Is OpenSSL bundled with apache?

mmatsoo · April 19, 2010, 1:24pm

Background:
I’m not a server guy but recently I had to compile a LAMP set-up from source which means I have used a combo of instructions/tutorials and general finger-crossing to get my environment right.

The Linux box was good to go so I downloaded that (at the time) latest sources for apache / php / mysql / OpenSSL and then compiled/installed them. (ie. configure;make;make install…) It’s the OpenSSL part that has me scratching my head. I assumed it was needed to make ssl work with apache but our actual server guy seems to think it’s already bundled and wondered why I downloaded OpenSSL separately. Since then I have looked around online and from what I can tell, you do need OpenSSL - apache’s mod_ssl documentation even says “This module relies on OpenSSL to provide the cryptography engine.” (reading it like that, it seems very obvious)

Finally getting to the point:
Is OpenSSL bundled with apache, or did it used to be? Assuming it’s not, is the right way then to compile apache including this kind of statement telling apache where to find OpenSSL: “–with-ssl=/path_to_openssl_folder/ssl”

Stomme_poes · April 19, 2010, 2:43pm

Looking around myself, it appears to be a separate project, much like mod_perl.

If it’s like that, then I thought you’d tell Apache where OpenSSL was just once, in some config file that Apache would reference.

http://www.modssl.org/docs/2.8/ looks kinda old:

Current Version: mod_ssl 2.8.31 for Apache 1.3.41

I see pages talking about stating paths in a <VirtualHost>, however these pages are as old as the old mod_ssl pages from 2006…

So I guess we only have http://httpd.apache.org/docs/2.0/mod/mod_ssl.html to rely on.

Nowhere does it say it’s bundled… in fact, it seems it was never even considered due to the US being jerks about cryptography… only after it was no longer a felony to send crypto data out was mod_ssl even added to Apache as an official module! (If you wanna have a nice read, read about PGP email encryption and how the writer got around the laws heh)

Looks like you install openssl separately and already have it somewhere before using mod_ssl. I see a lot of commands typed into the shell simply using openssl, but I don’t see any place where you actually link like a var or something to a path.

Question: since you dl’d each particular thingie separately and compiled them by hand… what version of Linux are you using?? I ask because possibly there is a pre-made package for your version, which is great because it avoids Dependency Hell : ) and your programs would know where to look for stuff.

dklynn · April 19, 2010, 10:13pm

In the WinDoze version:

#LoadModule ssl_module modules/mod_ssl.so

You must remove the # and restart Apache for that to be run. Linux versions should be much the same.

Regards,

DK

mmatsoo · April 20, 2010, 6:27am

Thanks for the responses.

The server runs Red Hat (release 4). Originally our server guy gave me some examples for compiling everything manually and that’s what I have done ever since. Not sure if that’s just the way he does it or whether he has some reason to avoid ready-made packages.

Anyway, I think now I’ll go back and suggest that OpenSSL isn’t bundled. We’ll see what happens;)

Thanks again!

Stomme_poes · April 20, 2010, 6:48am

He may have a good reasons somewhere, but most of the time using rpm (redhat package manager) is safer because it knows where to put which files.

So I guess you should also ask him what he’s trying to avoid, because maybe this would go better if you could rpm it.

Jack_Matier · April 20, 2010, 8:04am

Just on my way to bed but saw this…

I couldn’t trust myself enough to securely lock down a server so when I did have one (CentOS 5), I let it keep me up to date with security fixes.

Edit: Didn’t do SSL though so can’t comment on that.