Updating to OpenSSL 0.9.7d, OpenSSH 3.8.1p1 and Apache 2.0.49 on Redhat 8 First set up our environment: Before we get started we will be compiling into /usr/local/lib which is not the default library directory on Redhat. Edit /etc/ld.so.conf and put /usr/local/lib at the top of the file, then as root run # ldconfig Now set up our LD_LIBRARY_PATH for configure (you want to add these to root's .profile) # LD_LIBRARY_PATH=/usr/local/lib:/usr/lib:/usr/X11R6/lib:/usr/lib/sane:/usr/kerberos/lib:/usr/lib/qt-3.0.5/lib:/usr/lib/qt2/lib:/usr/lib/wine:/usr/lib/mysql; export LD_LIBRARY_PATH # export LDFLAGS="-L/usr/local/lib -L/usr/lib -L/usr/X11R6/lib" # mkdir /build (if not already created) Now we need to remove old legacy rpms installed by Redhat if they exist: Notes: If the rpm command hangs you may have a corrupt rpm database. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=73097 Stop the Apache server: # /etc/init.d/httpd stop Stopping httpd: [ OK ] Copy the existing Apache configs # mkdir /save # cd /etc/httpd # find . 
-print -depth | cpio -pvdm /save Remove legacy Apache, MySQL and PHP (and their dependencies) RPMs: rpm -e mod_perl-1.99_07-5 rpm -e mod_python-3.0.1-3 rpm -e mod_ssl-2.0.43-2 rpm -e mod_auth_mysql-1.11-12 rpm -e mod_auth_pgsql-0.9.12-14 rpm -e wordtrans-web-1.1pre12-7 rpm -e php-imap-4.2.2-17.2 rpm -e php-ldap-4.2.2-17.2 rpm -e php-manual-4.2.2-17.2 rpm -e php-mysql-4.2.2-17.2 rpm -e php-odbc-4.2.2-17.2 rpm -e php-pgsql-4.2.2-17.2 rpm -e php-snmp-4.2.2-17.2 rpm -e squirrelmail-1.2.11-1 rpm -e php-devel-4.2.2-17.2 rpm -e php-4.2.2-17.2 rpm -e redhat-config-httpd-1.0.1-18 rpm -e webalizer-2.01_10-11 rpm -e htdig-web-3.2.0-16.20021103 rpm -e nut-cgi-1.2.0-6 rpm -e namazu-cgi-2.0.12-5 rpm -e mailman-2.1.1-4 rpm -e mailman-2.0.13-3 rpm -e php-dbg-client-2.10-6 rpm -e php-dbg-server-2.10pl3-6 rpm -e php-manual-4.2.2-8.0.5 rpm -e php-imap-4.2.2-8.0.5 rpm -e asp2php-gtk-0.76.2-3 rpm -e php-devel-4.2.2-8.0.5 rpm -e php-odbc-4.2.2-8.0.5 rpm -e php-ldap-4.2.2-8.0.5 rpm -e php-dbg-client-2.10-6 rpm -e php-pgsql-4.2.2-8.0.5 rpm -e php-snmp-4.2.2-8.0.5 rpm -e asp2php-0.76.2-3 rpm -e php-dbg-base-2.10-4 rpm -e php-mysql-4.2.2-8.0.5 rpm -e squirrelmail-1.2.7-4 rpm -e php-4.2.2-8.0.5 rpm -e namazu-cgi-2.0.10-8 rpm -e nut-cgi-0.45.4-5 rpm -e mod_perl-1.99_05-3 rpm -e mod_python-3.0.0-10 rpm -e mod_auth_pgsql-0.9.12-11 rpm -e MyODBC-2.50.39-7 rpm -e httpd-manual-2.0.40-8 rpm -e redhat-config-httpd-1.0.1-13 rpm -e httpd-devel-2.0.40-8 rpm -e httpd-2.0.40-8 rpm -e mod_auth_mysql-1.11-10 rpm -e qt-MySQL-3.0.5-17 rpm -e libdbi-dbd-mysql-0.6.5-2 rpm -e mysql-devel-3.23.52-3 rpm -e perl-DBD-MySQL-2.1017-3 MySQL-python-0.9.1-4 mysql-server-3.23.52-3 mysql-3.23.52-3 Build zlib first: # cd /build/zlib-1.1.4 # cp Makefile Makefile.orig Edit the Makefile that comes with zlib and change the line: CC=cc to CC=gcc # make # make test hello world uncompress(): hello, hello! gzread(): hello, hello! gzgets() after gzseek: hello! inflate(): hello, hello! 
large_inflate(): OK after inflateSync(): hello, hello! inflate with dictionary: hello, hello! *** zlib test OK *** # make install Compile OpenSSL Grab the source from http://www.openssl.org/source/openssl-0.9.7d.tar.gz or http://www.csse.monash.edu.au/~debbiep/palm/update-episodes/ http://ws.harcourt.com/pub/soft/src/openssl-0.9.7d.tar.gz and save it into /build/openssl-0.9.7d.tar.gz, then uncompress and untar it # cd /build/openssl-0.9.7d # ./config --prefix=/usr/local --openssldir=/usr/local/openssl shared # make # make test # make install # echo "/usr/local/openssl/lib" >> /etc/ld.so.conf # ldconfig # openssl version OpenSSL 0.9.7d 17 Mar 2004 Build OpenSSH First create the privilege separation dir: # mkdir -p /var/chroot/sshd # chown root:root /var/chroot # chown root:root /var/chroot/sshd # chmod 700 /var/chroot/sshd Create the Privilege separation user sshd: # userdel sshd # groupdel sshd # groupadd -g 5101 sshd # useradd -d /var/chroot/sshd -g sshd -u 5101 -m sshd # chown root /var/chroot/sshd # chgrp root /var/chroot/sshd Verify # id sshd uid=5101(sshd) gid=5101(sshd) groups=5101(sshd) Build OpenSSH # cd /build/openssh-3.8.1p1 # ./configure --prefix=/usr/local --sysconfdir=/usr/local/etc --with-ssl-dir=/build/openssl-0.9.7d --with-privsep-user=sshd --with-privsep-path=/var/chroot/sshd OpenSSH has been configured with the following options: User binaries: /usr/local/bin System binaries: /usr/local/sbin Configuration files: /usr/local/etc Askpass program: /usr/local/libexec/ssh-askpass Manual pages: /usr/local/man/manX PID file: /var/run Privilege separation chroot path: /var/chroot/sshd sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin Manpage format: doc PAM support: no KerberosV support: no Smartcard support: no S/KEY support: no TCP Wrappers support: no MD5 password support: no IP address in $DISPLAY hack: no Translate v4 in v6 hack: yes BSD Auth support: no Random number source: OpenSSL internal ONLY Host: i686-pc-linux-gnu Compiler: gcc Compiler 
flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized Preprocessor flags: -I/build/openssl-0.9.7d/include Linker flags: -L/build/openssl-0.9.7d -L/usr/local/lib -L/usr/lib -L/usr/X11R6/lib Libraries: -lresolv -lcrypto -lutil -lz -lnsl -lcrypt # make # make install Verify the installation is good: # ssh -V OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004 Generate the host keys if they do not already exist (the rsa1 key is only used by SSH protocol 1, so it can be skipped unless Protocol 1 is enabled in sshd_config): # ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N "" # ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N "" # ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N "" Now build Apache: # cd /build/httpd-2.0.49 # export SSL_BASE=/usr/local/openssl # LIBS="-lpthread"; export LIBS # LDFLAGS="-lpthread"; export LDFLAGS # unset CFLAGS # ./configure --prefix=/usr/local/httpd \ --enable-ssl --with-ssl=/usr/local/openssl \ --enable-so \ --enable-mods-shared=all \ --enable-access=shared --enable-auth=shared --enable-auth_anon=shared \ --enable-auth_dbm=shared --enable-auth_digest=shared --enable-include=shared \ --enable-log_config=shared --enable-env=shared --enable-mime_magic=shared \ --enable-cern_meta=shared --enable-expires=shared --enable-headers=shared \ --enable-usertrack=shared --enable-unique_id=shared --enable-setenvif=shared \ --enable-mime=shared --enable-dav=shared --enable-status=shared \ --enable-autoindex=shared --enable-asis=shared --enable-info=shared \ --enable-cgi=shared --enable-dav_fs=shared --enable-vhost_alias=shared \ --enable-negotiation=shared --enable-dir=shared --enable-imap=shared \ --enable-actions=shared --enable-speling=shared --enable-userdir=shared \ --enable-alias=shared --enable-rewrite=shared --enable-proxy=shared \ --enable-proxy_ftp=shared --enable-proxy_http=shared \ --enable-proxy_connect=shared --enable-rule=SHARED_CORE \ --verbose # make # make install Shutdown the old Apache: # /etc/init.d/httpd stop Finally fixup Apache: # mkdir -p /var/run/httpd # chown apache:apache /var/run/httpd # chmod 755 /var/run/httpd # mkdir 
/usr/local/httpd/conf.d # cp /usr/local/httpd/conf/httpd.conf /usr/local/httpd/conf/httpd.conf.orig Move the ssl include file to conf.d: # mv /usr/local/httpd/conf/ssl.conf /usr/local/httpd/conf.d/ssl.conf Edit /usr/local/httpd/conf/httpd.conf Change the line: ServerAdmin you@your.address to ServerAdmin nicadmin@harcourt.com and the line: #ServerName new.host.name:80 to ServerName my.host.com:80 or similar and the lines: User nobody Group #-1 to User apache Group apache Add the below lines underneath the Listen statement: # Load config files from the config directory "/usr/local/httpd/conf.d". # Include /usr/local/httpd/conf.d/*.conf Change the PidFile line to: PidFile /var/run/httpd/httpd.pid Comment out the original ssl include lines: # # Include conf/ssl.conf # or # #LoadModule ssl_module modules/mod_ssl.so # Save and exit. Edit the ssl.conf file /usr/local/httpd/conf.d/ssl.conf and add the following line near the top above all other statements: LoadModule ssl_module modules/mod_ssl.so Remove the lines: and Comment out the following lines since we are using virtual hosting: # SSL Engine Switch: # Enable/Disable SSL for this virtual host. #SSLEngine on and # Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If # the certificate is encrypted, then you will be prompted for a # pass phrase. Note that a kill -HUP will prompt again. Keep # in mind that if you have both an RSA and a DSA certificate you # can configure both in parallel (to also allow the use of DSA # ciphers, etc.) #SSLCertificateFile /usr/local/httpd/conf/ssl.crt/server.crt #SSLCertificateFile /usr/local/httpd/conf/ssl.crt/server-dsa.crt and # Server Private Key: # If the key is not combined with the certificate, use this # directive to point at the key file. Keep in mind that if # you've both a RSA and a DSA private key you can configure # both in parallel (to also allow the use of DSA ciphers, etc.) 
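#SSLCertificateKeyFile /usr/local/httpd/conf/ssl.key/server.key and # and # Save and exit. Try to start the server again: # /usr/local/httpd/bin/apachectl startssl # ps -ef | grep http nobody 17474 17470 0 19:28:28 ? 0:00 /usr/local/httpd/bin/httpd -k start root 17470 1 14 19:28:25 ? 0:03 /usr/local/httpd/bin/httpd -k start nobody 17475 17470 0 19:28:28 ? 0:00 /usr/local/httpd/bin/httpd -k start nobody 17471 17470 0 19:28:28 ? 0:00 /usr/local/httpd/bin/httpd -k start nobody 17473 17470 0 19:28:28 ? 0:00 /usr/local/httpd/bin/httpd -k start nobody 17472 17470 0 19:28:28 ? 0:00 /usr/local/httpd/bin/httpd -k start Now update the init script: # mv /etc/init.d/httpd /etc/init.d/httpd.orig_redhat Create the file /etc/init.d/httpd with the following lines:
#!/bin/bash
#
# Startup script for the Apache Web Server
#
# chkconfig: - 85 15
# description: Apache is a World Wide Web server. It is used to serve \
#              HTML files and CGI.
# processname: httpd
# pidfile: /var/run/httpd/httpd.pid
# config: /usr/local/httpd/conf/httpd.conf

# Source function library (supplies daemon, killproc, status and failure).
. /etc/rc.d/init.d/functions

# Optional site overrides; OPTIONS set here is handed to httpd at start.
if [ -f /etc/sysconfig/httpd ]; then
  . /etc/sysconfig/httpd
fi

# This will prevent initlog from swallowing up a pass-phrase prompt if
# mod_ssl needs a pass-phrase from the user.
INITLOG_ARGS=""

# Path to the apachectl script, server binary, and short-form for messages.
apachectl=/usr/local/httpd/bin/apachectl
httpd=/usr/local/httpd/bin/httpd
prog=httpd
RETVAL=0

# check for 1.3 configuration
# Refuses to start or reload while httpd.conf still carries Apache 1.3-only
# directives; prints a failure marker and exits 1 when any is found.
check13 () {
  CONFFILE=/usr/local/httpd/conf/httpd.conf
  GONE="(ServerType|BindAddress|Port|AddModule|ClearModuleList|"
  GONE="${GONE}AgentLog|RefererLog|RefererIgnore|FancyIndexing|"
  GONE="${GONE}AccessConfig|ResourceConfig)"
  if grep -Eiq "^[[:space:]]*($GONE)" "$CONFFILE"; then
    echo
    echo 1>&2 " Apache 1.3 configuration directives found"
    # NOTE: this doc path belongs to the httpd-2.0.40 RPM that was removed
    # above; point it at the manual shipped with the 2.0.49 build instead.
    echo 1>&2 " please read /usr/share/doc/httpd-2.0.40/migration.html"
    failure "Apache 1.3 config directives test"
    echo
    exit 1
  fi
}

# The semantics of these two functions differ from the way apachectl does
# things -- attempting to start while running is a failure, and shutdown
# when not running is also a failure. So we just do it the way init scripts
# are expected to behave here.
start() {
  echo -n $"Starting $prog: "
  check13 || exit 1
  # $OPTIONS is deliberately unquoted: it carries whitespace-separated flags.
  daemon "$httpd" $OPTIONS
  RETVAL=$?
  echo
  [ "$RETVAL" = 0 ] && touch /var/lock/subsys/httpd
  return $RETVAL
}

stop() {
  echo -n $"Stopping $prog: "
  killproc "$httpd"
  RETVAL=$?
  echo
  [ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/httpd /var/run/httpd/httpd.pid
  # Report killproc's status, not that of the rm above.
  return $RETVAL
}

reload() {
  echo -n $"Reloading $prog: "
  check13 || exit 1
  killproc "$httpd" -HUP
  RETVAL=$?
  echo
  return $RETVAL
}

# See how we were called.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  status)
    status "$httpd"
    RETVAL=$?
    ;;
  restart)
    stop
    start
    ;;
  condrestart)
    if [ -f /var/run/httpd/httpd.pid ] ; then
      stop
      start
    fi
    ;;
  reload)
    reload
    ;;
  graceful|help|configtest|fullstatus)
    # Quoted "$@" passes each argument through to apachectl intact.
    "$apachectl" "$@"
    RETVAL=$?
    ;;
  *)
    echo $"Usage: $prog {start|stop|restart|condrestart|reload|status|fullstatus|graceful|help|configtest}"
    exit 1
esac

exit $RETVAL
Save and exit. # chmod +x /etc/init.d/httpd # chkconfig --add httpd # chkconfig --level 1 httpd off # chkconfig --level 2 httpd off # chkconfig --level 3 httpd on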