I don't think it's the right way, but: supporting TLS 1.2 on an old Linux.

Rumor has it that when Chrome is upgraded to 81 it will throw up a warning page for sites that still use TLS 1.0 or 1.1. Our server is fine, but some people may be in trouble!? So I'll briefly summarize what I did, on that premise. There seems to be a way to compile only OpenSSL and mod_ssl from source, but I gave up on that quickly because the system's OpenSSL version was too old.

Rough procedure

Compile Apache and OpenSSL from source. I want to make the migration as easy as possible, so I basically keep using the existing Apache config files as they are.

Server environment

Debian 5 (lenny), Apache 2.2.9, OpenSSL 0.9.8

Procedure

OpenSSL

First, download and compile OpenSSL. This time I picked "openssl-1.0.1q.tar.gz" from https://www.openssl.org/source/old/1.0.1/. This part is easy.

./config --prefix=/usr/local/ssl shared zlib
make
make install

Then register the shared library with ldconfig. Add the newly created library path to the following file.

/etc/ld.so.conf.d/openssl.conf

/usr/local/ssl/lib

After rebuilding the cache, check with grep.

ldconfig
ldconfig -p | grep -i libssl
        libssl.so.1.0.0 (libc6) => /usr/local/ssl/lib/libssl.so.1.0.0
        libssl.so.0.9.8 (libc6, hwcap: 0x0008000000008000) => /usr/lib/i686/cmov/libssl.so.0.9.8
        libssl.so.0.9.8 (libc6, hwcap: 0x0004000000000000) => /usr/lib/i586/libssl.so.0.9.8
        libssl.so.0.9.8 (libc6, hwcap: 0x0002000000000000) => /usr/lib/i486/libssl.so.0.9.8
        libssl.so.0.9.8 (libc6) => /usr/lib/libssl.so.0.9.8
        libssl.so (libc6) => /usr/local/ssl/lib/libssl.so
        libssl.so (libc6) => /usr/lib/libssl.so

There are two libssl.so entries, but I didn't worry about it.
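The two libssl.so entries deserve a closer look: the unversioned libssl.so link name only matters at build time, while at run time what counts is which libssl/libcrypto the source-built mod_ssl actually resolves. The following script is an added example, not from the original post. It parses `ldconfig -p`-style output to list every path a soname resolves to, in cache order, and then, if the module exists, runs `ldd` on it and checks that libssl and libcrypto come from /usr/local/ssl/lib. The ldconfig sample embedded in it is the output shown above; the ldd samples are constructed, and the module path /usr/local/apache2/modules/mod_ssl.so is assumed from the default prefix of a source-built httpd.

```shell
#!/bin/sh
# Added example: check which libssl/libcrypto a binary will actually load.

# Reads "ldconfig -p" style lines on stdin and prints, for the soname given
# as $1, every path it resolves to (one per line, in cache order).
soname_paths() {
    awk -v s="$1" '$1 == s { print $NF }'
}

# Counts how many distinct paths a soname resolves to in the cache listing.
soname_count() {
    soname_paths "$1" | sort -u | wc -l | tr -d ' '
}

# Reads "ldd <file>" style lines on stdin, prints the resolved libssl and
# libcrypto paths, and exits 1 if either does not live under the prefix $1.
libs_under_prefix() {
    awk -v p="$1" '
        /libssl\.so|libcrypto\.so/ {
            path = $3
            if (index(path, p) != 1) bad = 1
            print $1, "=>", path
        }
        END { if (bad) exit 1; exit 0 }'
}

# The ldconfig -p output from the post (hwcap variants shortened to two).
SAMPLE_LDCONFIG='libssl.so.1.0.0 (libc6) => /usr/local/ssl/lib/libssl.so.1.0.0
libssl.so.0.9.8 (libc6, hwcap: 0x0008000000008000) => /usr/lib/i686/cmov/libssl.so.0.9.8
libssl.so.0.9.8 (libc6) => /usr/lib/libssl.so.0.9.8
libssl.so (libc6) => /usr/local/ssl/lib/libssl.so
libssl.so (libc6) => /usr/lib/libssl.so'

# Constructed sample: what ldd of a correctly linked mod_ssl.so should show.
SAMPLE_LDD_GOOD='libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0xb7f00000)
libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0xb7d00000)
libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7b00000)'

# Constructed sample: a mod_ssl that still resolves the Debian 0.9.8 libraries.
SAMPLE_LDD_BAD='libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7f00000)
libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7d00000)'

main() {
    echo "paths for libssl.so in cache order:"
    printf '%s\n' "$SAMPLE_LDCONFIG" | soname_paths libssl.so
    if [ "$(printf '%s\n' "$SAMPLE_LDCONFIG" | soname_count libssl.so)" -gt 1 ]; then
        echo "note: libssl.so has several entries; the runtime check below is decisive"
    fi
    # Assumed module path: the default install prefix of a source-built httpd.
    mod=/usr/local/apache2/modules/mod_ssl.so
    if [ -f "$mod" ]; then
        if ldd "$mod" | libs_under_prefix /usr/local/ssl/lib; then
            echo "ok: $mod uses the source-built OpenSSL"
        else
            echo "WARNING: $mod still uses another OpenSSL"
        fi
    fi
}

main
```

The ldd check is the one that matters: mod_ssl is linked against the soname libssl.so.1.0.0, which only the source build provides, so as long as ldd shows /usr/local/ssl/lib for both libssl and libcrypto, the leftover 0.9.8 entries are harmless.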

Apache

From the following site, download the same version or a slightly newer one and unpack it. This time "httpd-2.2.10.tar.gz" is used. https://archive.apache.org/dist/httpd/

./configure --enable-so --enable-ssl --with-ssl=/usr/local/ssl/ --with-included-apr --with-included-apr-util --enable-mods-shared="all ssl"
make
An error occurs here:
 ssl_engine_init.c:576: error: ‘STACK’ undeclared (first use in this function)
 ssl_engine_init.c:576: error: (Each undeclared identifier is reported only once

In the newer OpenSSL, "STACK" was renamed "_STACK", so edit the following two files accordingly. httpd 2.2.16 or later may already handle this without the edit.

httpd-2.2.10/modules/ssl/ssl_engine_init.c
httpd-2.2.10/modules/ssl/ssl_util_ssl.c

Then compile and install.

make
make install

Configuration file changes. I'll list only the additions.

/usr/local/apache2/conf/httpd.conf

Listen 443

LoadModule log_config_module modules/mod_log_config.so
LoadModule ssl_module modules/mod_ssl.so
# The point is to load mod_ssl here, from the source build. Only changing the
# module path in the package conf does not get you the new OpenSSL.
# Comment out the other LoadModule lines.

# Package configuration files
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf

NameVirtualHost *:80
NameVirtualHost *:443

# Package configuration files
Include /etc/apache2/sites-enabled/

Finally

Stop the package Apache and start the source-built version. You can check it with the following command.

openssl s_client -connect ******.com:443
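A plain s_client connection only shows that a handshake succeeds; what matters for the Chrome 81 change is which protocol versions the rebuilt server now negotiates. The following script is an added example, not from the original post. It probes a host once per version with `openssl s_client -tls1`, `-tls1_1` and `-tls1_2` (flags the 1.0.1 s_client supports) and reports whether each was accepted, reading the negotiated version out of the `SSL-Session` block that s_client prints. The two s_client output samples embedded in it are constructed, and the host name is a placeholder.

```shell
#!/bin/sh
# Added example: probe which TLS versions a server negotiates.

# Reads "openssl s_client" output on stdin and prints the negotiated version
# ("TLSv1.2", "TLSv1", ...); prints nothing if there is no SSL-Session block,
# which is what a refused handshake looks like.
negotiated_protocol() {
    awk -F: '/^ *Protocol *:/ { gsub(/ /, "", $2); print $2; exit }'
}

# Maps an s_client version flag to the protocol name s_client reports.
expected_name() {
    case $1 in
        tls1)   echo TLSv1 ;;
        tls1_1) echo TLSv1.1 ;;
        tls1_2) echo TLSv1.2 ;;
    esac
}

# Probes host:port once per version and prints "<flag> accepted|rejected".
# -servername sends SNI so name-based virtual hosts answer with the right cert.
probe_tls_versions() {
    host=$1; port=${2:-443}
    for v in tls1 tls1_1 tls1_2; do
        got=$(openssl s_client -connect "$host:$port" -servername "$host" "-$v" \
                </dev/null 2>/dev/null | negotiated_protocol)
        if [ "$got" = "$(expected_name "$v")" ]; then
            echo "$v accepted"
        else
            echo "$v rejected"
        fi
    done
}

# Constructed sample: the tail of a successful TLS 1.2 handshake as s_client prints it.
SAMPLE_TLS12='---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 1A2B3C4D
---'

# Constructed sample: a refused handshake, so no SSL-Session block at all.
SAMPLE_FAILED='CONNECTED(00000003)
write:errno=104'

main() {
    # Right after the rebuild you want tls1_2 accepted; once your clients are
    # ready, tls1 and tls1_1 should be rejected too (SSLProtocol in httpd.conf).
    probe_tls_versions "${1:-www.example.com}" "${2:-443}"
}

# Only contacts the network when a host is given on the command line.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as `sh probe.sh yourhost.example 443` against the server after the switch-over; the expected result on the rebuilt server is `tls1_2 accepted`, and once the old protocols are disabled the first two lines should read `rejected`.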
