The question is raised because the original openssl version doesn't pass the Vulnerability Scanning, therefore I need to upgrade the openssl package on apache centos 7 and I am using httpd. I have some observations after spending some time
The default openssl version is OpenSSL 1.0.2k-fips, which is the default openssl version for mod_ssl, which in turn is a dependency of httpd 2.4.6-97.el7.centos.5 package, so when I yum install httpd, the mod_ssl is automatically pointing to that openssl version
I follow the guideline in https://gist.github.com/fernandoaleman/5459173e24d59b45ae2cfc618e20fe06 , instead of version 1.1.1, I installed version 3.0.0, other commands are the same as the guideline mentioned, I checked the openssl version after the upgrade by running
openssl version, the output is correct, but when I send request to the server, the response header still displays the original version:Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_wsgi/4.5.18 Python/3.6This is the output when I
ldd mod_ssl.soin/usr/lib64/httpd/modules folder:
linux-vdso.so.1 => (0x00007ffd44ddd000)
libssl.so.10 => /lib64/libssl.so.10 (0x00007fe07f09c000)
libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007fe07ec39000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fe07ea1d000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007fe07e819000)
libc.so.6 => /lib64/libc.so.6 (0x00007fe07e44b000)
libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007fe07e1fe000)
libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007fe07df15000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fe07dd11000)
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007fe07dade000)
libz.so.1 => /lib64/libz.so.1 (0x00007fe07d8c8000)
/lib64/ld-linux-x86-64.so.2 (0x00007fe07f545000)
libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007fe07d6b8000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007fe07d4b4000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fe07d29a000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fe07d073000)
libpcre.so.1 => /lib64/libpcre.so.1 (0x00007fe07ce11000)
I know that it's a dependency issue, the mod_ssl is not pointing to the new installed openssl 3.0.0, so is there a way to make mod_ssl point to the new openssl version? or I can install openssl 3.0.0 to the default directory that mod_ssl is pointing to? (I don't want to install httpd manually because I don't want to break the dependencies ) I am a beginner of server stuff, it is appreciated if you guys can give me a hand, thanks
CodePudding user response:
Assuming you already have apache mod_ssl openssl installed from the official centos repository, you could do something like this:
For OpenSSL:
cd /opt/
wget https://ftp.openssl.org/source/openssl-1.1.1k.tar.gz
tar zxvf openssl-1.1.1k.tar.gz
cd /opt/openssl-1.1.1k
./config -fpic shared
make -j4
make install
For Apache (you could probably use a newer version, I just took the same version as from the official repository):
cd /opt
wget https://dlcdn.apache.org/httpd/httpd-2.4.53.tar.gz
tar zxvf httpd-2.4.53.tar.gz
cd /opt/httpd-2.4.53
./configure --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/sh--includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --prefix=/etc/httpd --exec-prefix=/usr --bindir=/usr/--sbindir=/usr/sbin --mandir=/usr/share/man --libdir=/usr/lib64 --sysconfdir=/etc/httpd/conf --includedir=/usr/include/httpd --libexecdir=/usr/lib64/httpd/modules --datadir=/usr/share/httpd --enable-layout=Fed--with-installbuilddir=/usr/lib64/httpd/build --enable-mpms-shared=all --with-apr=/usr --with-apr-util=/usr --enable-suexec --with-suexec --enable-suexec-capabilities --with-suexec-caller=apache --with-suexec-oot=/var/--without-suexec-logfile --with-suexec-syslog --with-suexec-bin=/usr/sbin/suexec --with-suexec-uidmin=500 --with-suexec-gidmin=100 --enable-pie --with-pcre --enable-mods-shared=all --enable-ssl --with-ssl --die-distca--enable-proxy --enable-cache --enable-disk-cache --enable-ldap --enable-authnz-ldap --enable-cgid --enable-cgi --enable-authn-anon --enable-authn-alias --disable-imag
make -j4
make install
systemctl restart httpd
Basically it will compile Apache from source, mod_ssl as well and it will replace the default files with the ones you just compiled.
