0
2

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

OpenSSL 1.0.2u の mod_ssl.so を作る (httpd-2.2.15)

Last updated at Posted at 2020-08-13

CentOS 6 の mod_ssl はココ

curl テスト

XPの暗号スイートで接続できるかのテスト
curl \
 -v \
 --insecure \
 --tlsv1 --ciphers rsa_3des_sha \
 --cert ./guest-client.cer \
 --key ./guest-client.key \
 --cacert ./ca-root.cer  \
 "https://192.168.100.11"
  • ダメな場合以下
* About to connect() to 192.168.100.11 port 443 (#0)
*   Trying 192.168.100.11... connected
* Connected to 192.168.100.11 (192.168.100.11) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* NSS: client certificate from file
* 	subject: E=xxxxxxxxx@xxxxxxx,CN=xxx.xxxx.jp,OU=xxxxx,O=1000000001,O=example.com,ST=Tokyo,C=JP
* 	start date: 11月 30 23:43:16 2015 GMT
* 	expire date: 11月 25 23:43:16 2033 GMT
* 	common name: xxx@xxxx.jp
* 	issuer: E=xxxxxxxx@xxxxxxxx.jp,CN=example.com,OU=xxxxxxxxxx,O=xxxxxxxxxx,ST=xxxxx,C=JP
* NSS error -12192
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error

mod_ssl 1.0.2 のビルド

openssl-1.0.2u.tar.gz のビルド

wget "https://ftp.openssl.org/source/old/1.0.2/openssl-1.0.2u.tar.gz"
tar xzf ~/openssl-1.0.2u.tar.gz
cd openssl-1.0.2u

# 他のオプション: enable-md2 enable-rc5 sctp zlib -fPIC

./config \
 shared enable-ssl2 enable-ssl3 enable-md2 \
 --prefix=/opt/openssl-1.0.2u

make -s
make install

httpd から mod_ssl.so をビルド

wget "http://vault.centos.org/6.10/os/Source/SPackages/httpd-2.2.15-69.el6.centos.src.rpm"
yum install -y rpm-build
yum install -y \
 apr-devel apr-util-devel pcre-devel autoconf zlib-devel libselinux-devel openssl-devel

cd /opt
tar xzf  /root/rpmbuild/SOURCES/httpd-2.2.15.tar.gz

./configure --prefix=/opt/httpd-2.2.15 \
 --enable-ssl --with-ssl=/opt/openssl-1.0.2u \
 --enable-mpms-shared=all --enable-mods-shared=all

make -s
make install

# /opt/httpd-2.2.15/modules/mod_ssl.so
  • /etc/ld.so.conf.d/opt-openssl-1.0.2.conf
/opt/openssl-1.0.2u/lib

ldconfig

/etc/init.d/httpd restart
  • ログに以下出力を確認
/var/log/httpd/default/error_log
Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/1.0.2u configured -- resuming normal operations
  • Windows 7 (SP1 IE8で確認)のみ以下のようにTLSv1指定を明示的にしないと表示できなかった。
    • (xp, 10では問題ない。)
SSLProtocol TLSv1

SSLChiperSuite

IE8対応
SSLCipherSuite ALL:!aNULL:!EXP:!MD5:!RC4:!LOW:+HIGH:+MEDIUM
個別指定
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

CentOS6 の openssl-1.0.1e を src.rpm でリビルドする場合

(以下は間違いかも。httpd-2.2.15のspec内でmod_sslをビルド出来ます。)

  • openssl.spec

を編集して Configure オプションを渡す場合、以下に追記

キャプチャ.PNG

rpmbuild -ba /root/rpmbuild/SPECS/openssl.spec
0
2
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
0
2

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?