Apache – Custom OpenSSL engine when running within Apache via mod_ssl

apache-httpdopenssl

I modified my openssl.cnf to specify a custom engine for some operations. It works fine if I go through the openssl binary directly, but if I load libssl from another program it doesn't seem to use that configuration file at all, so my engine isn't available. I ultimately want the engine to be usable from Apache via mod_ssl. I think I can use the SSLCryptoDevice Apache configuration directive to specify which engine to use, but since it's not reading my OpenSSL configuration, it's not loading my custom engine, so it's not available for use. Is there some way to tell OpenSSL (either directly or, probably, through Apache) to load my engine?

Best Answer

Figured it out. If you build mod_ssl with -DOPENSSL_LOAD_CONF, it will load the configuration file the same as the openssl binary (I assume the binary is built with the same flag)

Related Solutions

How to Get TLSv1.2 Support in Apache on RHEL6/CentOS/SL6

I've written a quick guide on backporting the OpenSSL 1.0.1 RPM from Fedora Core to support RHEL6 and variants by replacing the bundled 1.0.0 version to add TLSv1.2 and ECC support. Built and tested against CentOS 6.4 in September of 2013:

Guide to OpenSSL 1.0.1 RPM for CentOS 6

Please note: That's the place where I keep my own copy of OpenSSL and OpenSSH up-to-date. Improvements in CentOS 6.5 have largely mitigated the demand for TLS1.2 and flaws like Heartbleed are addressed there, while this answer will forever be stuck in 2013. Don't follow the steps below verbatim, it is imperative you run 1.0.1g or newer.

Now with github: github/ptudor/centos6-openssl

I've made a patch available that I will reference in this guide: openssl-spec-patricktudor-latest.diff

First, prepare your build environment. (If you've installed EPEL, use mock. Keeping it simple here...)

yum -y groupinstall "Development tools" 
yum -y install rpm-build zlib-devel krb5-devel
mkdir -p $HOME/redhat/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
echo "%_topdir $HOME/redhat/" > ~/.rpmmacros

Next, grab the Fedora Core 20 SRPM for OpenSSL and the full OpenSSL source.

rpm -Uvh http://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/source/SRPMS/o/openssl-1.0.1e-42.fc21.src.rpm
cd ~/redhat/SOURCES/
wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz.sha1
openssl dgst -sha1 openssl-1.0.1g.tar.gz ; cat openssl-1.0.1g.tar.gz.sha1

Now apply the old secure_getenv syntax and apply the patch:

cd ~/redhat/SOURCES/
sed -i -e "s/secure_getenv/__secure_getenv/g" openssl-1.0.1e-env-zlib.patch
cd ~/redhat/SPECS/
wget http://www.ptudor.net/linux/openssl/resources/openssl-spec-patricktudor-fc20-19.diff
patch -p1 < openssl-spec-patricktudor-latest.diff

Run the build:

time rpmbuild -ba openssl.spec

Everything went well hopefully, so let's install the new RPMs:

cd ~/redhat/RPMS/x86_64/
sudo rpm -Fvh openssl-1.0.1g-*.rpm openssl-libs-1.0.1g-*.rpm openssl-devel-1.0.1g-*.rpm

Make sure it actually worked:

openssl ciphers -v 'TLSv1.2' | head -4

The link above at my website has more details but this should be a good starting point.

Thanks, enjoy.

20130819: Rawhide revision bumped from 14 to 15.

20130831: fc20 revision bumped from 15 to 18.

20130906: fc20 revision bumped from 18 to 19.

20140408: just go to my website for anything after 1.0.1g.

Apache – Multiple DH/ECDH parameters in Apache 2.4.7 configuration file

There's no way to do it for non-EC DH.

For ECDH:

SSLOpenSSLConfCmd ECDHParameters prime256v1
SSLOpenSSLConfCmd Curves brainpoolP512r1:secp521r1:brainpoolP384r1:secp384r1:brainpoolP256r1:prime256v1

Best Answer

Related Solutions

How to Get TLSv1.2 Support in Apache on RHEL6/CentOS/SL6

Apache – Multiple DH/ECDH parameters in Apache 2.4.7 configuration file

Related Question