2

Alright -- having a bad couple days here compiling Apache 2.2.21 on CentOS 5.7 with the following configure commands:

./configure --enable-ssl=shared --with-ssl=/usr/local/openssl

I've compiled OpenSSL 1.0.0e from source:

./config --prefix=/usr/local --openssldir=/usr/local/openssl shared zlib-dynamic

I attempt to start Apache and it returns:

httpd: Syntax error on line 54 of /usr/local/apache2/conf/httpd.conf: Cannot load /usr/local/apache2/modules/mod_ssl.so into server: /usr/local/apache2/modules/mod_ssl.so: undefined symbol: SSL_get_servername

If I look at how the libraries are linked, this is what I get:

[root@web1 modules]# ldd mod_ssl.so
    libssl.so.6 => /lib64/libssl.so.6 (0x00002aaaaace4000)
    libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002aaaaaf30000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00002aaaab281000)
    libz.so.1 => /lib64/libz.so.1 (0x00002aaaab486000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00002aaaab69a000)
    libc.so.6 => /lib64/libc.so.6 (0x00002aaaab8b5000)
    libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00002aaaabc0e000)
    libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002aaaabe3c000)
    libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002aaaac0d1000)
    libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002aaaac2d4000)
    /lib64/ld-linux-x86-64.so.2 (0x0000555555554000)
    libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00002aaaac4f9000)
    libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002aaaac702000)
    libresolv.so.2 => /lib64/libresolv.so.2 (0x00002aaaac904000)
    libselinux.so.1 => /lib64/libselinux.so.1 (0x00002aaaacb19000)
    libsepol.so.1 => /lib64/libsepol.so.1 (0x00002aaaacd32000)

Basically, I've tried compiling OpenSSL from source (both 0.9.8r and 1e), having yum reinstall from the repos, done a make clean and remade both OpenSSL and Apache numerous times -- but I can't get it to compile into the apache base or dynamically as a shared object file.

What am I doing wrong here?

Update 1:

After doing a make clean and make distclean, I've reconfigured with the same parameters as above without any effect.

The config.log is at Pastebin.

Update 2:

Modifying the LD_LIBRARY_PATH had no effect on the lib-deps of mod_ssl.so.

UPDATE 3:

I've compiled and recompiled many times, and verified with ldconfig that the OpenSSL libs dir is in my path, and included in ld.so.conf. Still cannot get httpd/mod_ssl to load the library at runtime.

angstwad
  • 1
    Is this still an open question you are interested in? If so, I can provide detailed steps since I did this recently on my CentOS 6.3. I was enabling FIPS on OpenSSL and Apache. – Chida Aug 14 '12 at 08:02
  • 1
    I'm not the OP, but I'm interested - please do post an answer! – Jay Levitt Aug 27 '12 at 17:32

6 Answers

4

When you compiled Apache you should have "--enable-so". I think you must have because the so module is trying to load.

Also after compiling openssl ensure the system can find the shared library with "/sbin/ldconfig -v /usr/local/openssl/lib"

and I also like to edit /etc/ld.so.conf.d/local.conf to add a line for /usr/local/openssl/lib

John
  • That's correct. I've tried with `--enable-so` and without (and then compiling it into httpd). Either way I do it, it will not load the libssl.so.* files no matter where they are when they're in the library path, and everything in between, trying builds of apache from 2.2.19-2.2.21 and openssl.0.9.8.r-1.0.0e. – angstwad Oct 05 '11 at 21:13
  • Fresh install of ScientificLinux 5.5 without openssl-devel.
    openssl 1.0.0e
    ./Configure --prefix=/usr/local/openssl100e linux-elf shared; make install
    cd /usr/local; ln -s openssl100e ssl
    /sbin/ldconfig -v /usr/local/ssl/lib

    Apache 2.2.21:
    --prefix=/usr/local/apache --enable-so --enable-ssl --with-ssl=/usr/local/ssl and others.
    bin/apachectl -M | grep ssl says "ssl_module (shared)"
    Copied a generic server.crt and server.key into the conf directory, uncommented conf/extra/httpd-ssl.conf
    /usr/local/servers/bin/apachectl start worked and nmap shows 80 and 443 open.
    – John Oct 06 '11 at 19:09
  • Had the same problem; it was resolved when doing the "/sbin/ldconfig -v /usr/local/openssl/lib" command. Although I had to use "sudo" and I had not compiled it in "/usr/local/openssl". – Thomas K Jul 16 '14 at 12:54
2

I recall that openssl doesn't make shared libraries by default. I do this:

./Configure --prefix=/usr/local/openssl linux-elf shared

Then you still have to do ldconfig as above. And tell apache where to find ssl libs.

John
  • Correct, and OpenSSL has been compiled this way. Apache will not link the library to the libraries installed from compiling OpenSSL nor through yum and the CentOS repos. – angstwad Oct 06 '11 at 01:40
1

Had the same problem a few minutes ago, so I added:

LDFLAGS=-L/usr/local/ssl/lib

and the parameter for ./configure (Apache) modified from:

--with-ssl=/usr/local/ssl

to

--with-ssl=/usr/local/ssl/lib

and now it's OK.

0

ldd mod_ssl.so libssl.so.6 => /lib64/libssl.so.

would indicate that you're not linking against the openssl in /usr/local. do a "make clean && make distclean" for both your apache/openssl builds, then rebuild/install openssl. ./configure [your options] apache, and check its config.log to make sure that it's linking against the correct openssl lib.

alternatively, please provide the output of your existing config.log

MrTuttle
  • No change with `make clean` and `make distclean`, but I have tried them before. config.log link is above. – angstwad Oct 04 '11 at 19:06
  • export LD_LIBRARY_PATH=/usr/local/openssl/lib:$LD_LIBRARY_PATH, then recheck ldd. – MrTuttle Oct 04 '11 at 20:26
  • basically, it looks like Apache's finding the right libraries at compile-time, but not at run-time. adjusting LD_LIBRARY_PATH will give your openssl libs precedence in the search path. – MrTuttle Oct 04 '11 at 20:45
  • After modifying the LD_LIBRARY_PATH var, the results are the same. – angstwad Oct 05 '11 at 16:59
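
The ldd check discussed in this answer, as an added example that is not part of the original thread: a small shell function that reads ldd output and reports whether libssl and libcrypto resolve under the intended OpenSSL directory. The function name, the `/usr/local/openssl/lib` argument and the second sample are assumptions made for illustration; the first sample is copied from the question.

```shell
#!/bin/sh
# Added example. Reads ldd output on stdin and checks where libssl/libcrypto resolve.
# Real use: ldd /usr/local/apache2/modules/mod_ssl.so | check_ssl_linkage <expected lib dir>
# Exit status: 0 = all under the expected dir, 1 = wrong or missing, 2 = none listed.
check_ssl_linkage() {
    awk -v want="$1" '
        # ldd lines look like: libssl.so.6 => /lib64/libssl.so.6 (0x...)
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            seen++
            if ($3 == "not") {                       # "=> not found"
                printf "MISSING  %s\n", $1; bad++
            } else if (index($3, want "/") != 1) {   # resolved outside the expected dir
                printf "WRONG    %s -> %s (expected under %s)\n", $1, $3, want; bad++
            } else {
                printf "OK       %s -> %s\n", $1, $3
            }
        }
        END {
            # No libssl entry at all may mean OpenSSL was linked statically.
            if (!seen) { print "NONE     no libssl/libcrypto dependency listed"; exit 2 }
            exit (bad ? 1 : 0)
        }'
}

# First lines of the ldd output posted in the question.
sample_from_question() {
    cat <<'EOF'
    libssl.so.6 => /lib64/libssl.so.6 (0x00002aaaaace4000)
    libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002aaaaaf30000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00002aaaab281000)
EOF
}

# Constructed sample: a module that resolves against a build under /usr/local/openssl/lib.
sample_expected() {
    cat <<'EOF'
    libssl.so.1.0.0 => /usr/local/openssl/lib/libssl.so.1.0.0 (0x00007f0000000000)
    libcrypto.so.1.0.0 => /usr/local/openssl/lib/libcrypto.so.1.0.0 (0x00007f0000200000)
EOF
}

# Demo on the question's output; the status is non-zero because both libraries come from /lib64.
sample_from_question | check_ssl_linkage /usr/local/openssl/lib || echo "exit status: $?"
```

`readelf -d mod_ssl.so` shows the NEEDED sonames and any RPATH/RUNPATH recorded at link time. LD_LIBRARY_PATH only changes where a requested soname is searched for, not which soname the module asks for.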
0

It is definitely linking to the wrong OpenSSL install as pointed out previously. You should have /usr/local/ssl/lib in ld.so.conf, but try it with the following Apache configure command:

LDFLAGS=-L/usr/local/ssl/lib \
./configure \
--enable-ssl \
--enable-mods-shared=all \
--with-ssl=/usr/local/ssl

Also, are you sure OpenSSL itself is compiling as intended? Could it be failing to make shared libraries itself and falling back to static but still compiling successfully?

sinping
  • It is compiling the `mod_ssl.so` file in `modules/`. I'm still executing `./configure --with-ssl=the/right/dir`, and configure sees this at configure-time. Once it compiles, and we come to runtime, it doesn't link properly to the library dictated at compile time. – angstwad Oct 05 '11 at 23:56
  • You could try removing openssl-devel from your system and then try again. If you are compiling your own version of SSL, you likely don't need that. As a last resort, you can manually tell mod_ssl.so which library to use with this: http://nixos.org/patchelf.html – sinping Oct 06 '11 at 15:54
0

Check the SELinux logs. You have to tag the binaries with the proper SELinux attribute.

Mircea Vutcovici