Reputation: 554
I have a working OpenSSL RSA engine (i.e. a .so file) and an Apache server configured in SSL mode.
How can I make Apache use the RSA implementation from my RSA engine? In other words: where do I put the engine (.so file), how do I modify the openssl.cnf file and how do I build Apache?
Upvotes: 1
Views: 10162
Reputation: 554
Steps that worked for me:
1. Install OpenSSL from sources, specifying -DOPENSSL_LOAD_CONF when running ./config
1.1. Create/build your OpenSSL engine and add it to your openssl.cnf file
2. Install httpd from sources, using these commands:
CFLAGS='-DSSL_EXPERIMENTAL_ENGINE -DSSL_ENGINE -DOPENSSL_LOAD_CONF' ./configure --enable-ssl --with-ssl=/usr/local/ssl --with-pcre=/usr/local/pcre --enable-so
make
make install
2.1. Edit httpd-ssl.conf by adding SSLCryptoDevice engine_id and make sure that when you execute $ openssl engine, the engine_id specifier appears on the list. Also, you have to create a self-signed certificate and private key and modify the httpd.conf file, but this is not the subject of this question. Search: how to configure HTTPS on Apache.
3. $ httpd -k restart
and that is all.
EDIT
The location of the .so file (OpenSSL ENGINE) must be specified in openssl.cnf.
Upvotes: 0
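The engine stanza in openssl.cnf and its link to SSLCryptoDevice, described in the answer above, can be checked before restarting httpd. This is an added example, not code from the answer: the engine id `myrsa`, the section names, the file paths and the helper function names are all assumptions, and the check assumes openssl.cnf holds a single engine stanza.

```shell
# Added example: constructed sample config; "myrsa" and all paths are placeholders.
# Write a minimal openssl.cnf engine stanza to $1, loading the shared object $2.
write_sample_cnf() {
    cat > "$1" <<EOF
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
myrsa = myrsa_section

[myrsa_section]
engine_id = myrsa
dynamic_path = $2
default_algorithms = RSA
init = 1
EOF
}

# Print the value of the first "key = value" line for key $2 in file $1.
cnf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# Print the engine id named by an active SSLCryptoDevice line in Apache config $1.
apache_engine_id() {
    awk 'tolower($1) == "sslcryptodevice" { print $2; exit }' "$1"
}

# check_engine_config OPENSSL_CNF HTTPD_SSL_CONF
# Returns 0 if consistent, 1 on id mismatch, 2 if the .so is missing,
# 3 if no SSLCryptoDevice directive is present.
check_engine_config() {
    want=$(apache_engine_id "$2")
    [ -n "$want" ] || { echo "no SSLCryptoDevice in $2" >&2; return 3; }
    have=$(cnf_value "$1" engine_id)
    [ "$want" = "$have" ] || { echo "SSLCryptoDevice '$want' != engine_id '$have'" >&2; return 1; }
    so=$(cnf_value "$1" dynamic_path)
    [ -f "$so" ] || { echo "dynamic_path '$so' not found" >&2; return 2; }
    return 0
}
```

This is a static consistency check only; running `openssl engine` as the answer describes is still what confirms the engine actually loads.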
Reputation: 46070
For a start I don't fully understand your question. I presume you mean you've a version of OpenSSL installed on your system that Apache is using and you want to use a different (presumably later version) that you've also downloaded and installed?
It really depends which platform (Windows or Linux), how you installed Apache (pre-installed on system, through a package manager like yum or apt-get, or manually installed from source).
Prebuilt packages like those in Windows installs and package managers tend to use the system default SSL library and aren't the easiest to change (though I'm not familiar enough with them all to be honest).
So the easiest way to do this is to install Apache from source code rather than from a prebuilt package.
You normally need to set this at compile time, after downloading the source, using the --with-ssl option to configure before using make to build your code:
./configure --with-ssl=/usr/local/ssl --enable-ssl --enable-so
If you've not installed from source before then this can be a bit intimidating. I've given detailed instructions on a blog post here on HTTP2 on how to download and install the latest OpenSSL and Apache from source on Linux: https://www.tunetheweb.com/performance/http2/ but there may be better options on your specific platform.
Upvotes: 2