Tested it on my centos7 linux box:
[Tue May 17 12:13:19.777713 2022] [mpm_prefork:notice] [pid 3179] AH00163: Apache/2.4.53 (Unix) OpenSSL/1.1.1k configured -- resuming normal operations
CodePudding user response:
I finally solved this question, it is quite tedious, below is my steps to solve this question:
- backup all related file, which is very useful in later step, you can first use
rpm -ql httpd,rpm -ql mod_ssl, to see all the installed file paths and back up accordingly, of course the main config folder should be considered first (in my case:/etc/httpd), it's better to backupmod_sslconfigs and files as well because we need to createssl.confby ourselves later and it requires backuped configs and files. Uninstall all httpd related file on the server. - Compiling openssl from source, I followed the instructions here: Update Openssl to 3.0 on Centos7, the default installed openssl folder is:
/usr/local/ssl - Compiling Apache HTTPD from source, you can follow the steps Bogdan Stoica mentioned above (very useful info and I changed the command slightly), use the following command:
./configure
--build=x86_64-redhat-linux-gnu
--host=x86_64-redhat-linux-gnu
--disable-dependency-tracking
--localstatedir=/var
--sharedstatedir=/var/lib
--mandir=/usr/share/man
--infodir=/usr/share/info
--prefix=/etc/httpd
--exec-prefix=/usr
--bindir=/usr/
--sbindir=/usr/sbin
--libdir=/usr/lib64
--sysconfdir=/etc/httpd/conf
--includedir=/usr/include/httpd
--libexecdir=/usr/lib64/httpd/modules
--datadir=/usr/share/httpd
--with-installbuilddir=/usr/lib64/httpd/build
--enable-mpms-shared=all
--with-apr=/usr
--with-apr-util=/usr
--enable-suexec
--with-suexec
--enable-suexec-capabilities
--with-suexec-caller=apache
--with-suexec-oot=/var/
--without-suexec-logfile
--with-suexec-syslog
--with-suexec-bin=/usr/sbin/suexec
--with-suexec-uidmin=500
--with-suexec-gidmin=100
--enable-pie --with-pcre
--enable-mods-shared=all
--enable-ssl
--with-ssl=/usr/local
--enable-proxy
--enable-cache
--enable-disk-cache
--enable-ldap
--enable-authnz-ldap
--enable-cgid
--enable-cgi
--enable-authn-anon
--enable-authn-alias
--disable-imag
Note that it is --with-ssl=/usr/local but not --with-ssl=/usr/local/ssland the paths of installed httpd is not exactly the same as the ones from yum install
check if new HTTPD is installed by
httpd -v, if not, please stop here.check if mod_ssl.so is pointing to new openssl by using
ldd /usr/lib64/httpd/modules/mod_ssl.so, here is the output:
linux-vdso.so.1 => (0x00007ffc73775000)
libssl.so.3 => /usr/local/lib64/libssl.so.3 (0x00007f85b9040000)
libcrypto.so.3 => /usr/local/lib64/libcrypto.so.3 (0x00007f85b89d4000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f85b87b8000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007f85b85b4000)
libc.so.6 => /lib64/libc.so.6 (0x00007f85b81e6000)
/lib64/ld-linux-x86-64.so.2 (0x00007f85b9536000)
If there is no change compared with the original mod_ssl.so file, please stop here.
- Edit
/etc/httpd/httpd.conf, replaced by the backupedhttpd.conf, and see what files are lacking, some cnp actions are needed in this step (in my case, some files related to /conf.d/*.conf)
then it's done, so basically the easy way to make mod_ssl point to different openssl is to compile httpd from source with specified openssl directory, but need to be careful about the backup, if you want a better solution, then I think finding configure which is exactly the same as yum install's one will benefit to the consistency issue.