
Building mod_ssl.so against OpenSSL 1.0.2u (httpd-2.2.15)

Posted at 2020-08-13

For the CentOS 6 mod_ssl, see here.

curl test

Test whether a connection can be made with the XP cipher suite:
curl \
 -v \
 --insecure \
 --tlsv1 --ciphers rsa_3des_sha \
 --cert ./guest-client.cer \
 --key ./guest-client.key \
 --cacert ./ca-root.cer  \
 "https://192.168.100.11"
  • If it fails, the output looks like this:
* About to connect() to 192.168.100.11 port 443 (#0)
*   Trying 192.168.100.11... connected
* Connected to 192.168.100.11 (192.168.100.11) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* NSS: client certificate from file
*   subject: E=xxxxxxxxx@xxxxxxx,CN=xxx.xxxx.jp,OU=xxxxx,O=1000000001,O=example.com,ST=Tokyo,C=JP
*   start date: 11月 30 23:43:16 2015 GMT
*   expire date: 11月 25 23:43:16 2033 GMT
*   common name: xxx@xxxx.jp
*   issuer: E=xxxxxxxx@xxxxxxxx.jp,CN=example.com,OU=xxxxxxxxxx,O=xxxxxxxxxx,ST=xxxxx,C=JP
* NSS error -12192
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error

Building mod_ssl against OpenSSL 1.0.2

Building openssl-1.0.2u.tar.gz

wget "https://ftp.openssl.org/source/old/1.0.2/openssl-1.0.2u.tar.gz"
tar xzf ~/openssl-1.0.2u.tar.gz
cd openssl-1.0.2u

# other options: enable-md2 enable-rc5 sctp zlib -fPIC

./config \
 shared enable-ssl2 enable-ssl3 enable-md2 \
 --prefix=/opt/openssl-1.0.2u

make -s
make install

Building mod_ssl.so from the httpd sources

wget "http://vault.centos.org/6.10/os/Source/SPackages/httpd-2.2.15-69.el6.centos.src.rpm"
yum install -y rpm-build
yum install -y \
 apr-devel apr-util-devel pcre-devel autoconf zlib-devel libselinux-devel openssl-devel

# installing the src.rpm unpacks its sources into /root/rpmbuild/SOURCES
rpm -ivh httpd-2.2.15-69.el6.centos.src.rpm

cd /opt
tar xzf /root/rpmbuild/SOURCES/httpd-2.2.15.tar.gz
cd httpd-2.2.15

./configure --prefix=/opt/httpd-2.2.15 \
 --enable-ssl --with-ssl=/opt/openssl-1.0.2u \
 --enable-mpms-shared=all --enable-mods-shared=all

make -s
make install

# result: /opt/httpd-2.2.15/modules/mod_ssl.so
  • /etc/ld.so.conf.d/opt-openssl-1.0.2.conf (contents):
/opt/openssl-1.0.2u/lib

ldconfig

/etc/init.d/httpd restart
  • Confirm that the following line appears in the log:
/var/log/httpd/default/error_log
Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/1.0.2u configured -- resuming normal operations
  • Only on Windows 7 (confirmed with SP1 / IE8) would the page not display unless TLSv1 was specified explicitly, as below.
    • (XP and Windows 10 had no problem.)
SSLProtocol TLSv1
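The following script is an added example and not part of the original post. It checks the two things worth confirming after make install and ldconfig: that the built mod_ssl.so resolves libssl/libcrypto from /opt/openssl-1.0.2u (the prefix used above) rather than from the distribution's own OpenSSL, and that the startup line in error_log names exactly OpenSSL/1.0.2u. The prefix and the good log line are the page's; the ldd samples and the "bad" log line are constructed.

```shell
#!/bin/sh
# Added example, not code from the original page: after "make install" and
# ldconfig, confirm that the new mod_ssl.so resolves libssl/libcrypto from the
# OpenSSL prefix it was built against (/opt/openssl-1.0.2u on the page) rather
# than from the distribution's own OpenSSL, and that httpd's startup line in
# error_log reports the expected OpenSSL version.

# libs_outside_prefix LDD_OUTPUT PREFIX
#   Prints every libssl/libcrypto line in LDD_OUTPUT whose resolved path is
#   not under PREFIX. Exit status 0 means all of them come from PREFIX.
libs_outside_prefix() {
    printf '%s\n' "$1" | awk -v prefix="$2" '
        /libssl\.so|libcrypto\.so/ {
            path = $3                      # "libssl.so.1.0.0 => /path (0x...)"
            if (index(path, prefix "/") != 1) { print; bad = 1 }
        }
        END { if (bad) exit 1; exit 0 }'
}

# check_module MODULE_PATH PREFIX
#   Runs ldd on a real file, e.g.
#   check_module /opt/httpd-2.2.15/modules/mod_ssl.so /opt/openssl-1.0.2u
check_module() {
    libs_outside_prefix "$(ldd "$1")" "$2"
}

# log_has_openssl LOGLINE VERSION
#   0 if an httpd startup line names exactly OpenSSL/VERSION (so asking for
#   1.0.2 does not silently match 1.0.2u or 1.0.2k).
log_has_openssl() {
    case "$1" in
        *"OpenSSL/$2 "*|*"OpenSSL/$2") return 0 ;;
    esac
    return 1
}

# check_error_log LOGFILE VERSION: scans a real error_log for a matching line.
check_error_log() {
    while IFS= read -r line; do
        log_has_openssl "$line" "$2" && return 0
    done < "$1"
    return 1
}

# Constructed ldd output for the two outcomes (sample data, not real captures).
GOOD_LDD='    libssl.so.1.0.0 => /opt/openssl-1.0.2u/lib/libssl.so.1.0.0 (0x00007f0000001000)
    libcrypto.so.1.0.0 => /opt/openssl-1.0.2u/lib/libcrypto.so.1.0.0 (0x00007f0000002000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000003000)'
BAD_LDD='    libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f0000001000)
    libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f0000002000)'

# Startup line from the page, and a constructed one for the system OpenSSL.
GOOD_LOG='Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/1.0.2u configured -- resuming normal operations'
BAD_LOG='Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations'
```

On the real host, check_module and check_error_log are the two calls to run; a non-zero status from check_module prints the offending library lines, which is the quickest way to notice that ld.so.conf.d was not applied or that the module was linked against the system openssl-devel headers and libraries instead of the prefix passed with --with-ssl.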

SSLCipherSuite

For IE8
SSLCipherSuite ALL:!aNULL:!EXP:!MD5:!RC4:!LOW:+HIGH:+MEDIUM
Explicit list
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
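The script below is an added example, not code from the original post. It audits the explicit SSLCipherSuite list above offline, counting how many entries are forward secret and flagging the 3DES suites that are present only for XP/IE8 clients, so the operator can see exactly which entries exist for legacy compatibility. The probe_suite helper is the openssl s_client counterpart of the curl test at the top of the page; the host, suite name and /opt/openssl-1.0.2u/bin/openssl path in its comment are taken from the page, and it is not run by the audit itself.

```shell
#!/bin/sh
# Added example, not code from the original page: an offline audit of an
# Apache SSLCipherSuite string. Each explicit suite name is classified by its
# OpenSSL name alone, so no openssl binary is needed. Keywords such as ALL,
# HIGH or MEDIUM (the IE8 list above) are not expanded; for those, run
# "openssl ciphers -v '<list>'" on the build host.

# The explicit list from the page, reproduced as the input under test.
PAGE_CIPHER_LIST='ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'

# is_legacy SUITE: 0 if the suite uses 3DES, single DES, RC4, MD5, export
# grades, NULL encryption, or anonymous key exchange.
is_legacy() {
    case "$1" in
        *DES-CBC3*|*DES-CBC-*|*RC4*|*MD5*|EXP-*|*NULL*|ADH-*|AECDH-*) return 0 ;;
    esac
    return 1
}

# is_forward_secret SUITE: 0 if the key exchange is ephemeral (ECDHE/DHE/EDH).
is_forward_secret() {
    case "$1" in
        ECDHE-*|DHE-*|EDH-*) return 0 ;;
    esac
    return 1
}

# audit_cipher_list LIST
#   Prints "TOTAL PFS NON_PFS LEGACY" on stdout; reports each legacy suite and
#   each unexpanded keyword on stderr. Exclusions (!X), ordering directives
#   (+X, -X) and @ options name no single suite and are skipped.
audit_cipher_list() {
    total=0; pfs=0; nonpfs=0; legacy=0
    old_ifs=$IFS
    IFS=':'
    set -- $1
    IFS=$old_ifs
    for suite in "$@"; do
        case "$suite" in
            ''|'!'*|'+'*|'-'*|'@'*) continue ;;
            *-*) ;;   # every real suite name contains a dash
            *) printf 'keyword not expanded: %s\n' "$suite" >&2; continue ;;
        esac
        total=$((total + 1))
        if is_forward_secret "$suite"; then
            pfs=$((pfs + 1))
        else
            nonpfs=$((nonpfs + 1))
        fi
        if is_legacy "$suite"; then
            legacy=$((legacy + 1))
            printf 'legacy suite (kept only for old clients): %s\n' "$suite" >&2
        fi
    done
    printf '%s %s %s %s\n' "$total" "$pfs" "$nonpfs" "$legacy"
}

# probe_suite HOST SUITE [OPENSSL_BIN]
#   The openssl s_client counterpart of the page's curl test: offer one suite
#   over TLS 1.0 and report whether the server selected it. A system OpenSSL
#   newer than 1.0.2 usually no longer offers 3DES or TLS 1.0 by default, so
#   pass the 1.0.2u binary built above, e.g.
#   probe_suite 192.168.100.11 DES-CBC3-SHA /opt/openssl-1.0.2u/bin/openssl
probe_suite() {
    printf '' | "${3:-openssl}" s_client -connect "$1:443" -cipher "$2" -tls1 2>&1 |
        grep -q "Cipher *: $2\$"
}
```

For the page's list the audit reports 30 suites, 23 of them forward secret and 4 of them 3DES (the three ephemeral DES-CBC3 entries and the plain DES-CBC3-SHA); once the XP/IE8 clients are gone those four are the entries to remove, and the seven non-PFS AES suites at the end are the next candidates.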

If rebuilding CentOS 6's openssl-1.0.1e from the src.rpm instead

  • To pass Configure options, edit openssl.spec and append the following:

[screenshot: キャプチャ.PNG; the openssl.spec edit shown in the image is not available as text]

rpmbuild -ba /root/rpmbuild/SPECS/openssl.spec