how to upgrade openssl in apache webserver - apache

We are using Apache webserver version 2.2.3 with OpenSSL version 0.9.8e-fips-rhel5 (Linux environment). We are required to upgrade OpenSSL to the latest version for security reasons. I have the following doubts:
As per https://www.openssl.org/news/secadv_20140605.txt, version 0.9.8 should be upgraded to 0.9.8za. Please let me know if it's OK to upgrade to 0.9.8za or whether we should go for 1.0.1h.
What is the procedure for upgrading the OpenSSL which comes with Apache webserver?
Is it required to regenerate the keys and certificate again?

You can update with the command below:
yum update openssl

Related

Centos8 SVN1.10.2 can not ignore ssl validation

On a new CentOS Linux release 8.3.2011 system, I installed svn with 'sudo yum install subversion'; the version of svn is 'svn, version 1.10.2 (r1835932)'.
After executing the command 'svn list https://mydomain:4443/svn/', I see the output below:
svn: E170013: Unable to connect to a repository at URL 'https://myserver:4443/svn/'
svn: E120171: Error running context: An error occurred during SSL communication
On CentOS 7, with svn version 1.7, I get a question and I can input 'p' to ignore SSL validation forever. But on CentOS 8 I do not. Why?
It's not a problem with SVN, but with the SSL/TLS library packaged with the client and the SSL/TLS protocol it supports. I guess that the newer svn client version does not support outdated SSL/TLS protocol versions for security reasons. You can always check the versions with the svn --version -v command.
Check which SSL/TLS versions your client and server support and consider upgrading the server. I think that it does not support modern SSL/TLS protocol versions.

Letsencrypt certificate not working in CentOS 6.8 32 bit version

I am trying to install Letsencrypt certificate in CentOS 6.8 32 bit for Apache. It used to work earlier, but now it is giving the following error:
Skipping bootstrap because certbot-auto is deprecated on this system.
Your system is not supported by certbot-auto anymore.
Certbot cannot be installed.
Please visit https://certbot.eff.org/ to check for other alternatives.
I have been checking the site:
https://certbot.eff.org/lets-encrypt/centos6-apache
and I see that only 64-bit CentOS 6 is supported. The message shown on the site is:
Supported architectures: Certbot only supports CentOS/RHEL 6 systems running on the x86_64 architecture. To use Certbot on another architecture, you will need to upgrade your OS.
Does it mean that CentOS 6 32 bit version is no longer supported? What will happen when the installed certificates on CentOS 32 bit have to be renewed?
And if CentOS 32 bit is no longer supported, what is the date from which this support is revoked?
I have fixed it by using an older version of Certbot 0.35.0 and using the following command to renew the certificate:
/usr/local/bin/certbot-auto --no-self-upgrade --no-bootstrap renew
It has worked on CentOS 6.8 successfully.

Apache2 can't use SSL after upgrade

After a global upgrade (apt-get upgrade) Apache2 won't work with SSL anymore.
Ubuntu 16
Apache version : 2.4.37
OpenSSL version : OpenSSL 1.1.1-pre7 (beta) 29 May 2018
LD_LIBRARY_PATH=/usr/local/lib
When I try to start the service I get the following error:
Dec 12 18:43:59 labo apachectl[1677]: apache2: Syntax error on line
146 of /etc/apache2/apache2.conf: Syntax error on line 2 of
/etc/apache2/mods-enabled/ssl.load: Cannot load
/usr/lib/apache2/modules/mod_ssl.so into server:
/usr/lib/apache2/modules/mod_ssl.so: symbol
SSL_CTX_set_post_handshake_auth, version OPENSSL_1_1_1 not defined in
file libssl.so.1.1 with link time reference
If I disable ssl from apache2 I can successfully start the service.
I tried to reinstall apache2 & openssl, it doesn't get any better.
Solved
Found the problem:
The OpenSSL version I was using was the wrong one. I compiled OpenSSL 1.1.1-pre7 several months ago to fit some security requirements. Apparently the upgrade didn't update OpenSSL to the good version (OpenSSL 1.1.1 11 Sep 2018).
The following steps made the correction:
~# sudo a2dismod ssl
~# sudo apt-get purge openssl
~/openssl-1.1.1-pre7# make uninstall  # Uninstall the version I built
~# sudo apt-get install openssl
~# sudo a2enmod ssl
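
A diagnostic for the failure described in this thread, as an added example that is not part of the original posts: it parses ldd output to show whether mod_ssl is bound to a libssl/libcrypto outside the distro library directories (as with a self-built OpenSSL in /usr/local/lib reached through LD_LIBRARY_PATH), and checks whether a library exports a given symbol. The function names and the sample ldd output are constructed for illustration.

```shell
#!/bin/sh
# Added example: which libssl/libcrypto is a module actually bound to?

# Reads `ldd` output on stdin. Prints "<soname> <path>" for each
# libssl/libcrypto that resolves outside the distro library directories
# (/lib, /usr/lib and their 32/64 variants), or "<soname> not-found".
shadowed_openssl() {
    awk '$2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ {
        if ($3 == "not")                           print $1, "not-found"
        else if ($3 !~ /^\/(usr\/)?lib(32|64)?\//) print $1, $3
    }'
}

# True if shared library $1 exports dynamic symbol $2 (needs binutils nm).
exports_symbol() {
    nm -D --defined-only "$1" 2>/dev/null | awk -v s="$2" '
        { sub(/@.*/, "", $NF); if ($NF == s) found = 1 }
        END { exit !found }'
}

# Constructed sample of `ldd mod_ssl.so` output for a host in the state
# described above (self-built OpenSSL shadowing the packaged one).
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffc0a5f2000)
    libssl.so.1.1 => /usr/local/lib/libssl.so.1.1 (0x00007f3b1c000000)
    libcrypto.so.1.1 => /usr/local/lib/libcrypto.so.1.1 (0x00007f3b1bc00000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f3b1ba00000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3b1b600000)'

# Module path as it appears in the error message; override with $1.
MOD=${1:-/usr/lib/apache2/modules/mod_ssl.so}
if [ -f "$MOD" ] && command -v ldd >/dev/null 2>&1; then
    ldd "$MOD" | shadowed_openssl          # live check on this host
else
    printf '%s\n' "$SAMPLE_LDD" | shadowed_openssl   # fall back to the sample
fi
```

Any line printed means Apache is loading an OpenSSL that the package manager does not maintain; running exports_symbol on that path with SSL_CTX_set_post_handshake_auth shows whether it has the symbol mod_ssl was linked against.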

Apache configure gives error invalid variable name: `with-ssl'

I need Apache2.4 with ssl.
The AWS RHEL server I am using already has Apache 2.2 and OpenSSL 0.9 installed. I configured my Apache, apr, apr-util and pcre packages at /opt/products/apache2. Everything is fine except that the option
--enable-ssl
fails due to a dependency failure (openssl > 0.9.8a). No problem. I downloaded openssl 1.0.2a from open ssl and configured and installed it at /opt/openssl without problem.
Now I need to configure Apache with
--enable-ssl --with-ssl=/opt/openssl
but the configure command returns the error
"invalid variable name 'with-ssl'".
configure -help shows that with-ssl is an option.
Is this a bug or something? I don't find any reference on the internet.
Just wanted to update for anyone looking at this later.
Installing all the prerequisites before configuring Apache solves the problem of Apache giving the version error. So this command before the Apache configuration solved the problem:
yum install gcc libxml2-devel gcc-c++ libicu-devel libxslt-devel bzip2 bzip2-devel libjpeg-devel libpng libpng-devel freetype freetype-devel curl curl-devel t1lib-devel unixODBC-devel openssl-devel openssl
and I did not have to install openssl separately.

debian uwsgi not built with ssl support

I recently installed uwsgi 2.0.3 on Debian via aptitude.
Now I am trying to run the default websocket example, but the log tells me:
you need to build uWSGI with SSL support to use the websocket handshake api function !!!
[uwsgi-perl error] unable to complete websocket handshake at ...
I am a bit puzzled, since I cannot find an ssl-plugin and I can't see any options to turn SSL support on or off. I really want to stick with aptitude; installing uwsgi manually is not preferred, and besides, I have no clue how to enable it manually either.
Does anyone know how to enable uwsgi SSL support in Debian the aptitude way?
By the way, I also removed uwsgi with aptitude remove --purge uwsgi, installed libssl-dev and reinstalled uwsgi, but without luck :(
You must compile uwsgi yourself if you want SSL support. Debian hasn't packaged a version of uwsgi with SSL support. I know, it's annoying for updates ... but you have no choice.
You just need to run apt-get install build-essential python python-dev libssl-dev, then python uwsgiconfig.py ...