I have a working OpenSSL RSA engine (i.e. a `.so` file) and an Apache server configured in SSL mode.

How can I make Apache use the RSA implementation from my RSA engine? In other words: where do I put the engine (`.so` file), how do I modify the `openssl.cnf` file and how do I build Apache?

- [Custom OpenSSL engine when running within Apache via mod_ssl](http://unix.stackexchange.com/q/180343) on the Unix & Linux Stack Exchange and [Integrating Apache with PKCS#11 device via engine_pkcs11 and OpenSSL](http://serverfault.com/q/711580) on Server Fault. – jww Apr 14 '16 at 17:03
- Hi jww, I have already read the first link you provided, but I do not know how to modify the `openssl.cnf` file. Do you think [this](https://www.openssl.org/docs/manmaster/apps/config.html) would be a good start? – Dani Grosu Apr 14 '16 at 17:14
- @jww I modified the `openssl.cnf` file and I added my engine as stated in the link that I had provided in the previous comment. [Apache documentation](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcryptodevice) says "To discover which engine names are supported, run the command "openssl engine" ", but my engine id doesn't appear in the list. How can I fix this? – Dani Grosu Apr 16 '16 at 20:22
2 Answers
For a start I don't fully understand your question. I presume you mean you've a version of OpenSSL installed on your system that Apache is using and you want to use a different (presumably later version) that you've also downloaded and installed?
It really depends which platform (Windows or Linux), how you installed Apache (pre-installed on system, through a package manager like yum or apt-get, or manually installed from source).
Prebuilt packages like those in Windows installs and package managers tend to use the system default SSL library and aren't the easiest to change (though I'm not familiar enough with them all to be honest).
So the easiest way to do this is to install Apache from source code rather than from a prebuilt package.
You normally need to set this at compile time, after downloading the source, using the `--with-ssl` option to `configure` before using `make` to build your code:

    ./configure --with-ssl=/usr/local/ssl --enable-ssl --enable-so
If you've not installed from source before then this can be a bit intimidating. I've given detailed instructions on a blog post here on HTTP2 on how to download and install the latest OpenSSL and Apache from source on linux: https://www.tunetheweb.com/performance/http2/ but there may be better options on your specific platform.

- I don't think I understand very well. So when I try to install Apache I should use what you stated in the above answer? – Dani Grosu Apr 14 '16 at 15:29
- I don't want to use a different OpenSSL version. I just want to integrate an [OpenSSL engine](https://www.openssl.org/docs/manmaster/crypto/engine.html) in order to use a different implementation of the RSA algorithm – Dani Grosu Apr 14 '16 at 16:51
- In Linux, the OpenSSL engine is a `.so` file and it can be used, for example, like this: `$ openssl speed rsa -engine pwd/my_engine.so`. Basically I need to know how to integrate this `.so` file with Apache in order to use my own RSA implementation. I understand that I need to build Apache from its source files, but I do not know what to do next. – Dani Grosu Apr 14 '16 at 17:07
- I would say follow jww's link to create a custom build using a conf file, then build Apache with that custom build as per my answer. – Barry Pollard Apr 15 '16 at 18:18
- So, I have to modify the `openssl.cnf` file in order to mention the RSA engine and then I have to build Apache with the options provided by you. The problem is I don't really know how to modify the `openssl.cnf` file and secondly I do not have a `/usr/local/ssl` path, but instead I have `/etc/ssl` and `/usr/lib/ssl`. Which should I use? – Dani Grosu Apr 16 '16 at 11:32
- I think I figured out how to edit the OpenSSL configuration file. [This link helped me](https://www.openssl.org/docs/manmaster/apps/config.html). One more question: do I need to recompile Apache every time I change the `openssl.cnf` file? – Dani Grosu Apr 16 '16 at 13:34
- Not sure to be honest, but would guess so. Best thing would be to try it and see! – Barry Pollard Apr 16 '16 at 14:55
Steps that worked for me:

1. Install OpenSSL from sources, specifying `-DOPENSSL_LOAD_CONF` when running `./config`.

1.1. Create/build your OpenSSL engine and add it to your `openssl.cnf` file.

2. Install httpd from sources, using these commands:

    CFLAGS='-DSSL_EXPERIMENTAL_ENGINE -DSSL_ENGINE -DOPENSSL_LOAD_CONF' ./configure --enable-ssl --with-ssl=/usr/local/ssl --with-pcre=/usr/local/pcre --enable-so
    make
    make install

2.1. Edit `httpd-ssl.conf` by adding `SSLCryptoDevice engine_id`, and make sure that when you execute `$ openssl engine`, the `engine_id` specifier appears on the list. Also, you have to create a self-signed certificate and private key and modify the `httpd.conf` file, but this is not the subject of this question. Search: how to configure HTTPS on Apache.

3. `$ httpd -k restart`, and that is all.

EDIT

The location of the `.so` file (OpenSSL ENGINE) must be specified in `openssl.cnf`.

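The two answers above (build httpd against a chosen OpenSSL, then register the engine in `openssl.cnf` and name it with `SSLCryptoDevice`) leave out the one piece the asker kept asking about: what the `openssl.cnf` engine section actually looks like, and how to confirm the engine is picked up before touching httpd. The script below is an added example and is not code from the original post, from Apache or from OpenSSL. It assumes hypothetical names: an engine whose exported id is `my_rsa`, a library at `/usr/local/lib/engines/my_rsa.so`, and an OpenSSL install under `/usr/local/ssl`. It generates a config in the layout documented in config(5) (a `dynamic_path` entry that makes the config loader pull the `.so` in through the `dynamic` engine), and checks an `openssl engine` listing for the engine id; the listing used here is constructed so the check runs offline.

```shell
#!/bin/sh
# Added example, not from the original post, Apache or OpenSSL.
# Assumed (hypothetical) names: engine id "my_rsa", engine library
# /usr/local/lib/engines/my_rsa.so, OpenSSL prefix /usr/local/ssl.

# Print an openssl.cnf that makes the OpenSSL config loader pull in a
# dynamic ENGINE from a .so file (config(5) engine-section layout).
#   $1 = engine id exported by the .so, $2 = absolute path to the .so
make_engine_cnf() {
    cat <<EOF
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
$1 = ${1}_section

[${1}_section]
engine_id = $1
dynamic_path = $2
default_algorithms = RSA
init = 1
EOF
}

# Return 0 if engine id $1 appears in an "openssl engine" listing ($2).
# Each listing line starts with the id in parentheses: "(my_rsa) My RSA".
engine_listed() {
    printf '%s\n' "$2" | grep -q "^($1) "
}

# Constructed sample of what "openssl engine" prints once the config is
# picked up; used here so the check can run without a real engine.
sample_engine_list() {
    printf '%s\n' \
        "(rdrand) Intel RDRAND engine" \
        "(dynamic) Dynamic engine loading support" \
        "(my_rsa) My RSA engine"
}

# Demonstration against the constructed listing. On a real host, write the
# config out, point OPENSSL_CONF at it, and run the real listing instead:
#   make_engine_cnf my_rsa /usr/local/lib/engines/my_rsa.so > /tmp/my_rsa.cnf
#   OPENSSL_CONF=/tmp/my_rsa.cnf /usr/local/ssl/bin/openssl engine -c
# Then set "SSLCryptoDevice my_rsa" in httpd-ssl.conf and restart httpd.
make_engine_cnf my_rsa /usr/local/lib/engines/my_rsa.so
if engine_listed my_rsa "$(sample_engine_list)"; then
    echo "engine my_rsa is listed: SSLCryptoDevice my_rsa will resolve"
else
    echo "engine my_rsa missing: check dynamic_path and engine_id" >&2
fi
```

Two checks worth doing before blaming httpd: run the `openssl` binary that belongs to the same install httpd was linked against (`--with-ssl=/usr/local/ssl` means `/usr/local/ssl/bin/openssl`), because each OpenSSL build reads its own default `openssl.cnf` and a distribution `openssl` in `/usr/bin` will not show an engine registered only in `/usr/local/ssl/openssl.cnf`; and keep the engine `.so` owned by root and not writable by the httpd user, since it is loaded into every httpd process that does TLS and runs with that process's privileges.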