CentOS 6 mod_ssl is here
- http://mirror.centos.org/centos/6/os/x86_64/Packages/mod_ssl-2.2.15-69.el6.centos.x86_64.rpm
- /usr/lib64/httpd/modules/mod_ssl.so
curl test
Test whether a connection can be made with an XP cipher suite:
curl \
  -v \
  --insecure \
  --tlsv1 --ciphers rsa_3des_sha \
  --cert ./guest-client.cer \
  --key ./guest-client.key \
  --cacert ./ca-root.cer \
  "https://192.168.100.11"
- Output when it fails:
* About to connect() to 192.168.100.11 port 443 (#0)
* Trying 192.168.100.11... connected
* Connected to 192.168.100.11 (192.168.100.11) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* NSS: client certificate from file
* subject: E=xxxxxxxxx@xxxxxxx,CN=xxx.xxxx.jp,OU=xxxxx,O=1000000001,O=example.com,ST=Tokyo,C=JP
* start date: 11月 30 23:43:16 2015 GMT
* expire date: 11月 25 23:43:16 2033 GMT
* common name: xxx@xxxx.jp
* issuer: E=xxxxxxxx@xxxxxxxx.jp,CN=example.com,OU=xxxxxxxxxx,O=xxxxxxxxxx,ST=xxxxx,C=JP
* NSS error -12192
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error
Building mod_ssl against OpenSSL 1.0.2
Building openssl-1.0.2u.tar.gz
wget "https://ftp.openssl.org/source/old/1.0.2/openssl-1.0.2u.tar.gz"
tar xzf ~/openssl-1.0.2u.tar.gz
cd openssl-1.0.2u
# other options: enable-md2 enable-rc5 sctp zlib -fPIC
./config \
  shared enable-ssl2 enable-ssl3 enable-md2 \
  --prefix=/opt/openssl-1.0.2u
make -s
make install
Building mod_ssl.so from the httpd source
wget "http://vault.centos.org/6.10/os/Source/SPackages/httpd-2.2.15-69.el6.centos.src.rpm"
yum install -y rpm-build
yum install -y \
  apr-devel apr-util-devel pcre-devel autoconf zlib-devel libselinux-devel openssl-devel
# unpack the src.rpm so that the httpd tarball lands in /root/rpmbuild/SOURCES
rpm -ivh httpd-2.2.15-69.el6.centos.src.rpm
cd /opt
tar xzf /root/rpmbuild/SOURCES/httpd-2.2.15.tar.gz
cd httpd-2.2.15
./configure --prefix=/opt/httpd-2.2.15 \
  --enable-ssl --with-ssl=/opt/openssl-1.0.2u \
  --enable-mpms-shared=all --enable-mods-shared=all
make -s
make install
# result: /opt/httpd-2.2.15/modules/mod_ssl.so
- Put the library path in /etc/ld.so.conf.d/opt-openssl-1.0.2.conf:
  /opt/openssl-1.0.2u/lib
ldconfig
/etc/init.d/httpd restart
- Confirm the following line in the log
/var/log/httpd/default/error_log
Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/1.0.2u configured -- resuming normal operations
- Only on Windows 7 (confirmed with SP1, IE8) did the page fail to display unless TLSv1 was specified explicitly as below.
- (No problem on XP and 10.)
SSLProtocol TLSv1
SSLCipherSuite
For IE8
SSLCipherSuite ALL:!aNULL:!EXP:!MD5:!RC4:!LOW:+HIGH:+MEDIUM
Explicit list
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
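As an added example (not from the original note), the curl test and the SSLCipherSuite settings above can be checked together with the following Python script: it makes one handshake as an XP-era client (TLSv1 with DES-CBC3-SHA, the OpenSSL name for curl's rsa_3des_sha) and one as a modern client, then reports whether the legacy client still connects and whether modern clients get a forward-secret suite. Host, port and the client certificate paths are the placeholders from the curl command.

```python
import socket
import ssl

# curl/NSS cipher names (as used with --ciphers above) -> OpenSSL names.
NSS_TO_OPENSSL = {
    "rsa_3des_sha": "DES-CBC3-SHA",
    "rsa_aes_128_sha": "AES128-SHA",
    "rsa_aes_256_sha": "AES256-SHA",
}


def probe(host, port, ciphers, min_version=ssl.TLSVersion.TLSv1,
          certfile=None, keyfile=None, timeout=5.0):
    """Handshake with one OpenSSL cipher string; return (cipher, protocol, bits) or None."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE           # equivalent of curl --insecure
    ctx.minimum_version = min_version
    # @SECLEVEL=0 lets a modern client-side OpenSSL offer the legacy suites at all.
    ctx.set_ciphers(ciphers + ":@SECLEVEL=0")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)  # curl --cert / --key
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()
    except (ssl.SSLError, OSError):
        return None


def verdict(legacy, modern):
    """legacy: probe() result for the XP-style client, modern: for a current client."""
    return {
        "legacy_client_ok": legacy is not None and legacy[0] == "DES-CBC3-SHA",
        "legacy_protocol": legacy[1] if legacy else None,
        # TLS 1.3 suites are always forward secret; for TLS <= 1.2 look for (EC)DHE.
        "modern_has_pfs": modern is not None
        and (modern[1] == "TLSv1.3" or modern[0].startswith(("ECDHE-", "DHE-"))),
    }


if __name__ == "__main__":
    HOST, PORT = "192.168.100.11", 443    # placeholder target from the curl test
    legacy = probe(HOST, PORT, NSS_TO_OPENSSL["rsa_3des_sha"],
                   certfile="./guest-client.cer", keyfile="./guest-client.key")
    modern = probe(HOST, PORT, "ECDHE+AESGCM:DHE+AESGCM", ssl.TLSVersion.TLSv1_2)
    print(verdict(legacy, modern))
```

A result of legacy_client_ok False with the NSS error -12192 shown above means the server-side mod_ssl still lacks the 3DES suite; modern_has_pfs False means the explicit list is not being applied.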
Rebuilding CentOS 6 openssl-1.0.1e from the src.rpm
(The following may be wrong; mod_ssl can be built inside the httpd-2.2.15 spec.)
- openssl.spec
  When editing it to pass Configure options, append the following
rpmbuild -ba /root/rpmbuild/SPECS/openssl.spec