How to make mod_ssl pointing to different openssl directory instead of default one in apache?

Question

The question is raised because the original openssl version doesn't pass the Vulnerability Scanning, therefore I need to upgrade the openssl package on apache centos 7 and I am using httpd. I have some observations after spending some time

1. The default openssl version is OpenSSL 1.0.2k-fips, which is the default openssl version for mod_ssl, which in turn is a dependency of httpd 2.4.6-97.el7.centos.5 package, so when I yum install httpd, the mod_ssl is automatically pointing to that openssl version

2. I follow the guideline in https://gist.github.com/fernandoaleman/5459173e24d59b45ae2cfc618e20fe06 , instead of version 1.1.1, I installed version 3.0.0, other commands are the same as the guideline mentioned, I checked the openssl version after the upgrade by running openssl version, the output is correct, but when I send request to the server, the response header still displays the original version: Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_wsgi/4.5.18 Python/3.6

3. This is the output when I ldd mod_ssl.so in /usr/lib64/httpd/modules folder:

        linux-vdso.so.1 =>  (0x00007ffd44ddd000)
        libssl.so.10 => /lib64/libssl.so.10 (0x00007fe07f09c000)
        libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007fe07ec39000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fe07ea1d000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007fe07e819000)
        libc.so.6 => /lib64/libc.so.6 (0x00007fe07e44b000)
        libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007fe07e1fe000)
        libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007fe07df15000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fe07dd11000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007fe07dade000)
        libz.so.1 => /lib64/libz.so.1 (0x00007fe07d8c8000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fe07f545000)
        libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007fe07d6b8000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007fe07d4b4000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fe07d29a000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fe07d073000)
        libpcre.so.1 => /lib64/libpcre.so.1 (0x00007fe07ce11000)

I know that it's a dependency issue, the mod_ssl is not pointing to the new installed openssl 3.0.0, so is there a way to make mod_ssl point to the new openssl version? or I can install openssl 3.0.0 to the default directory that mod_ssl is pointing to? (I don't want to install httpd manually because I don't want to break the dependencies ) I am a beginner of server stuff, it is appreciated if you guys can give me a hand, thanks

Answer 1

Assuming you already have apache + mod_ssl + openssl installed from the official centos repository, you could do something like this:

For OpenSSL:

cd /opt/
wget https://ftp.openssl.org/source/openssl-1.1.1k.tar.gz
tar zxvf openssl-1.1.1k.tar.gz
cd /opt/openssl-1.1.1k
./config -fpic shared
make -j4
make install

For Apache (you could probably use a newer version, I just took the same version as from the official repository):

cd /opt
wget https://dlcdn.apache.org/httpd/httpd-2.4.53.tar.gz
tar zxvf httpd-2.4.53.tar.gz
cd /opt/httpd-2.4.53
./configure --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/sh--includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --prefix=/etc/httpd --exec-prefix=/usr --bindir=/usr/--sbindir=/usr/sbin --mandir=/usr/share/man --libdir=/usr/lib64 --sysconfdir=/etc/httpd/conf --includedir=/usr/include/httpd --libexecdir=/usr/lib64/httpd/modules --datadir=/usr/share/httpd --enable-layout=Fed--with-installbuilddir=/usr/lib64/httpd/build --enable-mpms-shared=all --with-apr=/usr --with-apr-util=/usr --enable-suexec --with-suexec --enable-suexec-capabilities --with-suexec-caller=apache --with-suexec-oot=/var/--without-suexec-logfile --with-suexec-syslog --with-suexec-bin=/usr/sbin/suexec --with-suexec-uidmin=500 --with-suexec-gidmin=100 --enable-pie --with-pcre --enable-mods-shared=all --enable-ssl --with-ssl --die-distca--enable-proxy --enable-cache --enable-disk-cache --enable-ldap --enable-authnz-ldap --enable-cgid --enable-cgi --enable-authn-anon --enable-authn-alias --disable-imag

make -j4
make install

systemctl restart httpd

Basically it will compile Apache from source, mod_ssl as well and it will replace the default files with the ones you just compiled.

