HOWTO: Upgrading OpenSSL

thoroughfare

Verified User
Joined
Aug 11, 2003
Messages
575
Still no luck. I've tried upgrading mod-ssl to the latest version for Apache 1.3.28, and recompiled apache and openSSL, still no luck.

And I'm using service httpd restart.

After doing some Googling, I read somewhere I should try commenting out the IfDefine SSL tags around the SSL configuration options and the LoadModule mod_ssl line, but after doing that I only got:

Can't locate API module structure `ssl_module' and undefined symbol: ssl_module.

Anybody?

Much appreciated,
Matt
 

bvvelzen

Verified User
Joined
Oct 30, 2003
Messages
82
Location
Netherlands
I have exactly the same problem.

When I try to start apache by service httpd start (because it's not running), I get these messages:

/etc/init.d/httpd: line 46: ulimit: open files: cannot modify limit: Invalid argument
/etc/init.d/httpd: line 47: ulimit: open files: cannot modify limit: Invalid argument
/etc/init.d/httpd: line 48: ulimit: open files: cannot modify limit: Invalid argument
/etc/init.d/httpd: line 49: ulimit: open files: cannot modify limit: Invalid argument
Starting httpd: Syntax error on line 34 of /usr/local/directadmin/data/users/cduyzer/httpd.conf:
Invalid command 'SSLEngine', perhaps mis-spelled or defined by a module not included in the server configuration


And I also read that I must add this line:
LoadModule ssl_module /lib/libssl.so.0.9.7a

to /etc/httpd/conf/httpd.conf

but when I then started apache I got these messages:

/etc/init.d/httpd: line 46: ulimit: open files: cannot modify limit: Invalid argument
/etc/init.d/httpd: line 47: ulimit: open files: cannot modify limit: Invalid argument
/etc/init.d/httpd: line 48: ulimit: open files: cannot modify limit: Invalid argument
/etc/init.d/httpd: line 49: ulimit: open files: cannot modify limit: Invalid argument
Starting httpd: Syntax error on line 243 of /etc/httpd/conf/httpd.conf:
Can't locate API module structure `ssl_module' in file /lib/libssl.so.0.9.7a: /usr/sbin/httpd: undefined symbol: ssl_module

I have this openssl version:
OpenSSL 0.9.7a Feb 19 2003

What's wrong?
 

thoroughfare

Verified User
Joined
Aug 11, 2003
Messages
575
I got:

Can't locate API module structure `ssl_module' in file /lib/libssl.so.0.9.7a: /usr/sbin/httpd: undefined symbol: ssl_module

also, but didn't post because I got sick in the end and just started with a clean server again; I've yet to upgrade OpenSSL because of this.

Cheers,
Matt :)
 

synergy

Verified User
Joined
Nov 8, 2003
Messages
48
Location
Australia
I had a similar problem to those here. I followed the note at the beginning of the thread (which I missed the first few times), changing:

Code:
# ./config no-threads shared

to 

# ./config --prefix=/usr no-threads shared
the update of openssl seemed to work fine.
 

MagnuM

Verified User
Joined
Oct 24, 2003
Messages
122
Location
Romania
OK so I have the same problem with this error (when running apachectl configtest):
Invalid command 'SSLEngine', perhaps mis-spelled or defined by a module not included in the server configuration

The point is that I am not so advanced in compiling and installing Linux software.

I try this: locate libssl.so, and I do get
Code:
/usr/lib/apache/libssl.so
/usr/local/directadmin/customapache/apache_1.3.29/src/modules/ssl/libssl.so
/usr/local/ssl/lib/libssl.so.0.9.7
/usr/local/ssl/lib/libssl.so.0
/usr/local/ssl/lib/libssl.so
/usr/src/openssl-0.9.7c/libssl.so.0.9.7
/usr/src/openssl-0.9.7c/libssl.so.0
/usr/src/openssl-0.9.7c/libssl.so
/lib/libssl.so.4
/lib/libssl.so.0.9.7a
/lib/libssl.so.2
So I found that I have an OpenSSL 0.9.7c archive and a directory in /usr/src, but I am not sure that this version is installed, because if I type openssl version I get 0.9.7.a as an answer.

Maybe I need to reinstall OpenSSL and recompile mod_ssl, but I am afraid to break things. About the OpenSSL upgrading, I read the instructions in this post, but don't know how to recompile mod_ssl.
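
The "undefined symbol: ssl_module" error in the posts above appears when LoadModule points at OpenSSL's own libssl instead of the mod_ssl module, which on Apache 1.3 is also a file named libssl.so. The script below is an added example, not part of any post in this thread; it classifies a libssl.so candidate by its exported symbols, and the sample listings in it are constructed.

```shell
#!/bin/sh
# Added example: tell Apache's mod_ssl DSO apart from OpenSSL's libssl.

# classify_symbols: read `nm -D` output on stdin and print
#   mod_ssl - defines ssl_module, so it is a valid LoadModule target
#   openssl - defines SSL_new, so it is the OpenSSL library itself
#   unknown - defines neither
classify_symbols() {
    awk '
        {
            # nm prints "address type name"; undefined symbols carry no
            # address and show up as two fields ("U name").
            name = $NF; sub(/@.*/, "", name)   # drop any @VERSION suffix
            def = (NF == 3 && $2 != "U")
        }
        def && name == "ssl_module" { mod = 1 }
        def && name == "SSL_new"    { lib = 1 }
        END {
            if (mod)      print "mod_ssl"
            else if (lib) print "openssl"
            else          print "unknown"
        }'
}

# classify_file: apply the check to a real shared object.
classify_file() {
    nm -D "$1" 2>/dev/null | classify_symbols
}

# Constructed nm -D listings for illustration (not from a real system).
SAMPLE_MOD_SSL='00031a40 D ssl_module
         U SSL_new
         U ap_log_error'
SAMPLE_OPENSSL='0001c2f0 T SSL_new
0001d110 T SSL_library_init'

# With arguments, classify each file, e.g. the paths `locate` returned.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        printf '%s: %s\n' "$f" "$(classify_file "$f")"
    done
fi
```

Only a file reported as mod_ssl belongs on a LoadModule ssl_module line.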
 

DirectAdmin Support

Administrator
Staff member
Joined
Feb 27, 2003
Messages
9,050
Hello

1) apache restart:
service httpd restart

2) rebuild mod_ssl
cd /usr/local/directadmin/customapache
./build clean
./build apache_mod_ssl

John
 

MagnuM

Verified User
Joined
Oct 24, 2003
Messages
122
Location
Romania
Thanks,

but when I try ./build apache_mod_ssl, it starts the make procedure, but I receive an error like this:
Code:
===> src/modules/frontpage
/bin/sh: line 1: cd: frontpage: No such file or directory
make[3]: *** [all] Error 1
make[2]: *** [subdirs] Error 1
make[2]: Leaving directory `/usr/local/directadmin/customapache/apache_1.3.29/src'
make[1]: *** [build-std] Error 2
make[1]: Leaving directory `/usr/local/directadmin/customapache/apache_1.3.29'
make: *** [build] Error 2

*** The make has failed, do you want to try to make again? (y,n):
Well, trust me, I am sorry that I make you guys mad at me, but I am starting to get familiar with Linux-style software installation.
Anyway I want to upgrade to openssl-0.9.7c and OpenSSH 3.7, but I read that an OpenSSL upgrade will require recompiling any software which uses it (OpenSSH and Apache+mod_ssl).

So before trying to upgrade OpenSSL I was trying to recompile Apache+mod_ssl, just to see if this upgrade works fine, but it happens to break.

Can you give me more suggestions, of how should I do that.
 

DirectAdmin Support

Administrator
Staff member
Joined
Feb 27, 2003
Messages
9,050
Hello,

Re: Apache Breaks
Code:
cd /usr/local/directadmin/customapache
rm -f configure.*
./build clean
./build update
./build all
John
 

MagnuM

Verified User
Joined
Oct 24, 2003
Messages
122
Location
Romania
OK, thanks :)

The question is:
If I upgrade OpenSSL, do I need to recompile OpenSSH?

Because if I need to do that, I would like to upgrade to OpenSSH version 3.7, because I am running version 3.5. I also read the HOWTO about upgrading OpenSSH, but I have been experiencing some problems with PAM: http://www.directadmin.com/forum/showthread.php?s=&postid=9852#post9852.

So the main steps should be in that order:
1. Upgrade to openssl-0.9.7c
2. Recompile apache+mod_ssl
3. Upgrade to OpenSSH 3.7

Do I miss something? I mean, do I need to recompile other software besides those?
 

MagnuM

Verified User
Joined
Oct 24, 2003
Messages
122
Location
Romania
I just follow the instructions from here http://marc.theaimsgroup.com/?l=openssl-users&m=103243136521648&w=2, and upgrade to openssl 0.9.6l.

The point is that I am still receiving this:
Syntax error on line 1508 of /etc/httpd/conf/httpd.conf:
Invalid command 'SSLEngine', perhaps mis-spelled or defined by a module not included in the server configuration


If I type openssl_version I receive: OpenSSL 0.9.6l 04 Nov 2003, and not OpenSSL 0.9.6l [engine] 04 Nov 2003, as I think it should appear. So the [engine] string is missing.

I have installed the following packages:
openssl-0.9.6l.tar.gz
openssl-engine-0.9.6l.tar.gz

Is it possible that the SSLEngine is not installed correctly?
What should I do, because my Apache is failing to start?
 

MagnuM

Verified User
Joined
Oct 24, 2003
Messages
122
Location
Romania
I always use service httpd restart, because you write that on this forum many times, and I know it. Anyway I recompile Apache, and now it is working good.

I just don't know if the SSLEngine is installed correctly?
 

RTKS

Verified User
Joined
Nov 25, 2003
Messages
48
It seems this one is a bit more complicated.

1. Is this a really essential patch?
2. What is the security hole?
3. What would I need to recompile after getting the new version of SSL installed?
 

ProWebUK

Verified User
Joined
Jun 9, 2003
Messages
2,326
Location
UK
RTKS said:
1. Is this a really essential patch?
2. What is the security hole?
3. What would I need to recompile after getting the new version of SSL installed?
1) No, it's not "essential" - your server won't start steaming due to the fact it's installed and out of date; however, if the upgrade is to patch a security hole it should be upgraded - if it's difficult, it's difficult, although would you prefer to spend some time and be safe, or just say oh well, it looks difficult, let's leave ourselves wide open and vulnerable to an attacker that knows the hole?

The guide was intended a while back for a 0.9.6j > 0.9.7* upgrade... since then there have been many more bug and security fixes, the latest version is 0.9.8 (after 0.9.7c)

2) You can view ALL changes / fixes at http://www.openssl.org/news/changelog.html

3) Most things should be ok, you may have to change a few paths...

Chris
 

RTKS

Verified User
Joined
Nov 25, 2003
Messages
48
Should the guide still work substituting the new version for old?
 

RTKS

Verified User
Joined
Nov 25, 2003
Messages
48
I think this is one of those times I need to step away from the keyboard. I can't get the version to update from .6b for the life of me despite installing .7c.

Any ideas at all?
 

vandal

Verified User
Joined
Oct 22, 2003
Messages
696
Location
Calgary, AB
installing the latest tarball (9.6m) appears to have broken my bind

named: relocation error: /usr/lib/libdns.so.5: undefined symbol: ENGINE_new

redhat 8, any ideas?


Justin
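
On the question asked several times above of what has to be recompiled after the upgrade: the script below is an added example, not part of any post in this thread. It reads ldd output and reports every libssl/libcrypto dependency that still resolves outside the directory the new libraries were installed into; the sample ldd listing is constructed, and the directory and file arguments are whatever applies on your server.

```shell
#!/bin/sh
# Added example: list what still links against the old OpenSSL libraries.
# Only run ldd on binaries you trust; it can execute code from its target.

# ssl_deps: read `ldd` output on stdin and print "soname path" for each
# libssl/libcrypto dependency; unresolved ones get "-" as the path.
ssl_deps() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
        print $1, ($3 == "not" ? "-" : $3)
    }'
}

# stale_deps NEWDIR: keep only the entries that do not resolve inside
# NEWDIR, the directory the upgraded libraries were installed into.
stale_deps() {
    ssl_deps | awk -v dir="$1" '{
        d = $2
        sub("/[^/]*$", "", d)      # dirname of the resolved path
        if (d != dir) print
    }'
}

# audit NEWDIR FILE...: run the check over real binaries or DSOs.
audit() {
    dir=$1; shift
    for f in "$@"; do
        ldd "$f" 2>/dev/null | stale_deps "$dir" |
            awk -v p="$f" '{ print p ": " $0 }'
    done
}

# Constructed ldd output for illustration (not from a real system).
SAMPLE_LDD='    libssl.so.4 => /lib/libssl.so.4 (0x00b1c000)
    libcrypto.so.4 => /lib/libcrypto.so.4 (0x00a10000)
    libc.so.6 => /lib/libc.so.6 (0x00111000)'

# Usage: sh script.sh NEWDIR FILE...
if [ "$#" -gt 1 ]; then
    audit "$@"
fi
```

For example, pass /usr/local/ssl/lib as NEWDIR followed by /usr/lib/apache/libssl.so and /usr/lib/libdns.so.5; anything it prints is still bound to a library outside that directory.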
 