Manual install of curl can't find openssl - ssl

My system (Centos7) install of curl doesn't support https. So I followed this answer, downloaded from source and installed myself, using the ./configure --with-ssl option.
I got the following warning while configuring:
checking OpenSSL linking with -ldl... no
checking OpenSSL linking with -ldl and -lpthread... no
checking for ssl_version in -laxtls... no
configure: WARNING: SSL disabled, you will not be able to use HTTPS, FTPS, NTLM and more.
configure: WARNING: Use --with-ssl, --with-gnutls, --with-polarssl, --with-cyassl, --with-nss, --with-axtls, --with-winssl, or --with-darwinssl to address this.
As a result, my curl build does not support https.
Open SSL is installed on my system:
[user@server curl-7.61.0]$ which openssl
/usr/bin/openssl
How can I get my curl install to find openssl and support HTTPS?

Try installing openssl-devel. Development (-devel) packages are usually needed when building from source.

Related

Github unable to access SSL connect error

I have been using git a lot for the last few months. git push worked 12 hours ago; now all attempts generate errors. With verbose it produces this:
GIT_CURL_VERBOSE=1 git push
* Couldn't find host github.com in the .netrc file; using defaults
* About to connect() to github.com port 443 (#0)
* Trying 192.30.253.112... * Connected to github.com (192.30.253.112) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS error -12190
* Expire cleared
* Closing connection #0
fatal: unable to access 'https://github.com/waveney/wmff/': SSL connect error
Any bright ideas? No changes to the server from when it worked to now; a restart made no difference.
I was having the same problem on various CentOS 6 VMs and it turned out to be an issue with stale curl and nss libraries (thanks to this thread for pointing me in the right direction: cURL SSL connect error 35 with NSS error -5961).
The fix that worked for me is just:
yum update -y nss curl libcurl
yum update -y worked for me to fix a fatal error when running git clone.
Had the same experience as OP, occurring for the same reasons (Github's crypto removal notice of TlsV1, along with using a machine with a very old linux + git).
FWIW, if you find yourself on a very old version of linux, but you're stubbornly adamant you don't want to upgrade to a newer version of linux (hence instantly get a newer Git and all its deps), you could try building a newer Git, along with its dependencies, from source.
It's a time-consuming and painful path, and probably upgrading your linux is easier than this, but oh well, I just wanted to stick with my old linux.
I jotted a few notes of my attempt, hopefully it will help anyone that braves this path:
Git depended on openssl and curl, so I had to build those too
I had to upgrade my version of cmake in order to build the newer curl (building cmake took about 2-3 hours)
The newer cmake required me to build a newer gcc (which took about 21 hours to build on my old machine!)
Once I had cmake, I could build curl, but it referenced an older version of openssl (which did not have the newer TlsV1.2)
So I had to build a newer openssl, then followed by building curl (doing my utmost to assure the build referenced this newer openssl)
Then I could build Git, again, doing my best to assure it referenced the newer openssl and curl
I found myself repeatedly using "ldd" to confirm the referenced libraries, as on many occasions, the build would reference the wrong one, and I'd have to figure out how to enforce my desired path.
Some examples of this were:
# ldd /opt/git-2.27.0/libexec/git-core/git-http-fetch | grep -E "libssl|libcrypto|libcurl"
libcurl.so => /usr/local/lib/libcurl.so (0x00aed000)
libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00e86000)
libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00893000)
This helped me confirm 'git-http-fetch' was making use of my newer curl (at /usr/local/lib, and not /usr/lib), and my newer openssl (at /usr/local/ssl/lib, and not /usr/lib)
$ ldd /usr/local/bin/curl | grep -E "libssl|libcrypto"
libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00110000)
libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x0016f000)
This helped me confirm that my new 'curl' was referencing newer openssl (at /usr/local/ssl/lib, and not /usr/lib)
To enforce these paths, Git lets you set these env-vars prior to building:
OPENSSLDIR=/usr/local/ssl/
CURLDIR=/usr/local/
For curl, I had to pass the openssl path via cmake:
cmake -DOPENSSL_ROOT_DIR=/usr/local/ssl .
For cmake, it also referenced openssl, and I passed that path across on its 'bootstrap' step:
./bootstrap --prefix=/opt/cmake-3.17.3 -- -DOPENSSL_ROOT_DIR=/usr/local/ssl
Apologies for the answer being all over the place. I can flesh it out with more detail if there is a request for it, but given that it's taken me about a week to sort this out, I think most people will prefer the sane path of just upgrading your linux.

Can't use wget to download https letsencrypt sites on server, but on Mac it works. Doesn't work for Facebook scraper

I have https via LetsEncrypt installed on my domain https://blog.andytriboletti.com
No errors in the browser on Mac or on iPhone.
I noticed a problem where Facebook's open graph URL scraper used for previews wasn't working.
After investigating I noticed that wget https://blog.andytriboletti.com works on my Macbook, but does not work on my Centos server. On Mac I am using wget version GNU Wget 1.17.1 built on darwin15.2.0. On Centos I am using GNU Wget 1.14 built on linux-gnu. I upgraded to GNU Wget 1.18 built on linux-gnu and it still doesn't work.
The "How Debugger sees your URL" section is blank:
https://developers.facebook.com/tools/debug/echo/?q=http%3A%2F%2Fblog.andytriboletti.com%2F
I have opened a bug with Facebook: https://developers.facebook.com/bugs/546742535513914/
I have tried posting site with Google Plus and the preview works: https://plus.google.com/+AndyTriboletti/posts/3uzLN83Ysgn
Full output of wget --version and it working to download https://blog.andytriboletti.com/ on my Macbook:
Andys-MBP:~ andytriboletti$ brew upgrade wget
Error: wget 1.17.1 already installed
Andys-MBP:~ andytriboletti$ wget --version
GNU Wget 1.17.1 built on darwin15.2.0.
+digest -gpgme +https +ipv6 -iri +large-file -metalink -nls +ntlm
+opie -psl +ssl/openssl
Wgetrc:
/usr/local/etc/wgetrc (system)
Compile:
clang -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/usr/local/etc/wgetrc"
-DLOCALEDIR="/usr/local/Cellar/wget/1.17.1/share/locale" -I.
-I../lib -I../lib -I/usr/local/opt/openssl/include -DNDEBUG
Link:
clang -DNDEBUG -L/usr/local/opt/openssl/lib -lssl -lcrypto -ldl -lz
ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://www.gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Originally written by Hrvoje Niksic <hniksic@xemacs.org>.
Please send bug reports and questions to <bug-wget@gnu.org>.
Andys-MBP:~ andytriboletti$ wget https://blog.andytriboletti.com/
--2016-06-20 15:44:41-- https://blog.andytriboletti.com/
Resolving blog.andytriboletti.com... 104.237.138.56, 2600:3c00::f03c:91ff:fe84:6879
Connecting to blog.andytriboletti.com|104.237.138.56|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: 'index.html.16'
index.html.16 [ <=> ] 55.68K --.-KB/s in 0.09s
2016-06-20 15:44:41 (641 KB/s) - 'index.html.16' saved [57012]
When I run this on my Linux server I do get an error:
-bash-4.2$ wget https://blog.andytriboletti.com/
--2016-06-19 13:10:44-- https://blog.andytriboletti.com/
Resolving blog.andytriboletti.com (blog.andytriboletti.com)... 2600:3c00::f03c:91ff:fe84:6879, 104.237.138.56
Connecting to blog.andytriboletti.com (blog.andytriboletti.com)|2600:3c00::f03c:91ff:fe84:6879|:443... connected.
ERROR: no certificate subject alternative name matches
requested host name ‘blog.andytriboletti.com’.
To connect to blog.andytriboletti.com insecurely, use `--no-check-certificate'.
As well as wget, it's also an issue with curl.
Facebook URL previews work with a domain I bought using a Namecheap cert.
Posted on the letsencrypt forums and it's an issue with having an IPv6 DNS record for this domain but Apache not set up for IPv6 on this domain.
https://community.letsencrypt.org/t/cant-use-wget-to-download-https-letsencrypt-sites-on-server-but-on-mac-it-works-doesnt-work-for-facebook-scraper/17237/2

"OpenSSL version is too old" while compiling http 2.4.16 on MacOS 10.11

I encounter an error with OpenSSL while compiling http 2.4.16 on El Capitan 10.11.1.
It is looking for OpenSSL version >= 0.9.8a:
checking for OpenSSL... checking for user-provided OpenSSL base directory... none
checking for OpenSSL version >= 0.9.8a... FAILED
configure: WARNING: OpenSSL version is too old
The default OpenSSL version is 0.9.8zg:
$ openssl version
OpenSSL 0.9.8zg 14 July 2015
And finally here is a part of my compilation line:
./configure --prefix=/usr/local/MyWebserver/httpd-2.4.12 \
--enable-ssl \
--with-few-things… \
--disable-lots-of-things…
I don't want to install another openssl even with brew.
For me, the problem was solved by installing the package 'openssl-devel'.
None of the above solutions worked for me.
I resolved it by telling "configure" which open-ssl to use:
When doing ./configure, please add the following:
--with-ssl=/usr/local/Cellar/openssl/1.0.2r
where 1.0.2r is your current version of openssl, usually installed by brew.
I prefer this method to messing about with the system files (i.e. I don't like to link anything in /usr/... directories, as it messes with the system, and Apple will always do an update to prevent you from doing this). Therefore, the following command works:
./configure --enable-ssl --enable-so --prefix=/(Wherever you like to install location) \
--with-included-apr --with-mpm=prefork --with-ssl=/usr/local/Cellar/openssl/1.0.2r
For my installation to work, I also needed to download the apr and apr-util, unzip and place them onto the srclib folder before installing.
I hope this helps.
You don't necessarily need to copy things if you have a current version of OpenSSL installed (using Homebrew), creating a symlink is sufficient to ensure it is picked up by the configure command:
ln -s /usr/local/opt/openssl/include/openssl /usr/local/include
More details: https://medium.com/@timmykko/using-openssl-library-with-macos-sierra-7807cfd47892
I've found a way:
Copy the folder /usr/include/openssl from a Yosemite (MacOS 10.10) to /usr/local/include/openssl on my computer (El Capitan MacOS 10.11).
Then compile apache by adding a flag to the compilation environment variables gcc and g++: -I/usr/local/include
Here are all the variables that I use:
ARCH="-arch x86_64 -mmacosx-version-min=10.7"
LDFLAGS="-O3 $ARCH"
CFLAGS="-O3 -fno-common $ARCH"
CXXFLAGS="-O3 -fno-common $ARCH"
CC="gcc $ARCH -I/usr/local/include"
CXX="gcc $ARCH -I/usr/local/include"
CPP="gcc -E"
CXXCPP="g++ -E"
Actually, you just need to provide the headers.
Download the Openssl source code here, and then copy to /usr/local/include/ as below,
$ sudo cp -r include/openssl /usr/local/include/
then everything will work fine.
Edit:
The openssl being outdated was the result of not having the proper libraries installed.
Installing libssl via sudo apt-get install libssl-dev
caused --enable-ssl to function without extra configuration.
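The answers above all come down to pointing configure at a prefix that holds both OpenSSL's headers and its libssl. As an added example that is not from any poster here, this POSIX sh helper does what the configure probe does: it reads OPENSSL_VERSION_NUMBER from include/openssl/opensslv.h under each candidate prefix and prints the first one that is at least the minimum (0.9.8a, the version the httpd configure output asks for) and also ships libssl in lib/, so the result is what --with-ssl=PREFIX expects. The prefixes in the usage comment are assumptions, and the version encoding comment applies to OpenSSL 0.9.x through 1.1.x only.

```shell
# Added helper (not from the thread): mimic configure's "OpenSSL version >= X" probe.
# OpenSSL 0.9.x..1.1.x encode OPENSSL_VERSION_NUMBER as 0xMNNFFPPS (major, minor,
# fix, patch letter, status), so 0.9.8a is 0x0090801f and 1.0.2r is 0x1000212f.
# OpenSSL 3.x computes the macro from OPENSSL_VERSION_MAJOR etc., which this does not parse.
MIN_OPENSSL_098A=$((0x0090801f))

# openssl_version_number PREFIX: print the version in PREFIX/include/openssl/opensslv.h
# as a decimal integer; fail if the header is absent or has no parseable version.
openssl_version_number() {
    hdr="$1/include/openssl/opensslv.h"
    [ -f "$hdr" ] || return 1
    hex=$(sed -n 's/^# *define OPENSSL_VERSION_NUMBER *0x\([0-9A-Fa-f]*\)L\{0,1\}.*/\1/p' "$hdr" | head -n 1)
    [ -n "$hex" ] || return 1
    echo $((0x$hex))
}

# find_openssl_prefix MIN PREFIX...: print the first PREFIX whose headers are at least MIN
# and whose lib/ contains libssl; that path is what --with-ssl=PREFIX expects.
find_openssl_prefix() {
    min="$1"; shift
    for p in "$@"; do
        ver=$(openssl_version_number "$p") || continue     # no usable headers here
        ls "$p"/lib/libssl.* >/dev/null 2>&1 || continue    # headers without a library
        if [ "$ver" -ge "$min" ]; then
            echo "$p"
            return 0
        fi
    done
    return 1
}

# Typical use (assumed candidate prefixes; a brew install usually lives under /usr/local/opt/openssl):
# find_openssl_prefix "$MIN_OPENSSL_098A" /usr/local/ssl /usr/local/opt/openssl /usr
```

The printed prefix goes straight into `./configure --with-ssl=$(find_openssl_prefix "$MIN_OPENSSL_098A" ...)`; a non-zero exit means no candidate is new enough or is missing its library, which is exactly the "version is too old" / "SSL disabled" situation above.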

Printing wrong version number when I run ssh -V

I am upgrading the openssl & openssh versions for the QNX platform, from openssl 1.0.0e to 1.0.1g and openssh-5.6p1 to openssh-6.6p1.
So using my linux machine I am cross compiling to generate binaries for QNX.
After doing all the steps mentioned below, when I run ./ssh -V I am getting this output:
OpenSSH_6.6p1, OpenSSL 0.9.8g 19 Oct 2007
But I used openssl 1.0.1g to generate ssh binaries.
Can anyone tell me where I am getting the wrong version from?
Steps:
1. Downloaded openssl-1.0.1g.tar.gz & openssh-6.6p1.tar.gz and then untarred them.
2. cd openssl-1.0.1g & run this config command:
CC=qcc CXX=qcc AR=nto${I_CPU}-ar LD=qcc RANLIB=nto${I_CPU}-ranlib CFLAGS+="-Vgcc_nto${I_CPU} -fPIC -DPIC" LDFLAGS+="-Vgcc_nto${I_CPU} -shared" ./Configure QNX6-i386 -shared --prefix=/home/vamsi/build_ppc --openssldir=/home/vamsi/build_ppc/openssl_dir
make clean
make
make install
3. cd openssh-6.6p1 & run this config command:
CC=qcc CFLAGS="-Vgcc_nto${I_CPUX} -L/home/vamsi/build_ppc/lib" AR=nto${I_CPUX}-ar LD=qcc LDFLAGS="-Vgcc_nto${I_CPUX} -L/home/vamsi/build_ppc/lib" CXX=qcc CPPFLAGS+="-DMISSING_HOWMANY -DMISSING_NFDBITS -DMISSING_NFDMASK" ./configure --disable-lastlog --host=ppcbe --with-ssl-dir=/home/vamsi/build_ppc/openssl_dir --prefix=/home/vamsi/build_ppc --disable-etc-default-login
make clean
make
After these steps I copied the generated ssh binary file onto the target machine and tried to run ./ssh -V.
Also when I copied the openssl binary to the target QNX machine and tried to execute this command
./openssl
It is giving this error:
./openssl[1]: syntax error: '(' unexpected
Note: I am not installing ssh on the target machine but I just want new version ssh binaries, so I am running ./ssh -V instead of ssh -V.
I am able to successfully connect to any address using this ssh (generated binary).
And in making this binary I am getting this warning:
skipping incompatible /home/vamsi/build_ppc/lib/libcrypto.a when searching for -lcrypto
Has this warning got anything to do with the problem I am facing?
I tried using openssl version 1.0.0l but still the output of ssh -V is showing as:
OpenSSH_6.6p1, OpenSSL 0.9.8g 19 Oct 2007
After these steps I copied the generated ssh binary file onto the target machine and tried to run ./ssh -V
Also when i copied openssl Binary to target QNX machine
This and the comments you've posted on your other question about the output of ldd: "It is taking the previous libraries instead of newly generated ones in creating the binaries." seem to suggest you have only copied these two executable files, but not the libraries you've compiled.
You don't need the openssl command to use ssh, but you'll need the OpenSSL libraries (libssl.something.so).
If you want to test this in a local directory instead of overwriting your system's libraries (which I'd recommend, since you don't seem quite sure how this all works), consider using LD_LIBRARY_PATH to point to the path where you've installed those libraries.
In general, it would be a good idea to read about LD_LIBRARY_PATH. On Linux, I'd also look at using ldconfig, but I'm not sure if there's an equivalent on QNX.

Ubuntu 10.04 updating openssl for apache

My company's website is on an EC2 instance. The OS is Ubuntu 10.04. Currently we are using packages installed through apt-get. We have apache 2.2.14 and openssl 0.9.8k. After a security audit, I was told to update the version of openssl. The latest version of openssl on the 0.9.8 line is 0.9.8y. Is it compatible with apache 2.2.14? If so, is it easy or at least possible to upgrade openssl only? I read somewhere that some people simply recommend upgrading the whole OS. Any comments?
I did try to upgrade by downloading the tarball of
httpd-2.2.24 + openssl 0.9.8y
I installed them both under
/usr/local/apache2
/usr/local/ssl
I configured apache by
./configure --enable-modules=all --enable-mods-shared="all ssl" \
--with-ssl=/usr/local/ssl/ --enable-ssl
the /usr/local/ssl/bin/openssl does show 0.9.8y
but my web service shows apache 2.2.24 + openssl 0.9.8k
Any idea how to fix it? Thanks.
$ ldd /usr/local/apache2/bin/httpd
...
libssl.so.0.9.8 => /lib/libssl.so.0.9.8
libcrypto.so.0.9.8 => /lib/libcrypto.so.0.9.8
...
The libssl.so.0.9.8 is still found in /lib/ system directory by the loader, not /usr/local/ssl. So you need to set LD_LIBRARY_PATH before running httpd:
$ export LD_LIBRARY_PATH=/usr/local/ssl/lib && /usr/local/apache2/bin/httpd
See also this document for more info on compatibility between apache & openssl. See this table for info on binary compatibility of openssl 0.9.8k and 0.9.8y.
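This answer, the Git-from-source answer further up and the QNX answer all reach the same verification step: run ldd on the binary and check that libssl/libcrypto/libcurl resolve under the prefix you built, not under /lib or /usr/lib. As an added example that is not from any poster here, this POSIX sh function makes that check repeatable and also catches the "not found" case that LD_LIBRARY_PATH is meant to fix. The ldd text below is constructed for the demonstration; the library names and paths are assumptions modelled on the ones in the answers.

```shell
# Constructed ldd output for illustration; not real output from either poster's machine.
SAMPLE_LDD='    libcurl.so => /usr/local/lib/libcurl.so (0x00aed000)
    libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00e86000)
    libcrypto.so.0.9.8 => /lib/libcrypto.so.0.9.8 (0x00893000)
    libnss3.so => not found
    libc.so.6 => /lib64/libc.so.6 (0x00110000)'

# check_linked_libs PREFIX LIB... reads `ldd BINARY` output on stdin and succeeds only
# when every LIB (matched by name prefix, e.g. libssl) resolves to a file under PREFIX.
# This is the ldd | grep check from the answers, with the verdict made explicit.
check_linked_libs() {
    prefix="$1"; shift
    ldd_out=$(cat)
    rc=0
    for lib in "$@"; do
        # third field of the first "NAME => PATH (addr)" line whose NAME starts with $lib
        resolved=$(printf '%s\n' "$ldd_out" |
            awk -v l="$lib" '$2 == "=>" && index($1, l) == 1 { print $3; exit }')
        case "$resolved" in
            "")           echo "MISSING  $lib: not a dynamic dependency of this binary"; rc=1 ;;
            not)          echo "NOTFOUND $lib: loader cannot locate it (LD_LIBRARY_PATH?)"; rc=1 ;;
            "$prefix"/*)  echo "ok       $lib -> $resolved" ;;
            *)            echo "WRONG    $lib -> $resolved (expected under $prefix)"; rc=1 ;;
        esac
    done
    return $rc
}

# Typical use (paths assumed): ldd /usr/local/apache2/bin/httpd | check_linked_libs /usr/local/ssl libssl libcrypto
```

Run it once before and once after exporting LD_LIBRARY_PATH (or after fixing the build flags) and the WRONG/NOTFOUND lines tell you which library the loader is still taking from the system directory.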