Tested it on my centos7 linux box:

[Tue May 17 12:13:19.777713 2022] [mpm_prefork:notice] [pid 3179] AH00163: Apache/2.4.53 (Unix) OpenSSL/1.1.1k configured -- resuming normal operations

Answer 2

I finally solved this question, it is quite tedious, below is my steps to solve this question:

1. backup all related file, which is very useful in later step, you can first use rpm -ql httpd, rpm -ql mod_ssl, to see all the installed file paths and back up accordingly, of course the main config folder should be considered first (in my case: /etc/httpd), it's better to backup mod_ssl configs and files as well because we need to create ssl.conf by ourselves later and it requires backuped configs and files. Uninstall all httpd related file on the server.
2. Compiling openssl from source, I followed the instructions here: Update Openssl to 3.0 on Centos7, the default installed openssl folder is: /usr/local/ssl
3. Compiling Apache HTTPD from source, you can follow the steps Bogdan Stoica mentioned above (very useful info and I changed the command slightly), use the following command:

./configure 
--build=x86_64-redhat-linux-gnu 
--host=x86_64-redhat-linux-gnu 
--disable-dependency-tracking 
--localstatedir=/var 
--sharedstatedir=/var/lib 
--mandir=/usr/share/man 
--infodir=/usr/share/info 
--prefix=/etc/httpd 
--exec-prefix=/usr 
--bindir=/usr/
--sbindir=/usr/sbin 
--libdir=/usr/lib64 
--sysconfdir=/etc/httpd/conf 
--includedir=/usr/include/httpd
--libexecdir=/usr/lib64/httpd/modules
--datadir=/usr/share/httpd 
--with-installbuilddir=/usr/lib64/httpd/build 
--enable-mpms-shared=all 
--with-apr=/usr 
--with-apr-util=/usr 
--enable-suexec 
--with-suexec 
--enable-suexec-capabilities 
--with-suexec-caller=apache 
--with-suexec-oot=/var/
--without-suexec-logfile 
--with-suexec-syslog 
--with-suexec-bin=/usr/sbin/suexec 
--with-suexec-uidmin=500 
--with-suexec-gidmin=100 
--enable-pie --with-pcre 
--enable-mods-shared=all 
--enable-ssl 
--with-ssl=/usr/local
--enable-proxy 
--enable-cache 
--enable-disk-cache 
--enable-ldap 
--enable-authnz-ldap 
--enable-cgid 
--enable-cgi 
--enable-authn-anon 
--enable-authn-alias 
--disable-imag

Note that it is --with-ssl=/usr/local but not --with-ssl=/usr/local/ssland the paths of installed httpd is not exactly the same as the ones from yum install

4. check if new HTTPD is installed by httpd -v, if not, please stop here.

5. check if mod_ssl.so is pointing to new openssl by using ldd /usr/lib64/httpd/modules/mod_ssl.so, here is the output:

linux-vdso.so.1 =>  (0x00007ffc73775000)
libssl.so.3 => /usr/local/lib64/libssl.so.3 (0x00007f85b9040000)
libcrypto.so.3 => /usr/local/lib64/libcrypto.so.3 (0x00007f85b89d4000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f85b87b8000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007f85b85b4000)
libc.so.6 => /lib64/libc.so.6 (0x00007f85b81e6000)
/lib64/ld-linux-x86-64.so.2 (0x00007f85b9536000)

If there is no change compared with the original mod_ssl.so file, please stop here.

6. Edit /etc/httpd/httpd.conf, replaced by the backuped httpd.conf, and see what files are lacking, some cnp actions are needed in this step (in my case, some files related to /conf.d/*.conf)

then it's done, so basically the easy way to make mod_ssl point to different openssl is to compile httpd from source with specified openssl directory, but need to be careful about the backup, if you want a better solution, then I think finding configure which is exactly the same as yum install's one will benefit to the consistency issue.