Hi.
It's quite often that you face the situation where a customer requires to be certified via a PCI test. One main trouble is currently OpenSSL, with several vulnerabilities found. PCI requires OpenSSL as the vulnerabilities have been addressed in versions 0.9.8o and 1.0.0a.
Using Ubuntu as the server, there is only 0.9.8e available, upgradable to 0.9.8k with precompiled packages. Even worse, several vulnerabilities are found in those OpenSSL versions too; the PCI testing vendor just has not discovered them yet.
All that means there is no Ubuntu server available out of the box with an OpenSSL package level high/secure enough to be validated in the next months.
The latest stable OpenSSL is 1.0.1c at the moment.
The question is how to upgrade it on production systems.
Servers require OpenSSL for securing HTTPS (mod_ssl.so) and PHP (5.3.15).
There are at least 2 possible ways to achieve it.
1. Upgrade the system OpenSSL from source, install it and break package management (sounds insane).
2. Compile the required OpenSSL, Apache (2.4.3) and PHP, and provide packages to the production systems.
I have tried to use this manual here
http://sandilands.info/sgordon/upgra...nssl-on-ubuntu for the SSL upgrade. Yes, it works, but I ran into issues after compiling the Apache and PHP modules:
The first trial (Apache was 2.4.2) ended with random HTTPS sessions breaking with the Apache error: [ssl:info] (70007)The timeout specified has expired: AH01991: SSL input filter read failed.
In the next trial I ran into the following while compiling Apache 2.4.3:
( for dir in /usr/local/src/httpd-2.4.3/include /usr/local/src/httpd-2.4.3/os/unix; do \
ls $dir/*.h ; \
done; \
for dir in /usr/local/src/httpd-2.4.3/srclib/apr/include /usr/include/apr-1.0; do \
ls $dir/ap[ru].h $dir/ap[ru]_*.h 2>/dev/null; \
done; \
) | sort -u > export_files
mawk -f /usr/local/src/httpd-2.4.3/build/make_exports.awk `cat export_files` > exports.c
/usr/local/src/httpd-2.4.3/srclib/apr/libtool --silent --mode=compile gcc -std=gnu99 -g -O2 -pthread -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -I. -I/usr/local/src/httpd-2.4.3/os/unix -I/usr/local/src/httpd-2.4.3/include -I/usr/local/src/httpd-2.4.3/srclib/apr/include -I/usr/include/apr-1.0 -I/usr/local/src/httpd-2.4.3/modules/aaa -I/usr/local/src/httpd-2.4.3/modules/cache -I/usr/local/src/httpd-2.4.3/modules/core -I/usr/local/src/httpd-2.4.3/modules/database -I/usr/local/src/httpd-2.4.3/modules/filters -I/usr/local/src/httpd-2.4.3/modules/ldap -I/usr/local/src/httpd-2.4.3/modules/loggers -I/usr/local/src/httpd-2.4.3/modules/lua -I/usr/local/src/httpd-2.4.3/modules/proxy -I/usr/local/src/httpd-2.4.3/modules/session -I/usr/local/ssl/include -I/usr/local/src/httpd-2.4.3/modules/ssl -I/usr/local/src/httpd-2.4.3/modules/test -I/usr/local/src/httpd-2.4.3/server -I/usr/local/src/httpd-2.4.3/modules/arch/unix -I/usr/local/src/httpd-2.4.3/modules/dav/main -I/usr/local/src/httpd-2.4.3/modules/generators -I/usr/local/src/httpd-2.4.3/modules/mappers -prefer-non-pic -static -c exports.c && touch exports.lo
exports.c:1910: error: redefinition of ‘ap_hack_apr_allocator_create’
exports.c:164: note: previous definition of ‘ap_hack_apr_allocator_create’ was here
exports.c:1911: error: redefinition of ‘ap_hack_apr_allocator_destroy’
exports.c:165: note: previous definition of ‘ap_hack_apr_allocator_destroy’ was here
A long list of exports errors follows.
The compile is run as such:
./configure --prefix=/opt/apache2 --with-apr=/usr/local/src/httpd-2.4.3/srclib/apr --enable-load-all-modules --with-ssl=/usr/local/ssl
My OpenSSL 1.0.1c lives in /usr/local/ssl.
SSL is set in the /etc/environment path as the manual shows; SSL is compiled with the -fPIC option.
openssl version validates correctly.
APR and APR-util sources are under ../httpd/srclib/apr and apr-util.
If I specify --with-apr=/full path to apr sources, I get the complaint above.
If I specify --with-apr-included I get:
/usr/local/ssl/lib/libssl.a(s3_srvr.o): relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/local/ssl/lib/libssl.a: could not read symbols: Bad value
collect2: ld returned 1 exit status
make[4]: *** [mod_ssl.la] Error 1
make[4]: Leaving directory `/usr/local/src/httpd-2.4.3/modules/ssl'
make[3]: *** [shared-build-recursive] Error 1
make[3]: Leaving directory `/usr/local/src/httpd-2.4.3/modules/ssl'
make[2]: *** [shared-build-recursive] Error 1
make[2]: Leaving directory `/usr/local/src/httpd-2.4.3/modules'
make[1]: *** [shared-build-recursive] Error 1
make[1]: Leaving directory `/usr/local/src/httpd-2.4.3'
make: *** [all-recursive] Error 1
root@1004ssl:/usr/local/src/httpd-2.4.3# openssl version
OpenSSL 1.0.1c 10 May 2012
In brief, I am lost at this point.
If somebody understands what is wrong with compiling here, maybe some explanation.
Also, if anybody knows how to properly upgrade OpenSSL on the system level and has experience with it, a description is very welcome.
Additional info:
The system is Ubuntu 10.04 LTS with OpenSSH server, and the build-essential and
build-dep apache2 packages installed.
The Apache source and dependencies are from their repository. All dependencies are in place.
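A version check for the PCI requirement stated at the top of the post, added here as an example and not part of the original post: it parses an `openssl version` banner and tests the version against the fix levels the post names (0.9.8o on the 0.9.8 branch, 1.0.0a otherwise). It assumes OpenSSL's ordering of numeric major.minor.fix components followed by optional patch letters; the older banner in the loop is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check an OpenSSL version
# against the fix levels the post names (0.9.8o on the 0.9.8 branch,
# 1.0.0a on later branches). Assumption: OpenSSL orders numerically on
# major.minor.fix, then by the optional patch letters ("" < a < ... < z < za).

# Turn "1.0.1c" into a fixed-width key that sorts correctly as text,
# e.g. "001.000.001.0081" (letters encoded as l1*27 + l2).
ssl_key() {
    printf '%s\n' "$1" | awk -F. '{
        alpha = "abcdefghijklmnopqrstuvwxyz"
        fix = $3; letter = ""
        if (match(fix, /[a-z]+$/)) {
            letter = substr(fix, RSTART)
            fix = substr(fix, 1, RSTART - 1)
        }
        l1 = length(letter) >= 1 ? index(alpha, substr(letter, 1, 1)) : 0
        l2 = length(letter) >= 2 ? index(alpha, substr(letter, 2, 1)) : 0
        printf "%03d.%03d.%03d.%04d\n", $1, $2, fix, l1 * 27 + l2
    }'
}

# Succeeds (exit 0) when version $1 is the same as or newer than $2.
ssl_version_ge() {
    _a=$(ssl_key "$1"); _b=$(ssl_key "$2")
    [ "$_a" = "$_b" ] ||
        [ "$(printf '%s\n%s\n' "$_a" "$_b" | LC_ALL=C sort | tail -n 1)" = "$_a" ]
}

# Succeeds when the version meets the fixed-in levels named in the post:
# 0.9.8o or later for 0.9.8x, 1.0.0a or later for anything newer.
pci_openssl_ok() {
    case "$1" in
        0.9.8*) ssl_version_ge "$1" 0.9.8o ;;
        *)      ssl_version_ge "$1" 1.0.0a ;;
    esac
}

# Pull the version token out of an "openssl version" banner such as
# "OpenSSL 1.0.1c 10 May 2012" (the banner shown in the post).
ssl_version_from_banner() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# The first banner is from the post; the second is constructed for the stock package.
for banner in "OpenSSL 1.0.1c 10 May 2012" "OpenSSL 0.9.8k 01 Jan 2000"; do
    v=$(ssl_version_from_banner "$banner")
    if pci_openssl_ok "$v"; then echo "$v: meets PCI fix level"; else echo "$v: too old"; fi
done
```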