10

Like every other admin, I'm working through the Logjam fix.

I've upgraded to Apache 2.4.12 and OpenSSL 1.0.2a on my CentOS 6.6 box.

When I start apache, I'm seeing this error message returned:

Invalid command 'SSLOpenSSLConfCmd', perhaps misspelled or defined by a module not included in the server configuration

Here is my apache build info:

Server version: Apache/2.4.12 (Unix)
Server built:   Jun  8 2015 22:04:38
Server's Module Magic Number: 20120211:41
Server loaded:  APR 1.4.5, APR-UTIL 1.3.12
Compiled using: APR 1.4.5, APR-UTIL 1.3.12
Architecture:   64-bit
Server MPM:     worker
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/opt/installs/apache/2_4_12"
 -D SUEXEC_BIN="/opt/installs/apache/2_4_12/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"    

mod_ssl is included in my httpd.conf:

LoadModule ssl_module modules/mod_ssl.so

What am I missing?

ryanlraines
    The weakdh.org/sysadmin site has had (continues to have as of this writing) typos/inaccuracies before: http://serverfault.com/questions/706014/tomcat-solution-on-https-weakdh-org-has-typos – austinian Sep 25 '15 at 10:49

3 Answers

4

The SSLOpenSSLConfCmd is only available in httpd 2.4.8 and later.

However, you may still generate and use your own DH params on earlier versions, as explained well here:

If you are using Apache with LibreSSL, or Apache 2.4.7 and OpenSSL 0.9.8a or later, you can append the DHparams you generated earlier to the end of your certificate file. The documentation for that is here and below:

Custom DH parameters and an EC curve name for ephemeral keys, can also be added to end of the first file configured using SSLCertificateFile. This is supported in version 2.4.7 or later. Such parameters can be generated using the commands openssl dhparam and openssl ecparam. The parameters can be added as-is to the end of the first certificate file. Only the first file can be used for custom parameters, as they are applied independently of the authentication algorithm type.

Just use cat to append the dhparams.pem to your certificate file:

cat dhparams.pem >> cert.pem
Dario Seidl
0

Per Apache doc - The set of available SSLOpenSSLConfCmd commands depends on the OpenSSL version (need) being used for mod_ssl (at least version 1.0.2 is required). For a list of supported command names, see the section Supported configuration file commands in the SSL_CONF_cmd(3) manual page for OpenSSL.

Verify the commands you are using with SSLOpenSSLConfCmd

sebix
chetangb
  • I could not find any reference to the 'SSLOpenSSLConfCmd' command anywhere on openssl.org's documents. – ryanlraines Jun 11 '15 at 02:33
  • you might be using SSLOpenSSLConfCmd command-name command-value in your httpd.conf or your custom conf file (conf.d/*) http://httpd.apache.org/docs/trunk/mod/mod_ssl.html – chetangb Jun 11 '15 at 04:54
0

The SSLOpenSSLConfCmd directive is available in httpd 2.4.8 (which was not released) and later, if using OpenSSL 1.0.2 or later.

Changes with Apache 2.4.8 (not released) ... mod_ssl: Add support for OpenSSL configuration commands by introducing the SSLOpenSSLConfCmd directive. [Stephen Henson, Kaspar Brand] ...

Build APR

# ./configure --host=x86_64-redhat-linux-gnu --build=x86_64-redhat-linux-gnu --prefix=/opt/apr-1.5.2 --with-devrandom=/dev/urandom

Build APR-UTIL

# ./configure --prefix=/opt/apr-util-1.5.4 --with-ldap --with-crypto --with-openssl=/opt/openssl-1.0.2a --with-apr=/opt/apr-1.5.2

Build Apache

# ./configure --prefix=/opt/httpd-2.4.12 --enable-mpms-shared=all --with-pcre --enable-mods-shared=all --enable-ssl --with-ssl=/opt/openssl-1.0.2a --with-apr=/opt/apr-1.5.2 --with-apr-util=/opt/apr-util-1.5.4 --enable-session-crypto
...
configure:
  setting INCLUDES to "-I."
  adding "-I$(top_srcdir)/os/$(OS_DIR)" to INCLUDES
  adding "-I$(top_srcdir)/include" to INCLUDES
  adding "-I/opt/apr-1.5.2/include/apr-1" to INCLUDES
  adding "-I/opt/apr-util-1.5.4/include/apr-1" to INCLUDES
  adding "-I/opt/openssl-1.0.2a/include" to INCLUDES
...

Check mod_ssl.so

# ldd mod_ssl.so | grep ssl
        libssl.so.1.0.0 => /opt/openssl-1.0.2a/lib/libssl.so.1.0.0 (0x00007f6f3c6bd000)
        libcrypto.so.1.0.0 => /opt/openssl-1.0.2a/lib/libcrypto.so.1.0.0 (0x00007f6f3c287000)

# strings mod_ssl.so | grep SSLOpenSSLConfCmd
SSLOpenSSLConfCmd
AH02407: "SSLOpenSSLConfCmd %s %s" failed for %s
AH02556: "SSLOpenSSLConfCmd %s %s" applied to %s

Check apache settings

# ./httpd -v
Server version: Apache/2.4.12 (Unix)
Server built:   Mar 27 2016 16:29:30

# ./httpd -V
Server version: Apache/2.4.12 (Unix)
Server built:   Mar 27 2016 16:29:30
Server's Module Magic Number: 20120211:41
Server loaded:  APR 1.5.2, APR-UTIL 1.5.4
Compiled using: APR 1.5.2, APR-UTIL 1.5.4
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/opt/httpd-2.4.12"
 -D SUEXEC_BIN="/opt/httpd-2.4.12/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

# /opt/httpd-2.4.12/bin/apachectl -t
Syntax OK

Virtual host settings

# conf/extra/httpd-ssl.conf
Listen 443
SSLOpenSSLConfCmd DHParameters /etc/pki/httpd/dhparams_2048.pem
SSLCipherSuite kEECDH+AES128:kEECDH:kEDH:-3DES:kRSA+AES128:kEDH+3DES:DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv2
SSLHonorCipherOrder on
SSLPassPhraseDialog  builtin
SSLSessionCache "shmcb:/opt/httpd-2.4.12/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300
SSLProtocol All -SSLv2 -SSLv3

<VirtualHost _default_:443>

   DocumentRoot "/opt/httpd-2.4.12/htdocs"
   ServerName ssllabs.example.com:443
   ServerAdmin webmaster@example.com
   ErrorLog "/opt/httpd-2.4.12/logs/error_log"
   TransferLog "/opt/httpd-2.4.12/logs/access_log"

   SSLEngine on
   SSLCertificateFile /etc/pki/httpd/server.pem
   SSLCertificateKeyFile /etc/pki/httpd/server.key

   <FilesMatch "\.(cgi|shtml|phtml|php)$">
       SSLOptions +StdEnvVars
   </FilesMatch>
   <Directory "/opt/httpd-2.4.12/cgi-bin">
       SSLOptions +StdEnvVars
   </Directory>

   BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
   CustomLog "/opt/httpd-2.4.12/logs/ssl_request_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

Test result


ALex_hha
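
Added example (not code from any of the posts above): a shell sketch that combines the checks from the answers, namely the version thresholds for SSLOpenSSLConfCmd versus appending DH parameters to the certificate file, the strings check on mod_ssl.so, and a check that the append actually left a DH PARAMETERS block in the certificate file. The function names, the result labels and the default MODSSL and CERT paths are assumptions made for this example.

```shell
#!/bin/sh
# ver_ge A B: succeed when dotted version A >= B. A letter suffix such as the
# "a" in 1.0.2a is ignored.
ver_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*$//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# dh_method HTTPD_VERSION OPENSSL_VERSION (result labels are made up here).
# OPENSSL_VERSION is the library mod_ssl.so was built and linked against
# (see the ldd output above), not whatever "openssl version" on the PATH prints.
dh_method() {
    if ver_ge "$1" 2.4.8 && ver_ge "$2" 1.0.2; then
        echo "SSLOpenSSLConfCmd"
    elif ver_ge "$1" 2.4.7; then
        echo "append-to-SSLCertificateFile"
    else
        echo "unsupported"
    fi
}

# modssl_has_directive FILE: does this mod_ssl.so contain the directive name?
modssl_has_directive() { grep -q 'SSLOpenSSLConfCmd' "$1"; }

# pem_has_dhparams FILE: did "cat dhparams.pem >> cert.pem" take effect?
pem_has_dhparams() { grep -q -- '-----BEGIN DH PARAMETERS-----' "$1"; }

# Live checks; MODSSL and CERT are assumed paths, override them as needed.
MODSSL=${MODSSL:-modules/mod_ssl.so}
CERT=${CERT:-cert.pem}
if [ -f "$MODSSL" ]; then
    modssl_has_directive "$MODSSL" && echo "$MODSSL: directive compiled in" \
        || echo "$MODSSL: built without SSLOpenSSLConfCmd"
fi
if [ -f "$CERT" ]; then
    pem_has_dhparams "$CERT" && echo "$CERT: DH parameters present" \
        || echo "$CERT: no DH parameters block"
fi
```

Run it from the httpd install root, or set MODSSL and CERT, for example: MODSSL=/opt/httpd-2.4.12/modules/mod_ssl.so CERT=/etc/pki/httpd/server.pem sh check.sh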