Bug 55834

Summary: Apache does not honor the openssl library path given by --with-ssl during compile
Product: Apache httpd-2
Reporter: Igor Cicimov <icicimov>
Component: Build
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Severity: major
Keywords: MassUpdate
Priority: P2
Version: 2.2.26
Target Milestone: ---
Hardware: PC
OS: Linux

Description Igor Cicimov 2013-12-02 01:43:05 UTC
Hi all,

I've been trying to compile apache2.2.26 on two separate CentOS boxes, one with CentOS-5.6 and one with CentOS-5.10 final. The compile process failed on both of them with the following error message at the point of compiling the apache tools:

/home/igorc/httpd-2.2.26/srclib/apr/libtool --silent --mode=link gcc -g -O2 -pthread     -L/usr/lib64  -L/opt/openssl/lib -o ab  ab.lo   -lm /home/igorc/httpd-2.2.26/srclib/pcre/libpcre.la /home/igorc/httpd-2.2.26/srclib/apr-util/libaprutil-1.la -lexpat /home/igorc/httpd-2.2.26/srclib/apr/libapr-1.la -luuid -lrt -lcrypt -lpthread -ldl -lssl -lcrypto
.libs/ab.o: In function `main':
/home/igorc/httpd-2.2.26/support/ab.c:2241: undefined reference to `TLSv1_2_client_method'
/home/igorc/httpd-2.2.26/support/ab.c:2239: undefined reference to `TLSv1_1_client_method'
collect2: ld returned 1 exit status
make[2]: *** [ab] Error 1
make[2]: Leaving directory `/home/igorc/httpd-2.2.26/support'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/igorc/httpd-2.2.26/support'
make: *** [all-recursive] Error 1

The exact config command I used is as follows:

./configure LDFLAGS="-L/opt/openssl/lib" --prefix=/usr/local/apache2-2.2.26 --with-mpm=worker --with-included-apr --enable-info --enable-proxy --enable-proxy-connect --enable-proxy-ftp --enable-proxy-http --enable-proxy-balancer --enable-rewrite --enable-headers --enable-cache --enable-mem-cache --enable-disk-cache --enable-expires --enable-dav --enable-deflate --enable-ssl --with-ssl=/opt/openssl --with-ldap=ldap --with-ldap-lib=/usr/lib64 --with-ldap-include=/usr/include --enable-ldap --enable-authnz-ldap --enable-mods-shared="all ldap authnz_ldap proxy proxy-http proxy-ftp proxy-balancer deflate info rewrite headers expires authn_alias cache mem_cache disk_cache file_cache charset_lite dav dav_lock ssl"

pointing apache compiler to the appropriate custom install of openssl-1.0.1e libraries under /opt/openssl. The config used for openssl compile was:

./Configure --prefix=/opt/openssl enable-tlsext linux-x86_64 threads zlib enable-idea enable-rc5 enable-mdc2 enable-ec enable-ecdh enable-ecdsa shared

$ ls -lR /opt/openssl/lib/
total 7060
drwxr-xr-x 2 root root    4096 Dec  2 12:00 engines
-rw-r--r-- 1 root root 3858364 Dec  2 12:00 libcrypto.a
lrwxrwxrwx 1 root root      18 Dec  2 12:00 libcrypto.so -> libcrypto.so.1.0.0
-r-xr-xr-x 1 root root 2145661 Dec  2 12:00 libcrypto.so.1.0.0
-rw-r--r-- 1 root root  729410 Dec  2 12:00 libssl.a
lrwxrwxrwx 1 root root      15 Dec  2 12:00 libssl.so -> libssl.so.1.0.0
-r-xr-xr-x 1 root root  463549 Dec  2 12:00 libssl.so.1.0.0
drwxr-xr-x 2 root root    4096 Dec  2 12:00 pkgconfig

total 352
-r-xr-xr-x 1 root root  23714 Dec  2 12:00 lib4758cca.so
-r-xr-xr-x 1 root root  25611 Dec  2 12:00 libaep.so
-r-xr-xr-x 1 root root  18601 Dec  2 12:00 libatalla.so
-r-xr-xr-x 1 root root   5866 Dec  2 12:00 libcapi.so
-r-xr-xr-x 1 root root  32035 Dec  2 12:00 libchil.so
-r-xr-xr-x 1 root root  26300 Dec  2 12:00 libcswift.so
-r-xr-xr-x 1 root root   5865 Dec  2 12:00 libgmp.so
-r-xr-xr-x 1 root root 115028 Dec  2 12:00 libgost.so
-r-xr-xr-x 1 root root  16168 Dec  2 12:00 libnuron.so
-r-xr-xr-x 1 root root   5869 Dec  2 12:00 libpadlock.so
-r-xr-xr-x 1 root root  31966 Dec  2 12:00 libsureware.so
-r-xr-xr-x 1 root root  26114 Dec  2 12:00 libubsec.so

total 12
-rw-r--r-- 1 root root 266 Dec  2 12:00 libcrypto.pc
-rw-r--r-- 1 root root 281 Dec  2 12:00 libssl.pc
-rw-r--r-- 1 root root 291 Dec  2 12:00 openssl.pc

$ /opt/openssl/bin/openssl version
OpenSSL 1.0.1e 11 Feb 2013

In addition to this, I have set my $PATH and $LD_LIBRARY_PATH to point to this location as well, in the shell terminal I ran the compile from:

$ export PATH=/opt/openssl/bin:$PATH
$ export LD_LIBRARY_PATH=/opt/openssl/lib:$LD_LIBRARY_PATH

and on top of that I've put /opt/openssl/lib in /etc/ld.so.conf file and ran ldconfig.

My guess is that the problem is that during compile time the order of the libraries as given just before the error, "-L/usr/lib64  -L/opt/openssl/lib", makes the compiler pick up the wrong version of openssl.

My understanding is that apache should look for ssl libraries only in the path given by the "--with-ssl" switch, but that is not the case here.

# lsb_release -a
LSB Version:	:core-4.0-amd64:core-4.0-ia32:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-ia32:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-ia32:printing-4.0-noarch
Distributor ID:	CentOS
Description:	CentOS release 5.6 (Final)
Release:	5.6
Codename:	Final

# gcc -v
Using built-in specs.
Target: x86_64-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --enable-checking=release --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-libgcj-multifile --enable-languages=c,c++,objc,obj-c++,java,fortran,ada --enable-java-awt=gtk --disable-dssi --disable-plugin --with-java-home=/usr/lib/jvm/java-1.4.2-gcj- --with-cpu=generic --host=x86_64-redhat-linux
Thread model: posix
gcc version 4.1.2 20080704 (Red Hat 4.1.2-50)

Please let me know if any more info is needed.
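
The link-order hypothesis in the description above can be checked directly. The following is an added example, not part of the original report or of httpd's build system: it walks the -L directories of a link line left to right, finds the first libssl the linker would use, and checks whether that library defines the symbol the build failed on. The function names first_lib, exports_symbol and check_link are hypothetical, and it assumes GNU ld search rules and binutils nm.

```shell
#!/bin/sh
# Added example, not from the bug report. Emulates GNU ld's left-to-right
# -L search for one -l<name>; default system dirs and libtool .la
# dependency paths are not modelled (assumption: plain -L/dir arguments).
# first_lib NAME LINK_ARGS...
# Print the first lib<NAME>.so or lib<NAME>.a found on the -L path.
first_lib() {
    name=$1; shift
    for arg in "$@"; do
        case $arg in
            -L?*)
                dir=${arg#-L}
                for ext in so a; do    # per directory, .so is preferred over .a
                    if [ -e "$dir/lib$name.$ext" ]; then
                        printf '%s\n' "$dir/lib$name.$ext"
                        return 0
                    fi
                done ;;
        esac
    done
    return 1
}

# exports_symbol LIB SYMBOL
# Succeed if LIB defines SYMBOL (requires binutils nm).
exports_symbol() {
    case $1 in
        *.so|*.so.*) nm -D --defined-only "$1" ;;
        *)           nm --defined-only "$1" ;;
    esac 2>/dev/null |
        awk -v s="$2" '{ n = $NF; sub(/@.*/, "", n); if (n == s) f = 1 }
                       END { exit !f }'
}

# check_link SYMBOL NAME LINK_ARGS...
# Return 0 if the library the linker would pick defines SYMBOL,
# 1 if it does not, 2 if no lib<NAME> is found on the -L path.
check_link() {
    sym=$1; lname=$2; shift 2
    lib=$(first_lib "$lname" "$@") || { echo "no lib$lname on -L path"; return 2; }
    if exports_symbol "$lib" "$sym"; then
        echo "OK: $lib defines $sym"
    else
        echo "MISMATCH: $lib is found first but lacks $sym"; return 1
    fi
}

# With the flags from the failing link line in the report:
# check_link TLSv1_2_client_method ssl -L/usr/lib64 -L/opt/openssl/lib
```

A MISMATCH result means the headers and the library used at link time come from different OpenSSL versions, so the resulting binaries would not get the TLS 1.1/1.2 support of the newer install even if the link were forced to succeed.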

Comment 1 Igor Cicimov 2013-12-02 02:04:37 UTC
$ libtool --version
ltmain.sh (GNU libtool) 1.5.22 (1.1220.2.365 2005/12/18 22:14:06)

Copyright (C) 2005  Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO

Comment 2 Igor Cicimov 2013-12-02 04:27:29 UTC
Ok, the problem was obviously with apache apr/libtool which probably comes with some hard-coded library paths in libtool.

The solution: omit the "--with-included-apr" from your configure options to bypass the apache apr and use the system provided one. After that apache builds and installs fine.

Additionally, you need to include the openssl library path into $LD_LIBRARY_PATH of the user that is starting apache so for me I put:

export LD_LIBRARY_PATH=/opt/openssl/lib:$LD_LIBRARY_PATH

in the /root/.bashrc for the root user.

Just as confirmation, here it is up and running:

[Mon Dec 02 15:08:27 2013] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Mon Dec 02 15:08:27 2013] [notice] Digest: generating secret for digest authentication ...
[Mon Dec 02 15:08:27 2013] [notice] Digest: done
[Mon Dec 02 15:08:28 2013] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Mon Dec 02 15:08:28 2013] [warn] pid file /usr/local/apache2-2.2.26/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[Mon Dec 02 15:08:28 2013] [notice] Apache/2.2.26 (Unix) DAV/2 mod_ssl/2.2.26 OpenSSL/1.0.1e configured -- resuming normal operations

Comment 3 William A. Rowe Jr. 2018-11-07 21:09:27 UTC
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd.

As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with.

Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.