There is talk that once Chrome is upgraded to 81 it will warn (or block) when a site is still using TLS 1.0 or 1.1. Our server is fine, but some people may be in trouble, so I will briefly summarize what I did. There seems to be a way to compile only OpenSSL and mod_ssl from source, but I gave up on that quickly because the OpenSSL version available was too old.
Compile Apache and OpenSSL from source. I want to make the migration as easy as possible, so I basically reuse the Apache configuration files as they are.
Environment: Debian 5 (lenny), Apache 2.2.9, OpenSSL 0.9.8
OpenSSL
First, download and compile OpenSSL. This time "openssl-1.0.1q.tar.gz" is used. This part is easy. https://www.openssl.org/source/old/1.0.1/
./config --prefix=/usr/local/ssl shared zlib
make
make install
Then register the new shared library path with ldconfig. Add the newly created library directory to the following file.
/etc/ld.so.conf.d/openssl.conf
/usr/local/ssl/lib
Rebuild the cache and check the result with grep.
ldconfig
ldconfig -p | grep -i libssl
libssl.so.1.0.0 (libc6) => /usr/local/ssl/lib/libssl.so.1.0.0
libssl.so.0.9.8 (libc6, hwcap: 0x0008000000008000) => /usr/lib/i686/cmov/libssl.so.0.9.8
libssl.so.0.9.8 (libc6, hwcap: 0x0004000000000000) => /usr/lib/i586/libssl.so.0.9.8
libssl.so.0.9.8 (libc6, hwcap: 0x0002000000000000) => /usr/lib/i486/libssl.so.0.9.8
libssl.so.0.9.8 (libc6) => /usr/lib/libssl.so.0.9.8
libssl.so (libc6) => /usr/local/ssl/lib/libssl.so
libssl.so (libc6) => /usr/lib/libssl.so
I have two libssl.so entries, but I didn't worry about it.
Apache
From the following site, download the same version or a slightly newer one and unpack it. This time "httpd-2.2.10.tar.gz" is used. https://archive.apache.org/dist/httpd/
./configure --enable-so --enable-ssl --with-ssl=/usr/local/ssl/ --with-included-apr --with-included-apr-util --enable-mods-shared="all ssl"
make
This fails with the following error:
ssl_engine_init.c:576: error: ‘STACK’ undeclared (first use in this function)
ssl_engine_init.c:576: error: (Each undeclared identifier is reported only once
In newer OpenSSL, "STACK" was renamed to "_STACK", so edit the following two files accordingly. httpd-2.2.16 and later may already build without this change.
httpd-2.2.10/modules/ssl/ssl_engine_init.c
httpd-2.2.10/modules/ssl/ssl_util_ssl.c
Then compile and install.
make
make install
Edit the configuration file. I will write only the additions.
/usr/local/apache2/conf/httpd.conf
Listen 443
LoadModule log_config_module modules/mod_log_config.so
LoadModule ssl_module modules/mod_ssl.so
※ The point is to load mod_ssl here. Only changing paths in the package's configuration does not replace the OpenSSL that mod_ssl uses.
* Comment out the other LoadModule lines.
# Package configuration files
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf
NameVirtualHost *:80
NameVirtualHost *:443
# Package configuration files
Include /etc/apache2/sites-enabled/
Stop the packaged Apache and start the source-built one. You can verify the result with the following command.
openssl s_client -connect ******.com:443
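As an added example (not part of the original post), the following script checks the two things that can go wrong after this rebuild: that mod_ssl.so is really linked against the new libssl in /usr/local/ssl/lib rather than the old 0.9.8 copy in /usr/lib (the two libssl.so entries seen in ldconfig), and which TLS versions the server negotiates. The host and the mod_ssl path are assumptions; the sample transcripts are constructed for offline use.

```sh
#!/bin/sh
# Added example, not from the original post. HOST:PORT and MOD_SSL are assumptions.
MOD_SSL=/usr/local/apache2/modules/mod_ssl.so

# Read `ldd` output on stdin and print the libssl path it resolves to (or "none").
linked_libssl() {
    awk '/libssl\.so/ && $2 == "=>" { print $3; found = 1 }
         END { if (!found) print "none" }'
}

# Read an `openssl s_client` transcript on stdin and print "<protocol> <cipher>",
# or "handshake-failed" when no cipher was agreed (s_client prints Cipher : 0000).
summarize_sclient() {
    awk '/^ *Protocol *:/ { proto = $3 }
         /^ *Cipher *:/   { cipher = $3 }
         END { if (proto == "" || cipher == "" || cipher == "0000") print "handshake-failed"
               else print proto, cipher }'
}

# Try one protocol version (-tls1, -tls1_1 or -tls1_2) against HOST:PORT.
probe_version() {
    openssl s_client -connect "$1" "$2" </dev/null 2>/dev/null | summarize_sclient
}

# Full check: library linkage first, then one line per TLS version.
check_server() {
    printf 'mod_ssl uses: %s\n' "$(ldd "$MOD_SSL" | linked_libssl)"
    for flag in -tls1 -tls1_1 -tls1_2; do
        printf '%-8s %s\n' "$flag" "$(probe_version "$1" "$flag")"
    done
}

# Constructed sample outputs (not captured from the post's server).
SAMPLE_LDD='    linux-gate.so.1 =>  (0xb77d7000)
    libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0xb7740000)
    libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0xb75e0000)'
SAMPLE_OK='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'
SAMPLE_FAIL='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'
```

Run `check_server your-host.example:443` on the rebuilt machine; a result of "/usr/lib/libssl.so.0.9.8" on the first line means the ldconfig step did not take effect.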