I am on Red Hat 5.11. I want to enable SNI with Apache, but I only have Apache/2.2.3 + OpenSSL 0.9.8e-fips-rhel5. I am in a situation very similar to this one: https://access.redhat.com/discussions/1320983

Based on this, https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI, it seems I need to compile OpenSSL and Apache from source. Is it possible to install the new OpenSSL and Apache from RPM packages instead of compiling from source?

If I have to compile them from source, is there a step-by-step guide? (I found a Debian guide: https://www.howtoforge.com/enable-multiple-https-sites-on-one-ip-using-tls-extensions-on-debian-etch) and this: Installing OpenSSL that supports SNI along with previous version of OpenSSL

kenpeter
  • Might be time to do an OS upgrade. – womble Aug 20 '15 at 05:52
  • I have never had experience upgrading Red Hat 5 to 6. Will lots of things break? – kenpeter Aug 20 '15 at 05:56
  • Red Hat provides a way to do an upgrade between major releases, but they do not recommend using it. https://access.redhat.com/solutions/21964 The best thing would be to just install a fresh system and copy the data over. – Gene Aug 20 '15 at 06:02
  • Nightmare for me.... – kenpeter Aug 20 '15 at 06:05
  • RHEL 5 is in [Production 3 phase](https://access.redhat.com/support/policy/updates/errata). You should not be deploying anything new on it, as it will go EOL soon. Migrate to a new RHEL 7 server with a current Apache and OpenSSL version. – Michael Hampton Aug 20 '15 at 06:06
  • @kenpeter, if you think that's a nightmare, just keep in mind it's a bigger nightmare to troubleshoot an unsupported software configuration. When things go wrong, and they will go wrong, you will have a hard time finding help for your shoehorned installation. – Gene Aug 20 '15 at 06:36

1 Answer

There are a lot of people still running RHEL 5 / CentOS 5 for several reasons. Unfortunately RHEL 5 is out of support and additionally there was never a package with OpenSSL >= 1 for RHEL 5.

If you don't have any concerns about using a foreign repo, then you can use the "tuxad repo". It provides a different and easier way to update the OpenSSL of RHEL 5 to the one of RHEL 6 (which is still supported):

  1. Install tuxad repo for RHEL 5: rpm -i http://www.tuxad.de/repo/5/tuxad.rpm
  2. Update packages: yum update

More details can be found here:

www.tuxad.de/blog/archives/2014/11/19/openssl_updatesenhancements_for_rhel__centos_5
www.tuxad.de/blog/archives/2018/07/21/tuxad_rh5_repo_now_with_phpopenssl1

This repo contains several packages which are rebuilt against OpenSSL 1:

  • httpd (also includes other enhancements like ECDH support)
  • postfix
  • dovecot
  • curl
  • lynx
  • mutt
  • vsftpd
  • w3m
  • wget
  • php
  • php from RHEL 6 backported (in separate repo "tuxad-php")
reichhart
  • Dear God, WHY? Let it fade into the dustbin of history where it belongs. – Michael Hampton Jul 29 '18 at 15:23
  • :-) Well, sometimes there are requirements for this. Right now I was not able to install RHEL 7 on my router - or at least not able to install it RUNNABLE. And right now I still don't understand why an init system requires some bloat like a QR encoding library. ;-) – reichhart Aug 11 '18 at 18:26
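
An added example, not part of the thread: a shell check of whether an httpd/OpenSSL version pair, such as the Apache/2.2.3 + OpenSSL 0.9.8e-fips-rhel5 pair in the question, meets the upstream minimums for SNI. The function names `num_ge` and `sni_status` are made up for this example, and it assumes the version strings reflect upstream code, so vendor backports are not detected.

```shell
#!/bin/sh
# Added example, not from the thread. Thresholds are upstream minimums for SNI:
# httpd >= 2.2.12 and OpenSSL >= 0.9.8f (TLS extensions on by default from 0.9.8j).
# Assumption: version strings reflect upstream code; vendor backports are not detected.

# num_ge A B: succeed when dotted numeric version A >= B.
num_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# sni_status HTTPD_VERSION OPENSSL_VERSION: prints yes | no | needs-tlsext.
sni_status() {
    if ! num_ge "$1" 2.2.12; then echo no; return 0; fi
    v=${2%%-*}          # drop vendor suffix: 0.9.8e-fips-rhel5 -> 0.9.8e
    num=${v%%[a-z]*}    # numeric part: 0.9.8
    patch=${v#"$num"}   # letter release: e (empty if none)
    if num_ge "$num" 0.9.9; then echo yes
    elif ! num_ge "$num" 0.9.8; then echo no
    else
        case $patch in
            ""|[a-e]) echo no ;;            # 0.9.8 .. 0.9.8e: no SNI
            [f-i])    echo needs-tlsext ;;  # only if built with enable-tlsext
            *)        echo yes ;;           # 0.9.8j and later
        esac
    fi
}

# On the host itself:
#   sni_status "$(httpd -v | sed -n 's|^Server version: Apache/\([0-9.]*\).*|\1|p')" \
#              "$(openssl version | awk '{print $2}')"
```

The `openssl` binary may not be the library mod_ssl is linked against, which matters when a second OpenSSL is installed alongside the system one; `ldd` on `mod_ssl.so` shows which libssl is actually loaded.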