Can I upgrade OpenSSL version used by apache without recompiling the server but just mod_ssl?
Solution 1
The mod_ssl.so library is dynamically linked to OpenSSL:
$ ldd mod_ssl.so | egrep 'lib(ssl|crypto)'
libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f23f7209000)
libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f23f6e26000)
As long as your upgrade of OpenSSL does not change the path to the library, all you need to do is upgrade OpenSSL, and then restart Apache so that the new OpenSSL library is loaded. The last time that OpenSSL changed the library paths was in 1.0.0, I believe, so if you are updating from 1.0.0 or later, it should be fine. If you are upgrading from an older version (e.g. 0.9.8), you will need to rebuild mod_ssl after rebuilding OpenSSL.
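One way to check both halves of the point above (which OpenSSL libraries mod_ssl resolves to, and whether a running httpd still maps the pre-upgrade copy because it was not restarted), as an added example that is not part of the original answer. The function names and the sample input are constructed for illustration, and the live-system paths in the final comment are assumptions.

```shell
#!/bin/sh
# Added example: inspect mod_ssl's OpenSSL linkage and spot an httpd that is
# still running the old library after an upgrade.

# Read `ldd mod_ssl.so` output on stdin; print "soname path" for libssl and
# libcrypto. "not found" is reported as MISSING: the soname changed, so
# mod_ssl has to be rebuilt against the new OpenSSL.
linked_openssl() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ {
             if ($0 ~ /not found/) print $1, "MISSING"
             else print $1, $3
         }'
}

# Read the content of /proc/<pid>/maps on stdin; print every libssl/libcrypto
# file the kernel marks "(deleted)". Such a file was replaced on disk by the
# upgrade, but the process keeps executing the old code until it is restarted.
stale_openssl() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /lib(ssl|crypto)\.so/ { print $(NF-1) }' |
        sort -u
}

# Constructed sample input (not captured from a real host).
SAMPLE_LDD='	libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f23f7209000)
	libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f23f6e26000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f23f6a00000)'
SAMPLE_MAPS='7f23f7209000-7f23f726b000 r-xp 00000000 fd:00 1311 /usr/lib64/libssl.so.1.0.1e (deleted)
7f23f6e26000-7f23f6fdb000 r-xp 00000000 fd:00 1312 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f23f6a00000-7f23f6bb6000 r-xp 00000000 fd:00 1200 /lib64/libc.so.6'

printf '%s\n' "$SAMPLE_LDD"  | linked_openssl
printf '%s\n' "$SAMPLE_MAPS" | stale_openssl

# On a live system (paths are assumptions; reading another user's maps file
# needs root):
#   ldd /path/to/modules/mod_ssl.so | linked_openssl
#   for p in $(pgrep httpd); do stale_openssl < "/proc/$p/maps"; done
```

Any path printed by `stale_openssl` means that httpd process has not picked up the upgraded library yet.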
Solution 2
I strongly suggest upgrading your distribution; both Apache 2.2 and OpenSSL 0.9 are VERY, VERY, VERY old and hardly supported any longer.
If that is not an option, you will need to install dev headers for your installed OpenSSL version and recompile mod_ssl against them. That is, if you are using Gentoo or other "do it yourself" kind of distro.
Else, just man up and upgrade. It is LONG overdue in your case.
user3019105
Updated on September 18, 2022
Comments
-
user3019105 almost 2 years
I have an Apache server on a Unix machine:
Apache/2.2.29 (Unix) OpenSSL/0.9.8zg
I would like to upgrade the OpenSSL version to 1.0.2, which is the version currently installed on my system:
machine:/ user$ openssl version
OpenSSL 1.0.2d 9 Jul 2015
Can I do that without recompiling the whole server? Do I have to recompile mod_ssl only as it is loaded inside httpd.conf with LoadModule?
LoadModule ssl_module modules/mod_ssl.so
How can I do that?
-
sam_pan_mariusz almost 9 years
Years ago, I tried to upgrade libssl from 0.9.7 to 0.9.8 IIRC. The filename has changed, so I symlinked it to the old one. This, however, failed completely, probably due to an API change. I can't tell if there's such a change after 1.0.0, but if the OP upgrades OpenSSL to improve security, I'd recommend upgrading httpd to 2.4 anyway, as there are important security enhancements - search for Logjam and Diffie-Hellman Groups with Apache 2.2. To have it fixed in 2.2, patching is needed (and so recompilation).