not built with support for TLS extensions and SNI indication. Refer to the documentation, and build a compatible version of OpenSSL.

it seems it's not related to the env variable and Apache is built without knowing the new library location.

bathory 04-04-2010 08:05 AM

Hi,

Do you have a libssl.so created? Because reading the INSTALL of openssl, it looks like the shared library is not created by default. For this you need to add "shared" in the ./config options.

Also to configure apache you can use:
Code:

LDFLAGS=-L/usr/local2/lib CPPFLAGS=-I/usr/local2/include ./configure --enable-ssl ...

Don't forget to run "make (dist)clean" before running the ./config scripts again for both openssl and apache.

Regards

rahmad 04-05-2010 05:28 AM

Hi Bathory

you are right, the shared library did not exist. now I did the following:

Code:

make clean
./config  --prefix=/usr/local2 --openssldir=/usr/local2/openssl enable-tlsext shared
make
make test
make install

then the library was created under /usr/local2/lib/
then I ran the export command
Code:

export LD_LIBRARY_PATH=/usr/local2/openssl/lib:$LD_LIBRARY_PATH

to re install apache I did the following
Code:

make clean
LDFLAGS=-L/usr/local2/lib CPPFLAGS=-I/usr/local2/include/openssl ./configure --enable-so --enable-ssl --enable-rewrite --enable-unique-id --with-ssl=/usr/local2/openssl
make
make install

now when I run ldd command I can see that I am using the new library as this:
Quote:

libssl.so.1.0.0 => /usr/local2/lib/libssl.so.1.0.0 (0x0088b000)
libssl.so.6 => /lib/libssl.so.6 (0x00a72000)

but when I start apache I get the same error as before

Quote:

/usr/local/apache2/bin/apachectl -k start
Syntax error on line 75 of /usr/local/apache2/conf/extra/httpd-ssl.conf:
SSLStrictSNIVHostCheck failed; OpenSSL is not built with support for TLS extensions and SNI indication. Refer to the documentation, and build a compatible version of OpenSSL.

Please note I tried the above on openssl 0.9.8m also but I got the same error...

any ideas??

bathory 04-05-2010 08:15 AM

Hi,

You have made a mistake in CPPFLAGS. It's /usr/local2/include and not /usr/local2/include/openssl. The apache header files look in the subdir openssl of the above path to find openssl header files.
Also if you want to use the "--with-ssl" option then you have to use "--with-ssl=/usr/local2" as this is the openssl prefix in your setup.

Regards

rahmad 04-05-2010 08:55 AM

it's working now :)

Thank you Bathory, you are a real guru.

to summarize all the required steps:

1. Install the latest openssl, which at this time is openssl-1.0:
./config --prefix=/usr/local2 --openssldir=/usr/local2/openssl enable-tlsext shared
make
make test
make install

2. Install Apache with the new openssl version:
LDFLAGS=-L/usr/local2/lib CPPFLAGS=-I/usr/local2/include/ ./configure --enable-so --enable-ssl --enable-rewrite --enable-unique-id --with-ssl=/usr/local2/
make
make install

3. export openssl library location variable:
export LD_LIBRARY_PATH=/usr/local2/lib:$LD_LIBRARY_PATH

4. configure and start apache

Regards

bathory 04-05-2010 09:08 AM

Good to see it worked.
Just a note: you might need to add the "export LD_LIBRARY_PATH=..." in the top of the apachectl script, so apache can find the new libssl.so library when it starts during boot.

Also you can mark the thread as solved.

Cheers

rahmad 04-18-2010 05:12 AM

Hi

maybe it is better to add the export command in /etc/profile.

as bathory suggested apache can start fine, but when you do (ldd /usr/local/apache2/bin/httpd |grep ssl) you cannot see the new ssl shared library location because the export is executed in a sub-shell.
