Upgrading Openssl for Apache on Ubuntu 15.04


I had to upgrade from openssl 1.0.1f to openssl 1.0.2u on Ubuntu 15.04.


Download OpenSSL

The solution is to install OpenSSL from source; that way we always have exactly the version we need. Download it with the following commands:

cd /usr/local/src/
sudo wget https://www.openssl.org/source/openssl-1.0.2u.tar.gz

After downloading the source code and installing the required build dependencies, extract the archive with the command below. Make sure you are in the directory where the file was downloaded.

sudo tar -xf openssl-1.0.2u.tar.gz

Compile and Install

Next, change into the extracted directory and configure, build and install OpenSSL with the commands below (the prefix keeps the new build under /usr/local/ssl, separate from the system copy):

cd openssl-1.0.2u
sudo ./config -fPIC shared --prefix=/usr/local/ssl --openssldir=/usr/local/ssl
sudo make
sudo make test # not important here
sudo make install

The -fPIC option stands for “position independent code”. It is used when compiling code that will be linked into a shared object (also known as a dynamic library, or a DLL on Windows).

Advantages of using -fPIC:

  • It allows the shared object to be loaded at any memory address, which can improve memory management and reduce fragmentation.
  • It can make the shared object more secure, as it can be loaded into a non-executable memory region.
  • It can make the shared object more portable, as it can be used on different systems with different memory layouts.

Disadvantages of using -fPIC:

  • It can increase the size of the shared object, as the code needs to be position independent.
  • It can slightly slow down program execution, as position independent code needs to be resolved at runtime.
  • It can make debugging more difficult, as the code address may change at runtime.

In general, it is good practice to always use -fPIC when compiling shared objects, as it can improve the performance and security of the program. However, if you are compiling a program that will not be used as a shared object, -fPIC is not necessary and may not be beneficial.
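A practical way to confirm that the libraries you just built really are position independent is to look at their dynamic section: a shared object that contains non-PIC code carries a TEXTREL entry, which tells the loader it must patch addresses inside the code segment at load time. The script below is an added example, not code from the original post; it parses readelf -d output and is fed two constructed samples so it can run without the library installed (the check_library_pic function runs readelf on a real file if the tool is present).

```shell
#!/bin/sh
# Added example (not from the original post): check that a shared object was
# built as position-independent code. A non-PIC object carries a TEXTREL entry
# in its dynamic section, which means the loader has to rewrite addresses in
# the code segment at load time, so "no TEXTREL" is the property we verify.

# is_pic_dynamic_section: read `readelf -d` output on stdin; return 0 when no
# TEXTREL entry is present (the object is PIC), 1 when one is.
is_pic_dynamic_section() {
    if grep -q 'TEXTREL'; then
        return 1
    fi
    return 0
}

# check_library_pic FILE: run the check against a real file, if readelf exists.
check_library_pic() {
    command -v readelf >/dev/null 2>&1 || { echo "readelf not found" >&2; return 2; }
    readelf -d "$1" | is_pic_dynamic_section
}

# Constructed, abridged readelf -d outputs used to exercise the check offline.
# The first mimics a PIC build of libssl.so.1.0.0, the second a non-PIC build.
SAMPLE_PIC='Dynamic section at offset 0x6ed38 contains 29 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.1.0.0]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libssl.so.1.0.0]
 0x0000000000000000 (NULL)               0x0'

SAMPLE_NONPIC='Dynamic section at offset 0x6ed38 contains 31 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.1.0.0]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libssl.so.1.0.0]
 0x0000000000000016 (TEXTREL)            0x0
 0x000000000000001e (FLAGS)              TEXTREL
 0x0000000000000000 (NULL)               0x0'

# Demo on the samples. On the upgraded host you would instead run:
#   check_library_pic /usr/local/ssl/lib/libssl.so.1.0.0
for name in SAMPLE_PIC SAMPLE_NONPIC; do
    eval "text=\$$name"
    if printf '%s\n' "$text" | is_pic_dynamic_section; then
        echo "$name: PIC (no TEXTREL)"
    else
        echo "$name: contains TEXTREL, not position independent"
    fi
done
```

If check_library_pic reports TEXTREL for libssl.so.1.0.0 or libcrypto.so.1.0.0, the -fPIC flag did not reach the compiler and the build should be redone rather than installed.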

Create link to the new binaries

If there were no errors so far, the next step is to register the new OpenSSL shared libraries with the dynamic linker. The example uses the vim text editor, but any editor of your choice will do.

cd /etc/ld.so.conf.d/
sudo vim openssl-1.0.2u.conf

This opens vim on an empty file; paste the line below and save.

/usr/local/ssl/lib

Next, reload the dynamic linker cache with the command below:

sudo ldconfig -v

Configure OpenSSL Binary

Back up the current binaries (these live in /usr/bin, so root is required):

sudo mv /usr/bin/c_rehash /usr/bin/c_rehash.BACKUP
sudo mv /usr/bin/openssl /usr/bin/openssl.BACKUP

Replace the default openssl binary with a symlink to the new one. The original binary was just moved aside, so a which openssl lookup would find nothing at this point; use the explicit path instead:

sudo ln -sf /usr/local/ssl/bin/openssl /usr/bin/openssl

Next we need to edit /etc/environment and append :/usr/local/ssl/bin to the PATH:

sudo vim /etc/environment
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/usr/local/ssl/bin"

Next, reload the environment and check that the new bin directory is on the PATH:

source /etc/environment
echo $PATH

Testing

We can now check and verify our installation of OpenSSL with the commands below:

which openssl
openssl version -a

Create symbolic link for certificates

In most cases, you will get an error message like the one below:

<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>

Now update the certificates and point the new OpenSSL at the system certificate store with a symlink, which fixes the error above:

sudo update-ca-certificates --fresh
sudo rm -r /usr/local/ssl/certs/
sudo ln -s /etc/ssl/certs /usr/local/ssl/certs

Enable New OpenSSL on Apache

The mod_ssl.so module is dynamically linked against OpenSSL. Before the restart it still resolves the system libraries:

ldd /usr/lib/apache2/modules/mod_ssl.so | egrep 'lib(ssl|crypto)'
libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f77ca63b000)
libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f77ca257000)

So we have to restart apache2 for it to pick up the new OpenSSL:

sudo service apache2 restart

Check again; apache2 now resolves the new version:

ldd /usr/lib/apache2/modules/mod_ssl.so | egrep 'lib(ssl|crypto)'
libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007fd32af37000)
libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007fd32aad6000)
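To verify the whole procedure end to end, here is an added check script that is not part of the original post. It assumes the paths and version used above (/usr/local/ssl, 1.0.2u, /usr/lib/apache2/modules/mod_ssl.so, /etc/ssl/certs) and embeds constructed ldd samples copied from the before and after output shown above, so it runs offline; the live invocations for the upgraded host are in the comments.

```shell
#!/bin/sh
# Added example, not part of the original post: post-upgrade verification of
# the steps above. Each check is a small function that returns 0 on success,
# fed with constructed samples so the script can be exercised offline.

EXPECTED_VERSION="1.0.2u"             # version built above
EXPECTED_LIBDIR="/usr/local/ssl/lib"  # --prefix=/usr/local/ssl plus /lib

# version_matches LINE VERSION: true if the first line of `openssl version`
# output reports exactly VERSION (e.g. "OpenSSL 1.0.2u  20 Dec 2019").
version_matches() {
    case "$1" in
        "OpenSSL $2 "*|"OpenSSL $2") return 0 ;;
    esac
    return 1
}

# libs_resolve_under DIR: read ldd output on stdin; true only if at least one
# libssl/libcrypto line was seen and every such line resolves under DIR.
libs_resolve_under() {
    dir="$1" found=0 bad=0
    while IFS= read -r line; do
        case "$line" in
            *libssl.so*"=>"*|*libcrypto.so*"=>"*) ;;
            *) continue ;;
        esac
        found=$((found + 1))
        set -- $line           # fields: name "=>" path "(0x...)"
        path="$3"
        case "$path" in
            "$dir"/*) ;;
            *) bad=$((bad + 1)); echo "unexpected: $path" >&2 ;;
        esac
    done
    if [ "$found" -gt 0 ] && [ "$bad" -eq 0 ]; then
        return 0
    fi
    return 1
}

# certs_link_ok LINK TARGET: true if LINK is a symlink pointing at TARGET,
# i.e. the state the certificate step above leaves behind.
certs_link_ok() {
    [ -L "$1" ] || return 1
    if [ "$(readlink "$1")" = "$2" ]; then
        return 0
    fi
    return 1
}

# Constructed samples, copied from the ldd output shown above.
LDD_BEFORE='    libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f77ca63b000)
    libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f77ca257000)'
LDD_AFTER='    libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007fd32af37000)
    libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007fd32aad6000)'

# Live checks to run on the upgraded host:
#   version_matches "$(openssl version)" "$EXPECTED_VERSION"
#   ldd /usr/lib/apache2/modules/mod_ssl.so | libs_resolve_under "$EXPECTED_LIBDIR"
#   certs_link_ok /usr/local/ssl/certs /etc/ssl/certs
for sample in LDD_BEFORE LDD_AFTER; do
    eval "text=\$$sample"
    if printf '%s\n' "$text" | libs_resolve_under "$EXPECTED_LIBDIR" 2>/dev/null; then
        echo "$sample: mod_ssl would use $EXPECTED_LIBDIR"
    else
        echo "$sample: still resolving the system OpenSSL"
    fi
done
```

The ldd check is the one that matters for Apache: a correct openssl version on the command line only proves the PATH change worked, while a mod_ssl.so that still resolves /lib/x86_64-linux-gnu/libssl.so.1.0.0 means the ld.so.conf.d entry or the ldconfig step was missed and the server is still running the old library.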

Sources:

https://bugs.chromium.org/p/chromium/issues/list?q=Err_ssl_protocol_error&can=2

https://serverfault.com/questions/721867/can-i-upgrade-openssl-version-used-by-apache-without-recompiling-the-server-but

https://stackoverflow.com/questions/39968670/how-to-upgrade-openssl-0-9-8-to-1-0-2-with-mod-ssl-in-apache-2-2-9

https://askubuntu.com/questions/1000629/how-to-install-openssl-1-0-2-with-default-openssl-1-1-1-on-ubuntu-16-04

https://chenzhang.org/notes/developer/upgrading-openssl-for-apache-on-ubuntu/

https://www.miguelvallejo.com/tag/installing-openssl-1-0-2g-on-ubuntu/

https://dev.to/tandavala/how-to-install-openssl-from-source-code-on-ubuntu-16-04-j5j

https://www.sulabs.net/?p=266
