mod_ssl Builds Against Uninstalled OpenSSL Version [long post]
on 08.04.2003 22:56:21 by Ken Schweigert
Bottom line up front: How do I find out which openssl library apache and
mod_ssl are building with? Even though I tell it to use 0.9.7a it still
builds against 0.9.6c.
History:
I'm trying to fix a "Cannot store SSL session to DBM file" error I've been
getting since I upgraded to mod_ssl-2.8.14-1.3.27 and I'm thinking it must
be because an old version of OpenSSL is still somewhere on the system.
This is the error I see in error_log when someone makes a secure connection
to the webserver:
[Tue Apr 8 16:13:43 2003] [error] mod_ssl: Cannot store SSL session to DBM file `/usr/local/apache/logs/ssl_scache' (System error follows)
[Tue Apr 8 16:13:43 2003] [error] System: Invalid argument (errno: 22)
Apache reports the version of OpenSSL as 0.9.6c:
[23/Mar/2003 08:32:48 02173] [info] Server: Apache/1.3.27, Interface: mod_ssl/2.8.14, Library: OpenSSL/0.9.6c
My configure statement specifically calls to OpenSSL 0.9.7a:
[root@www apache_1.3.27]# more go-apache2.sh
EAPI_MM="/usr/local" SSL_BASE="/usr/src/APACHE-1.3.27/openssl-0.9.7a" \
../configure --enable-shared=max \
--enable-module=ssl \
--enable-module=access \
....
The output from configure:
[root@www apache_1.3.27]# ./go-apache2.sh
Configuring for Apache, Version 1.3.27
+ using installation path layout: Apache (config.layout)
Creating Makefile
Creating Configuration.apaci in src
Creating Makefile in src
+ configured for Linux platform
+ setting C compiler to gcc
+ setting C pre-processor to gcc -E
+ checking for system header files
+ adding selected modules
o rewrite_module uses ConfigStart/End
+ using -lndbm for DBM support
enabling DBM support for mod_rewrite
o ssl_module uses ConfigStart/End
+ SSL interface: mod_ssl/2.8.14
+ SSL interface build type: DSO
+ SSL interface compatibility: enabled
+ SSL interface experimental code: disabled
+ SSL interface conservative code: disabled
+ SSL interface vendor extensions: disabled
+ SSL interface plugin: Built-in SDBM
+ SSL library path: /usr/src/APACHE-1.3.27/openssl-0.9.7a
+ SSL library version: OpenSSL 0.9.7a Feb 19 2003
+ SSL library type: source tree only (stand-alone)
+ enabling Extended API (EAPI)
using MM library: /usr/local (installed)
+ using system Expat
+ using -ldl for vendor DSO support
+ checking sizeof various data types
+ doing sanity check on compiler and options
Creating Makefile in src/support
Creating Makefile in src/regex
Creating Makefile in src/os/unix
Creating Makefile in src/ap
Creating Makefile in src/main
Creating Makefile in src/modules/standard
Creating Makefile in src/modules/ssl
[root@www apache_1.3.27]#
Everything builds fine except when I try to verify the OpenSSL version
with 'strings' it finds v0.9.6c somewhere on my system:
[root@www ssl]# strings libssl.so |grep OpenSSL
OpenSSL
Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
OpenSSL
OpenSSL
(System and OpenSSL library errors follow)
(OpenSSL library error follows)
OpenSSL
OpenSSL 0.9.6c 21 dec 2001
[root@www ssl]#
I grabbed this while apache was building/making:
gcc -L/usr/src/APACHE-1.3.27/openssl-0.9.7a -shared -o libssl.so mod_ssl.lo ssl_engine_config.lo ssl_engine_compat.lo ssl_engine_ds.lo ssl_engine_dh.lo ssl_engine_init.lo ssl_engine_kernel.lo ssl_engine_rand.lo ssl_engine_io.lo ssl_engine_log.lo ssl_engine_mutex.lo ssl_engine_pphrase.lo ssl_engine_vars.lo ssl_engine_ext.lo ssl_scache.lo ssl_scache_dbm.lo ssl_scache_shmht.lo ssl_scache_shmcb.lo ssl_expr.lo ssl_expr_scan.lo ssl_expr_parse.lo ssl_expr_eval.lo ssl_util.lo ssl_util_ssl.lo ssl_util_sdbm.lo ssl_util_table.lo -lssl -lcrypto -L/usr/lib/gcc-lib/i386-redhat-linux/2.96 -lgcc
If I understand it correctly, the -lssl option to gcc links in libssl.a. If I
do a 'locate' for libssl.a and run strings against those files, they all
show 0.9.7a in them:
[root@www apache_1.3.27]# locate libssl.a
/usr/local/ssl/lib/libssl.a
/usr/src/openssl-0.9.7a/libssl.a
/usr/src/APACHE-1.3.27/openssl-0.9.7a/libssl.a
[root@www apache_1.3.27]# locate libssl.a | awk '{print "strings " $1 "|grep -i openssl"}' | /bin/bash
SSLv2 part of OpenSSL 0.9.7a Feb 19 2003
OpenSSLDie
OPENSSL_cleanse
OpenSSLDie
OpenSSLDie
OPENSSL_cleanse
OPENSSL_cleanse
SSLv3 part of OpenSSL 0.9.7a Feb 19 2003
OPENSSL_cleanse
OPENSSL_cleanse
SSLv2/3 compatibility part of OpenSSL 0.9.7a Feb 19 2003
TLSv1 part of OpenSSL 0.9.7a Feb 19 2003
OPENSSL_cleanse
OpenSSL 0.9.7a Feb 19 2003
OpenSSLDie
OPENSSL_cleanse
OPENSSL_malloc Error
OpenSSLDie
SSLv2 part of OpenSSL 0.9.7a Feb 19 2003
OpenSSLDie
OPENSSL_cleanse
OpenSSLDie
OpenSSLDie
OPENSSL_cleanse
OPENSSL_cleanse
SSLv3 part of OpenSSL 0.9.7a Feb 19 2003
OPENSSL_cleanse
OPENSSL_cleanse
SSLv2/3 compatibility part of OpenSSL 0.9.7a Feb 19 2003
TLSv1 part of OpenSSL 0.9.7a Feb 19 2003
OPENSSL_cleanse
OpenSSL 0.9.7a Feb 19 2003
OpenSSLDie
OPENSSL_cleanse
OPENSSL_malloc Error
OpenSSLDie
SSLv2 part of OpenSSL 0.9.7a Feb 19 2003
OpenSSLDie
OPENSSL_cleanse
OpenSSLDie
OpenSSLDie
OPENSSL_cleanse
OPENSSL_cleanse
SSLv3 part of OpenSSL 0.9.7a Feb 19 2003
OPENSSL_cleanse
OPENSSL_cleanse
SSLv2/3 compatibility part of OpenSSL 0.9.7a Feb 19 2003
TLSv1 part of OpenSSL 0.9.7a Feb 19 2003
OPENSSL_cleanse
OpenSSL 0.9.7a Feb 19 2003
OpenSSLDie
OPENSSL_cleanse
OPENSSL_malloc Error
OpenSSLDie
This feels like I'm overlooking something obvious, but I can't figure out what.
Can anyone help?
--
Ken Schweigert, Network Administrator
Byte Productions, LLC
http://www.byte-productions.com
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
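
The check the post performs by hand with 'strings' and 'locate', written as a reusable audit (an added example, not part of the original post). The function names openssl_versions, audit_openssl and demo are hypothetical, the sample files are constructed stand-ins carrying the two banners quoted above, and the script inspects only embedded version banners, the same evidence 'strings | grep' gives.

```shell
#!/bin/sh
# Added example: report which OpenSSL release banner each file embeds and
# flag any file that does not match the release the build was pointed at.

# Print the distinct OpenSSL release numbers embedded in one file.
# tr turns every non-printable byte into a newline, emulating `strings`.
openssl_versions() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" |
        grep -o -E 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*' |
        sed 's/^OpenSSL //' | sort -u
}

# audit_openssl EXPECTED FILE...
# Prints "OK|MISMATCH|NONE <file> [versions]" per file and returns non-zero
# if any file embeds a release other than EXPECTED.
audit_openssl() {
    expected=$1; shift
    rc=0
    for f in "$@"; do
        found=$(openssl_versions "$f" | tr '\n' ' ')
        found=${found% }
        if [ -z "$found" ]; then
            echo "NONE $f"
        elif [ "$found" = "$expected" ]; then
            echo "OK $f $found"
        else
            echo "MISMATCH $f $found"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample data (not real libraries): two fake binaries holding
# the banners quoted in the post, separated by NUL bytes.
demo() {
    d=$(mktemp -d)
    printf 'ELF\0SSLv3 part of OpenSSL 0.9.7a Feb 19 2003\0OpenSSL 0.9.7a Feb 19 2003\0' > "$d/libssl.a"
    printf 'ELF\0OpenSSL\0OpenSSL 0.9.6c 21 dec 2001\0' > "$d/libssl.so"
    status=0
    audit_openssl 0.9.7a "$d/libssl.a" "$d/libssl.so" || status=$?
    rm -rf "$d"
    return $status
}

demo || echo "at least one file embeds an unexpected OpenSSL release"
```

On a real system the file arguments would be the built mod_ssl libssl.so and every libssl candidate found on disk; the non-zero return makes the check usable as a post-build gate.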