There is a rumor that once Chrome is upgraded to 81, sites using TLS 1.0 or 1.1 will be blocked with a warning. Our server is fine, but some people may be in trouble, so on that premise I will briefly summarize the procedure. There seems to be a way to compile only OpenSSL and mod_ssl from source, but I quickly gave up on it because the OpenSSL version was not new.
Compile Apache and OpenSSL from source. I want to make the migration as easy as possible, so I basically use the Apache config file as is.
Debian 5 (lenny), Apache 2.2.9, OpenSSL 0.9.8

OpenSSL

First, download and compile OpenSSL. This time, select "openssl-1.0.1q.tar.gz". This is easy. https://www.openssl.org/source/old/1.0.1/

./config --prefix=/usr/local/ssl shared zlib
make
make install
Then set the shared library with ldconfig. Add the newly created path to the following file.
After updating the cache file, check with grep.
ldconfig
ldconfig -p | grep -i libssl
    libssl.so.1.0.0 (libc6) => /usr/local/ssl/lib/libssl.so.1.0.0
    libssl.so.0.9.8 (libc6, hwcap: 0x0008000000008000) => /usr/lib/i686/cmov/libssl.so.0.9.8
    libssl.so.0.9.8 (libc6, hwcap: 0x0004000000000000) => /usr/lib/i586/libssl.so.0.9.8
    libssl.so.0.9.8 (libc6, hwcap: 0x0002000000000000) => /usr/lib/i486/libssl.so.0.9.8
    libssl.so.0.9.8 (libc6) => /usr/lib/libssl.so.0.9.8
    libssl.so (libc6) => /usr/local/ssl/lib/libssl.so
    libssl.so (libc6) => /usr/lib/libssl.so
I have two libssl.so, but I didn't care.
Apache

From the following site, download the same version or a slightly newer version and unpack it. This time, "httpd-2.2.10.tar.gz" is used. https://archive.apache.org/dist/httpd/

./configure --enable-so --enable-ssl --with-ssl=/usr/local/ssl/ --with-included-apr --with-included-apr-util --enable-mods-shared="all ssl"
make

An error occurs here:

ssl_engine_init.c:576: error: ‘STACK’ undeclared (first use in this function)
ssl_engine_init.c:576: error: (Each undeclared identifier is reported only once
In the newer OpenSSL, "STACK" has been renamed to "_STACK", so modify the following two files. It is possible that versions after "httpd-2.2.16" already support this.
make
make install

Modify the configuration file. I will list only the additions.

Listen 443
LoadModule log_config_module modules/mod_log_config.so
LoadModule ssl_module modules/mod_ssl.so
# The point is to load mod_ssl here. Changing the path in the package conf does not update OpenSSL.
# Comment out the other LoadModule lines.
# Package configuration files
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf
NameVirtualHost *:80
NameVirtualHost *:443
# Package configuration files
Include /etc/apache2/sites-enabled/
Stop the package Apache and start the source version. You can check it with the following command.
openssl s_client -connect ******.com:443
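
To turn the s_client check above into a pass/fail answer per protocol version, the following script is an added example, not part of the original post. The function names and the two sample excerpts are constructed for illustration; the `-tls1`, `-tls1_1` and `-tls1_2` flags assume an OpenSSL 1.0.1 or later client.

```shell
#!/bin/sh
# Added example: classify what `openssl s_client` reports for the rebuilt server.

# Read s_client output on stdin; print the negotiated protocol, or "none"
# when no session was established. A failed handshake still prints a
# Protocol line, so the Cipher line (0000) is what reveals the failure.
negotiated_protocol() {
    awk '
        /^ *Protocol *:/ { proto = $NF }
        /^ *Cipher *:/   { cipher = $NF }
        END {
            if (proto == "" || cipher == "" || cipher == "0000") print "none"
            else print proto
        }'
}

# Map a protocol name to a verdict for the TLS 1.0/1.1 warning.
verdict() {
    case "$1" in
        TLSv1.2|TLSv1.3) echo ok ;;
        SSLv3|TLSv1|TLSv1.1) echo deprecated ;;
        *) echo failed ;;
    esac
}

# Offer exactly one protocol version (flag such as -tls1_2) to HOST:PORT.
# "none" also results when the local openssl build lacks that flag.
probe() {
    openssl s_client -connect "$1" "$2" </dev/null 2>/dev/null | negotiated_protocol
}

# Constructed s_client excerpts (not captured from a real server).
SAMPLE_OK='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_FAILED='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'

# With a host:port argument, probe each version in turn.
if [ $# -gt 0 ]; then
    for flag in -tls1 -tls1_1 -tls1_2; do
        p=$(probe "$1" "$flag")
        echo "$flag -> $p ($(verdict "$p"))"
    done
fi
```

After the rebuild, the `-tls1_2` line should read `TLSv1.2 (ok)`; a `deprecated` verdict on the other two lines means the server still accepts those older versions as well.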