
The question is raised because the original OpenSSL version doesn't pass the vulnerability scanning, therefore I need to upgrade the openssl package on Apache on CentOS 7 (I am using httpd). I have some observations after spending some time on it:

  1. The default openssl version is OpenSSL 1.0.2k-fips, which is the default openssl version for mod_ssl, which in turn is a dependency of the httpd 2.4.6-97.el7.centos.5 package, so when I yum install httpd, mod_ssl automatically points to that openssl version.

  2. I followed the guideline in https://gist.github.com/fernandoaleman/5459173e24d59b45ae2cfc618e20fe06 , but instead of version 1.1.1 I installed version 3.0.0; the other commands are the same as the guideline mentions. I checked the openssl version after the upgrade by running openssl version and the output is correct, but when I send a request to the server, the response header still displays the original version: Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_wsgi/4.5.18 Python/3.6

  3. This is the output when I run ldd on mod_ssl.so in the /usr/lib64/httpd/modules folder:

        linux-vdso.so.1 =>  (0x00007ffd44ddd000)
        libssl.so.10 => /lib64/libssl.so.10 (0x00007fe07f09c000)
        libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007fe07ec39000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fe07ea1d000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007fe07e819000)
        libc.so.6 => /lib64/libc.so.6 (0x00007fe07e44b000)
        libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007fe07e1fe000)
        libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007fe07df15000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fe07dd11000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007fe07dade000)
        libz.so.1 => /lib64/libz.so.1 (0x00007fe07d8c8000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fe07f545000)
        libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007fe07d6b8000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007fe07d4b4000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fe07d29a000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fe07d073000)
        libpcre.so.1 => /lib64/libpcre.so.1 (0x00007fe07ce11000)

I know that it's a dependency issue: mod_ssl is not pointing to the newly installed OpenSSL 3.0.0. So is there a way to make mod_ssl point to the new OpenSSL version? Or can I install OpenSSL 3.0.0 to the default directory that mod_ssl points to? (I don't want to install httpd manually because I don't want to break the dependencies.) I am a beginner at server stuff; it would be appreciated if you could give me a hand, thanks.

David Cheung
  • Most probably you will have to compile mod_ssl from source after you have installed the new OpenSSL version. If you have mod_ssl installed as a package, it will always point to the default openssl version – Bogdan Stoica May 16 '22 at 17:07
  • I cannot find any source which is suitable for Apache 2 on the Apache Software Foundation site; I only found [link](http://www.modssl.org/), which is only available for Apache 1. Can you send me any reference for building mod_ssl from source? @BogdanStoica, thanks so much – David Cheung May 17 '22 at 04:05

2 Answers


I finally solved this question; it is quite tedious. Below are my steps to solve it:

  1. Back up all related files, which is very useful in later steps. You can first use rpm -ql httpd and rpm -ql mod_ssl to see all the installed file paths and back up accordingly. Of course the main config folder should be considered first (in my case: /etc/httpd); it's better to back up the mod_ssl configs and files as well, because we need to create ssl.conf by ourselves later and it requires the backed-up configs and files. Then uninstall all httpd related files on the server.
  2. Compile openssl from source; I followed the instructions here: Update Openssl to 3.0 on Centos7. The default install folder for openssl is /usr/local/ssl.
  3. Compile Apache HTTPD from source; you can follow the steps Bogdan Stoica mentioned above (very useful info, and I changed the command slightly). Use the following command:
```shell
./configure \
--build=x86_64-redhat-linux-gnu \
--host=x86_64-redhat-linux-gnu \
--disable-dependency-tracking \
--localstatedir=/var \
--sharedstatedir=/var/lib \
--mandir=/usr/share/man \
--infodir=/usr/share/info \
--prefix=/etc/httpd \
--exec-prefix=/usr \
--bindir=/usr/ \
--sbindir=/usr/sbin \
--libdir=/usr/lib64 \
--sysconfdir=/etc/httpd/conf \
--includedir=/usr/include/httpd \
--libexecdir=/usr/lib64/httpd/modules \
--datadir=/usr/share/httpd \
--with-installbuilddir=/usr/lib64/httpd/build \
--enable-mpms-shared=all \
--with-apr=/usr \
--with-apr-util=/usr \
--enable-suexec \
--with-suexec \
--enable-suexec-capabilities \
--with-suexec-caller=apache \
--with-suexec-oot=/var/ \
--without-suexec-logfile \
--with-suexec-syslog \
--with-suexec-bin=/usr/sbin/suexec \
--with-suexec-uidmin=500 \
--with-suexec-gidmin=100 \
--enable-pie --with-pcre \
--enable-mods-shared=all \
--enable-ssl \
--with-ssl=/usr/local \
--enable-proxy \
--enable-cache \
--enable-disk-cache \
--enable-ldap \
--enable-authnz-ldap \
--enable-cgid \
--enable-cgi \
--enable-authn-anon \
--enable-authn-alias \
--disable-imag
```

Note that it is --with-ssl=/usr/local and not --with-ssl=/usr/local/ssl, and the paths of the installed httpd are not exactly the same as the ones from yum install.

  4. Check whether the new HTTPD is installed with httpd -v; if not, please stop here.

  5. Check whether mod_ssl.so is pointing to the new openssl by using ldd /usr/lib64/httpd/modules/mod_ssl.so; here is the output:

        linux-vdso.so.1 =>  (0x00007ffc73775000)
        libssl.so.3 => /usr/local/lib64/libssl.so.3 (0x00007f85b9040000)
        libcrypto.so.3 => /usr/local/lib64/libcrypto.so.3 (0x00007f85b89d4000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f85b87b8000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f85b85b4000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f85b81e6000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f85b9536000)

If there is no change compared with the original mod_ssl.so output, please stop here.

  6. Edit /etc/httpd/httpd.conf: replace it with the backed-up httpd.conf and see which files are missing; some cnp actions are needed in this step (in my case, some files related to /conf.d/*.conf).

Then it's done. So basically the easy way to make mod_ssl point to a different openssl is to compile httpd from source with the specified openssl directory, but you need to be careful about the backup. If you want a better solution, then I think finding a configure command which is exactly the same as yum install's one will help with the consistency issue.

David Cheung
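The whole thread turns on one check: whether mod_ssl.so resolves libssl/libcrypto to the distro copy in /lib64 or to the freshly built copy under the --with-ssl prefix. The following helper is an added example (not code from the question or either answer) that classifies an ldd listing, and also catches the third outcome the thread does not show, a library that the dynamic linker cannot find at all. The sample listings are constructed to mirror the two ldd outputs above.

```shell
# Print "<soname> <path>" for libssl/libcrypto only; an unresolved library
# (ldd prints "=> not found") is reported with the path MISSING.
ssl_libs_from_ldd() {
    printf '%s\n' "$1" | awk '$1 ~ /^lib(ssl|crypto)\.so/ {
        path = ($2 == "=>" && $3 ~ /^\//) ? $3 : "MISSING"
        print $1, path
    }'
}

# Usage: ssl_link_status "<ldd output>" <openssl-prefix>
# Prints one word:
#   custom  - libssl and libcrypto both come from the new prefix (e.g. /usr/local)
#   distro  - at least one still comes from the CentOS copy (/lib64/lib*.so.10)
#   missing - a library is unresolved, or no libssl/libcrypto is linked at all
ssl_link_status() {
    prefix="$2"; verdict=custom; count=0
    while read -r soname path; do
        [ -n "$soname" ] || continue          # skip the empty line of an empty listing
        count=$((count + 1))
        case "$path" in
            MISSING)     verdict=missing; break ;;
            "$prefix"/*) ;;                    # resolved inside the new OpenSSL prefix
            *)           verdict=distro ;;     # anything else: old copy still in use
        esac
    done <<EOF
$(ssl_libs_from_ldd "$1")
EOF
    if [ "$count" -eq 0 ]; then verdict=missing; fi
    echo "$verdict"
}

# Constructed sample inputs, modelled on the two ldd listings in the thread.
LDD_BEFORE='    libssl.so.10 => /lib64/libssl.so.10 (0x00007fe07f09c000)
    libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007fe07ec39000)
    libc.so.6 => /lib64/libc.so.6 (0x00007fe07e44b000)'
LDD_AFTER='    libssl.so.3 => /usr/local/lib64/libssl.so.3 (0x00007f85b9040000)
    libcrypto.so.3 => /usr/local/lib64/libcrypto.so.3 (0x00007f85b89d4000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f85b81e6000)'
LDD_BROKEN='    libssl.so.3 => not found
    libcrypto.so.3 => not found'

# Live use on the server would be:
#   ssl_link_status "$(ldd /usr/lib64/httpd/modules/mod_ssl.so)" /usr/local
```

A "missing" verdict after a rebuild usually means the new prefix's lib64 directory is not known to the dynamic linker yet, so httpd would fail to load mod_ssl even though configure found the headers.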

Assuming you already have apache + mod_ssl + openssl installed from the official CentOS repository, you could do something like this:

For OpenSSL:

        cd /opt/
        wget https://ftp.openssl.org/source/openssl-1.1.1k.tar.gz
        tar zxvf openssl-1.1.1k.tar.gz
        cd /opt/openssl-1.1.1k
        ./config -fpic shared
        make -j4
        make install

For Apache (you could probably use a newer version, I just took the same version as from the official repository):

        cd /opt
        wget https://dlcdn.apache.org/httpd/httpd-2.4.53.tar.gz
        tar zxvf httpd-2.4.53.tar.gz
        cd /opt/httpd-2.4.53
./configure --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/sh--includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --prefix=/etc/httpd --exec-prefix=/usr --bindir=/usr/--sbindir=/usr/sbin --mandir=/usr/share/man --libdir=/usr/lib64 --sysconfdir=/etc/httpd/conf --includedir=/usr/include/httpd --libexecdir=/usr/lib64/httpd/modules --datadir=/usr/share/httpd --enable-layout=Fed--with-installbuilddir=/usr/lib64/httpd/build --enable-mpms-shared=all --with-apr=/usr --with-apr-util=/usr --enable-suexec --with-suexec --enable-suexec-capabilities --with-suexec-caller=apache --with-suexec-oot=/var/--without-suexec-logfile --with-suexec-syslog --with-suexec-bin=/usr/sbin/suexec --with-suexec-uidmin=500 --with-suexec-gidmin=100 --enable-pie --with-pcre --enable-mods-shared=all --enable-ssl --with-ssl --die-distca--enable-proxy --enable-cache --enable-disk-cache --enable-ldap --enable-authnz-ldap --enable-cgid --enable-cgi --enable-authn-anon --enable-authn-alias --disable-imag

        make -j4
        make install

        systemctl restart httpd

Basically it will compile Apache from source, mod_ssl as well, and it will replace the default files with the ones you just compiled.

Tested it on my CentOS 7 Linux box:

[Tue May 17 12:13:19.777713 2022] [mpm_prefork:notice] [pid 3179] AH00163: Apache/2.4.53 (Unix) OpenSSL/1.1.1k configured -- resuming normal operations
Bogdan Stoica
  • Thanks for the help, @BogdanStoica, however, 1) I still got the old version ```OpenSSL 1.0.2k-fips 26 Jan 2017``` when I typed ```openssl version```. Is it supposed to be the new version when I type ```openssl version``` after ```make install``` for the newly compiled openssl? Or will compiling the new httpd look for the newly installed openssl itself? – David Cheung May 18 '22 at 05:18
  • 2) I got Apache 2.4.53 when I checked the httpd version, but I don't know the folder structure for the newly installed httpd from the command ```./configure --build=x ...``` you mentioned above, therefore it's very hard for me to reproduce the server configs from the old settings. It would be great if you could elaborate more about the command: did you try to override the original path (e.g. /etc/httpd/) or ...? It would also be great if you could provide the paths after the installation – David Cheung May 18 '22 at 05:19
  • 3) I saw others use ```--with-ssl``` followed by an openssl path, but I saw your command uses ```with-ssl``` only, so is it going to search for the existing openssl version on CentOS 7 and point to it? This might help me clarify the issue stated in point 1 as well. Thanks so much for your help again; it is frustrating that we cannot use a simple method to make mod_ssl point to the correct openssl version and path. – David Cheung May 18 '22 at 05:19
  • The paths are the default ones used by the httpd package on CentOS. It will overwrite the binary files and everything related to httpd. The path structure is exactly the one from CentOS. And yes, if you follow my instructions, it's enough to say --with-ssl since the default SSL version installed is the newer one. If you install SSL on a different path then you have to use --with-ssl=/path for SSL – Bogdan Stoica May 18 '22 at 08:04
  • The command used to compile httpd is taken from a httpd.spec file, the default one used on centos to create a .rpm package for httpd from sources – Bogdan Stoica May 18 '22 at 08:05
  • If it will override anything for httpd, I need to make sure all the commands you suggested are correct. I saw there might be some issues in the configure command: 1) --program-prefix= --disable-dependency-tracking 2) --enable-layout=Fed--with-installbuilddir=/usr/lib64/httpd/build 3) --die-distca--enable-proxy 4) there are some duplicated arguments. Would you mind helping me clarify these arguments? Providing default settings which are equal to the original ```yum install httpd``` does help me a lot, thanks – David Cheung May 18 '22 at 10:52
  • I'm sorry but I can't help you more than that. I don't have the necessary time to check every configuration command and so on. You can test everything on a Linux virtual server (not the live one). I used the settings above on a test CentOS 7 server. If you need custom or specific configuration, that's on you to figure out – Bogdan Stoica May 18 '22 at 10:54