我已经使用 OpenSSL 1.0.2 成功构建了 Apache 2.4.25。
但是由于我们在内部测试中发现了一些安全漏洞,我被要求使用最新版本修补 Openssl。我也是尝试使用 OpenSSL 1.1.0c(或)1.1.0d 构建 Apache httpd 2.4.25
我的环境
lsb_release -a
Distributor ID: RedHatEnterpriseServer
Description: Red Hat Enterprise Linux Server release 5.11 (Tikanga)
Release: 5.11
Codename: Tikanga
Perl: 5.24
PCRE: 8.38
APR: 1.5.2
APR-util: 1.5.4
OpenSSL: 1.1.0c / 1.1.0d
以上所有 Apache 依赖项均已成功构建并安装
Apache 2.4.25 - 安装步骤
cd /my/softwares
tar -xvf httpd-2.4.25.tar -C /my/build/
cd /my/build/httpd-2.4.25/
./configure --prefix=/my/apache-httpd-2.4.25 \
--with-pcre=/my/dependencies/pcre-8.38/ \
--with-apr=/my/dependencies/apr-1.5.2 \
--with-apr-util=/my/dependencies/apr-util-1.5.4 \
--enable-ssl \
--with-ssl=/usr/local/ssl-1.1.0c \
--enable-ssl-staticlib-deps \
--enable-mods-static=ssl
make // see below errors
make install
使用开放 ssl 从源代码构建 Apache 时,出现以下错误。请帮助我朝正确的方向前进。
ssl_engine_init.c: In function 'make_dh_params':
ssl_engine_init.c:61: error: dereferencing pointer to incomplete type
ssl_engine_init.c:62: error: dereferencing pointer to incomplete type
ssl_engine_init.c:63: error: dereferencing pointer to incomplete type
ssl_engine_init.c:63: error: dereferencing pointer to incomplete type
ssl_engine_init.c: In function 'ssl_init_ctx_protocol':
ssl_engine_init.c:519: warning: 'TLSv1_client_method' is deprecated (declared at /usr/local/ssl-1.1.0c/include/openssl/ssl.h:1598)
ssl_engine_init.c:520: warning: 'TLSv1_server_method' is deprecated (declared at /usr/local/ssl-1.1.0c/include/openssl/ssl.h:1597)
ssl_engine_init.c:525: warning: 'TLSv1_1_client_method' is deprecated (declared at /usr/local/ssl-1.1.0c/include/openssl/ssl.h:1604)
ssl_engine_init.c:526: warning: 'TLSv1_1_server_method' is deprecated (declared at /usr/local/ssl-1.1.0c/include/openssl/ssl.h:1603)
ssl_engine_init.c:530: warning: 'TLSv1_2_client_method' is deprecated (declared at /usr/local/ssl-1.1.0c/include/openssl/ssl.h:1610)
ssl_engine_init.c:531: warning: 'TLSv1_2_server_method' is deprecated (declared at /usr/local/ssl-1.1.0c/include/openssl/ssl.h:1609)
ssl_engine_init.c: In function 'ssl_init_ctx_session_cache':
ssl_engine_init.c:641: warning: passing argument 2 of 'SSL_CTX_sess_set_get_cb' from incompatible pointer type
ssl_engine_init.c: In function 'use_certificate_chain':
ssl_engine_init.c:861: warning: implicit declaration of function 'BIO_s_file_internal'
ssl_engine_init.c:861: warning: passing argument 1 of 'BIO_new' makes pointer from integer without a cast
ssl_engine_init.c: In function 'ssl_init_server_certs':
ssl_engine_init.c:1201: error: dereferencing pointer to incomplete type
make[3]: *** [ssl_engine_init.lo] Error 1
make[3]: Leaving directory `/my/build/httpd-2.4.25/modules/ssl'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/my/build/httpd-2.4.25/modules/ssl'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/my/build/httpd-2.4.25/modules'
make: *** [all-recursive] Error 1
答案1
为什么需要使用静态链接的 ssl 库构建 Apache?在我看来,这是一个相当糟糕的主意。使用动态链接库,您只需在需要时升级 ssl 即可。对于静态的,每次 ssl 打补丁时,你都需要重新编译 apache
答案2
来自一位网友的评论
”截至目前,最新版本的 Apache HTTPD 2.4.25 2.4 分支尚不兼容 Openssl 1.1.x,因此必须坚持使用最新的 1.0.2x 并及时了解最新的安全问题。”
”没有官方声明,自从 OpenSSL 1.1.x “昨天”变得稳定以来,还没有时间和时间来适应它的 2.4 分支,所有这些你可以主要在开发者和用户 httpd 邮件列表中阅读”