« Deploying Forward Secrecy | Main | Configuring Apache, Nginx, and OpenSSL for Forward Secrecy »

Compiling Apache with static OpenSSL libraries

August 03, 2013

Back in 2004, when I was writing Apache Security, it was quite common to install Apache from source code, and I spent a lot of time documenting the process. When the stabilized most people stopped bothering with the source code and relied on the binaries provided by the operating system.

We're back into unstable territories. Today, to get the best SSL/TLS configuration you have to roll your sleeves and do everything the old way. For example, I have a couple of servers running Ubuntu 10.04 LTS; the OpenSSL version installed does not support TLS 1.2, and its Apache 2.2.x does not support the ECDHE suites (which are necessary for Forward Secrecy). If you're running an operating that originated at Red Hat, I hear that you don't get any Elliptic Curve crypto from the default binaries.

The easiest way to run Apache with a recent version of OpenSSL is to compile the crypto code statically, and install everything into a separate location. That way you achieve the goal, but you don't mess with the rest of the operating system.

First, you should get the desired version of OpenSSL and install it at a location where it will not interfere with your system version. I usually choose /opt for this purpose.

$ ./config \
    --prefix=/opt/openssl-1.0.1e \
$ make
$ sudo make install

Now, get the latest Apache 2.4.x, APR and APR-Util libraries. You will need to unpack all three packages into the same source tree, with the latter two in the location where Apache expects them. For example:

$ tar zxvf httpd-2.4.6.tar.gz
$ cd httpd-2.4.6/srclib/
$ tar zxvf ../../apr-1.4.8.tar.gz
$ ln -s apr-1.4.8/ apr
$ tar zxvf ../../apr-util-1.5.2.tar.gz
$ ln -s apr-util-1.5.2/ apr-util

You are now ready to configure and install Apache. The mod_ssl module will be compiled statically, with all other modules dynamically.

$ ./configure \
    --prefix=/opt/httpd \
    --with-included-apr \
    --enable-ssl \
    --with-ssl=/opt/openssl-1.0.1e \
    --enable-ssl-staticlib-deps \
$ make
$ sudo make install
MY BOOK: If you like this blog post, you will love Bulletproof TLS and PKI. For system administrators, developers, and IT security professionals, this book provides a comprehensive coverage of the ever-changing field of SSL/TLS and Internet PKI and will teach you everything you need to know to protect your systems from eavesdropping and impersonation attacks. It's available now.