LinuxQuestions.org > Forums > Linux Forums > Linux - Server
Old 04-01-2010, 11:10 AM   #1
rahmad
Member
 
Registered: Aug 2007
Location: Jordan
Distribution: RHEL, Centos, Debian
Posts: 65

Rep: Reputation: 15
Openssl support for SNI & TLS


Hi

I want to recompile Apache so that it supports SNI, because I need to use SSL name-based virtual hosts:

I referred to the following links:
http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
http://blogs.techrepublic.com.com/opensource/?p=987

I installed the latest version of openssl which is now openssl-1.0.0

I ran the following commands:
./config enable-tlsext --prefix=/usr/local2 --openssldir=/usr/local2/openssl
make
make test
make install


Then, to recompile Apache with the new SNI support, I ran the following:

./configure --enable-so --enable-ssl --enable-rewrite --enable-unique-id --with-ssl=/usr/local2/openssl
make
make install

After that when I start Apache: /usr/local/apache2/bin/apachectl -k start

I get the following error:

SSLStrictSNIVHostCheck failed; OpenSSL is not built with support for TLS extensions and SNI indication. Refer to the documentation, and build a compatible version of OpenSSL.
 
Old 04-02-2010, 04:29 AM   #2
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,975

Rep: Reputation: 1343
Hi,

Quote:
I installed the latest version of openssl which is now openssl-1.0.0

I ran the following commands:
./config enable-tlsext --prefix=/usr/local2 --openssldir=/usr/local2/openssl
I guess it's a typo and you used "--enable-tlsext" and not plain "enable-tlsext".

Also make sure that the httpd binary uses the new openssl libraries:
Code:
ldd /usr/local/apache2/bin/httpd |grep ssl
If everything is ok, then I guess this is because of the newest openssl 1.0 that changes a lot of things in ssl/tls. See the changelog for details.

You could stay with openssl 0.9.8x, as versions newer than 0.9.8k have the option "enable-tlsext" enabled, according to this.

Regards
 
Old 04-02-2010, 08:36 AM   #3
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
Here is a link on this topic I posted a while back on a different forum: http://www.tek-tips.com/viewthread.c...1586943&page=2

As the previous poster suggested, use 0.98k and patch it and then it will work with Apache. The thread referenced above shows the instructions I followed and what I had to change to get it to work.
 
Old 04-04-2010, 04:27 AM   #4
rahmad
Member
 
Registered: Aug 2007
Location: Jordan
Distribution: RHEL, Centos, Debian
Posts: 65

Original Poster
Rep: Reputation: 15
Thanks bathory and noway2.

As Bathory suggested, I ran the command

Code:
ldd /usr/local/apache2/bin/httpd |grep ssl
the output is: libssl.so.6 => /lib/libssl.so.6 (0x00cf9000)

It seems that Apache does not use the newly installed library.

I tried the same steps on openssl version 0.9.8m, but Apache still does not use the newly installed library...

Any ideas?? I guess it has something to do with the option --with-ssl in the Apache configure.

I will check out more what Noway2 sent.
 
Old 04-04-2010, 04:44 AM   #5
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,975

Rep: Reputation: 1343
Hi,

Stop apache, set a new LD_LIBRARY_PATH:
export LD_LIBRARY_PATH=/usr/local2/openssl/lib:$LD_LIBRARY_PATH
and try to start it again, to see if it works.

Regards
 
Old 04-04-2010, 05:52 AM   #6
rahmad
Member
 
Registered: Aug 2007
Location: Jordan
Distribution: RHEL, Centos, Debian
Posts: 65

Original Poster
Rep: Reputation: 15
Hi

The path /usr/local2/openssl/lib does not exist; the new library is under /usr/local2/lib/.

I executed the export command; see below:

Code:
echo $LD_LIBRARY_PATH;
/usr/local3/lib/:/usr/local2/lib:/usr/local2/openssl/lib:
When I start Apache, it gives the same error:
Code:
/usr/local/apache2/bin/apachectl -k start
Syntax error on line 75 of /usr/local/apache2/conf/extra/httpd-ssl.conf:
SSLStrictSNIVHostCheck failed; OpenSSL is not built with support for TLS extensions and SNI indication. Refer to the documentation, and build a compatible version of OpenSSL.
It seems it's not related to the environment variable, and Apache is built without knowing the new library location.
 
Old 04-04-2010, 09:05 AM   #7
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,975

Rep: Reputation: 1343
Hi,

Do you have a libssl.so created? Because reading the INSTALL of openssl, it looks like the shared library is not created by default. For this you need to add "shared" in the ./config options.

Also to configure apache you can use:
Code:
LDFLAGS=-L/usr/local2/lib CPPFLAGS=-I/usr/local2/include ./configure --enable-ssl ...
Don't forget to run "make (dist)clean" before running the ./config scripts again for both openssl and apache.

Regards

Last edited by bathory; 04-04-2010 at 09:18 AM.
 
Old 04-05-2010, 06:28 AM   #8
rahmad
Member
 
Registered: Aug 2007
Location: Jordan
Distribution: RHEL, Centos, Debian
Posts: 65

Original Poster
Rep: Reputation: 15
Hi Bathory

You are right, the shared library did not exist. Now I did the following:

Code:
make clean
./config  --prefix=/usr/local2 --openssldir=/usr/local2/openssl enable-tlsext shared
make
make test
make install
Then the library was created under /usr/local2/lib/.
Then I ran the export command:
Code:
export LD_LIBRARY_PATH=/usr/local2/openssl/lib:$LD_LIBRARY_PATH

To reinstall Apache I did the following:
Code:
make clean 
LDFLAGS=-L/usr/local2/lib CPPFLAGS=-I/usr/local2/include/openssl ./configure --enable-so --enable-ssl --enable-rewrite --enable-unique-id --with-ssl=/usr/local2/openssl
make
make install
Now when I run the ldd command I can see that I am using the new library, as shown here:
Quote:
libssl.so.1.0.0 => /usr/local2/lib/libssl.so.1.0.0 (0x0088b000)
libssl.so.6 => /lib/libssl.so.6 (0x00a72000)
But when I start Apache I get the same error as before:

Quote:
/usr/local/apache2/bin/apachectl -k start
Syntax error on line 75 of /usr/local/apache2/conf/extra/httpd-ssl.conf:
SSLStrictSNIVHostCheck failed; OpenSSL is not built with support for TLS extensions and SNI indication. Refer to the documentation, and build a compatible version of OpenSSL.
Please note I tried the above on openssl 0.9.8m also, but I got the same error...

Any ideas??
 
Old 04-05-2010, 09:15 AM   #9
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,975

Rep: Reputation: 1343
Hi,

You have made a mistake in CPPFLAGS. It's /usr/local2/include and not /usr/local2/include/openssl. The apache header files look in the subdir openssl of the above path to find openssl header files.
Also if you want to use the "--with-ssl" option then you have to use "--with-ssl=/usr/local2" as this is the openssl prefix in your setup.

Regards
 
1 members found this post helpful.
Old 04-05-2010, 09:55 AM   #10
rahmad
Member
 
Registered: Aug 2007
Location: Jordan
Distribution: RHEL, Centos, Debian
Posts: 65

Original Poster
Rep: Reputation: 15
Thumbs up

It's working now.

Thank you Bathory, you are a real guru..

To summarize all the required steps:

1. Install the latest openssl, which at this time is openssl-1.0:
./config --prefix=/usr/local2 --openssldir=/usr/local2/openssl enable-tlsext shared
make
make test
make install

2. Install Apache with the new openssl version:
LDFLAGS=-L/usr/local2/lib CPPFLAGS=-I/usr/local2/include/ ./configure --enable-so --enable-ssl --enable-rewrite --enable-unique-id --with-ssl=/usr/local2/
make
make install

3. Export the OpenSSL library location variable:
export LD_LIBRARY_PATH=/usr/local2/lib:$LD_LIBRARY_PATH

4. Configure and start Apache.

Regards
 
Old 04-05-2010, 10:08 AM   #11
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,975

Rep: Reputation: 1343
Good to see it worked.
Just a note: you might need to add the "export LD_LIBRARY_PATH=..." at the top of the apachectl script, so Apache can find the new libssl.so library when it starts during boot.

Also you can mark the thread as solved.

Cheers
 
Old 04-18-2010, 06:12 AM   #12
rahmad
Member
 
Registered: Aug 2007
Location: Jordan
Distribution: RHEL, Centos, Debian
Posts: 65

Original Poster
Rep: Reputation: 15
Hi

Maybe it is better to add the export command in /etc/profile.

As bathory suggested, Apache can start fine, but when you do (ldd /usr/local/apache2/bin/httpd |grep ssl) you cannot see the new SSL shared library location, because the export is executed in a subshell.
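As an added check (not code from the thread or from any of its posters), here is a small POSIX sh function that reads ldd output and reports whether every libssl/libcrypto resolves from the OpenSSL prefix you built. It flags the mixed link from post #8, where the new libssl.so.1.0.0 and the system libssl.so.6 both appear, which usually means some other dependency still pulls in the old library. The sample ldd lines and the /usr/local2/lib path are constructed from what the thread shows.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks which libssl/libcrypto an
# httpd binary actually resolves, and flags a mixed link like the ldd output
# in post #8 (libssl.so.1.0.0 from /usr/local2/lib next to libssl.so.6 from
# /lib): an old libssl pulled in by another dependency can still be the one
# that ends up loaded at run time.
#
# Usage: ldd /usr/local/apache2/bin/httpd | check_ssl_linkage /usr/local2/lib
# Exit status: 0 = every libssl/libcrypto comes from the expected dir,
#              1 = at least one copy resolves elsewhere (or is "not found"),
#              2 = no libssl/libcrypto in the input at all (no SSL build?)
check_ssl_linkage() {
    expected=$1
    total=0
    wrong=0
    while IFS= read -r line; do
        case "$line" in
            *libssl.so*' => '*|*libcrypto.so*' => '*) ;;
            *) continue ;;
        esac
        total=$((total + 1))
        # ldd prints "soname => resolved-path (address)"; take the third word.
        # For "libssl.so.6 => not found" the third word is "not", which is
        # correctly reported as not being under the expected directory.
        set -- $line
        path=$3
        case "$path" in
            "$expected"/*) ;;
            *) wrong=$((wrong + 1)); echo "WARN: $line" ;;
        esac
    done
    [ "$total" -eq 0 ] && return 2
    [ "$wrong" -eq 0 ]
}

# Constructed sample input 1: the mixed link shown in post #8.
sample_mixed() {
    printf '%s\n' \
        'libssl.so.1.0.0 => /usr/local2/lib/libssl.so.1.0.0 (0x0088b000)' \
        'libssl.so.6 => /lib/libssl.so.6 (0x00a72000)' \
        'libcrypto.so.1.0.0 => /usr/local2/lib/libcrypto.so.1.0.0 (0x00c00000)'
}

# Constructed sample input 2: what a clean build against /usr/local2 looks like.
sample_clean() {
    printf '%s\n' \
        'libssl.so.1.0.0 => /usr/local2/lib/libssl.so.1.0.0 (0x0088b000)' \
        'libcrypto.so.1.0.0 => /usr/local2/lib/libcrypto.so.1.0.0 (0x00c00000)' \
        'libc.so.6 => /lib/libc.so.6 (0x00110000)'
}
```

Run it against the real binary with `ldd /usr/local/apache2/bin/httpd | check_ssl_linkage /usr/local2/lib` in the same shell where LD_LIBRARY_PATH was exported, since ldd reflects the current environment just as post #12 notes.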
 