Apache + mod_ssl build not linking to my OpenSSL build

Unix & Linux Asked by E-71 on November 26, 2020

I have spent some time searching online but none of what I found seems to help.

I’m running CentOS 6 64bit and would like to compile Apache with mod_ssl and need to link it to my own OpenSSL build (which is newer than the OS provided version).

OpenSSL 1.1.0i is configured with:

./config --prefix=/opt/openssl-1.1.0 --openssldir=/opt/openssl-1.1.0 shared

Apache 2.4 is configured with:

./configure --enable-layout=mycustomlayout 

It appears to compile just fine but mod_ssl isn’t aware of where OpenSSL 1.1.0 is installed:

[root@host .libs]# ldd ./ | grep -iP 'ssl|crypto' => not found => not found

And so only works when you explicitly tell it where to look:

[root@host .libs]# export LD_LIBRARY_PATH=/opt/openssl-1.1.0/lib:$LD_LIBRARY_PATH
[root@host .libs]# ldd ./ | grep -iP 'ssl|crypto' => /opt/openssl-1.1.0/lib/ (0x00007f069149a000) => /opt/openssl-1.1.0/lib/ (0x00007f069100a000)

Even building mod_ssl statically into httpd binary with --enable-mods-static=ssl doesn’t help.

I tried --enable-ssl, --enable-ssl --enable-ssl-staticlib-deps, and --enable-ssl --enable-ssl-staticlib-deps --enable-mods-static=ssl and still the same result: => not found => not found

Also tried, without luck, setting these variables before ./configure:

export PKG_CONFIG_PATH=/opt/openssl-1.1.0/lib/pkgconfig:$PKG_CONFIG_PATH 

I know I can just add to /etc/ to autoload the new OpenSSL library or adjust Apache’s init script to add to LD_LIBRARY_PATH but I’d much prefer to have it working properly, have the program where to look for /, just like my PHP build:

[root@host php]# export PKG_CONFIG_PATH=/opt/openssl-1.1.0/lib/pkgconfig:$PKG_CONFIG_PATH 
[root@host php]# ./configure […] 

[root@host php]# make

[root@host modules]# ldd ./ | grep -iP 'ssl|crypto' => /opt/openssl-1.1.0/lib/ (0x00007fc2220a6000) => /opt/openssl-1.1.0/lib/ (0x00007fc221c17000)

What am I doing wrong? Could this be a bug?

One Answer

Try adding the following to your LDFLAGS env variable:

-Bstatic -lssl -lcrypto

Also, make sure that you don't have any .so file on your openssl libdir, only the static .a ones. This ideally can be done by passing the no-shared parameter to openssl configure.

I am still unsure why sometimes the linker still prefers the shared version if it's present, even when we explicitly require the static ones, but probably it has to do with the way the ./configure script from httpd is handling library dependency.

While a patch on the configure script would probably be cleaner, just not having .so files seems to be enough for the linker to pick up the static version instead.

Answered by Emerson Gomes on November 26, 2020

Add your own answers!

Ask a Question

Get help from others!

© 2024 All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP