一、Apache TLS 1.0 升级 TLS 1.2 总结。

1、最初版本 
   A )  OpenSSL 0.9.8e-fips-rhel5
       -bash-3.2$ openssl version -a
       OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
       built on: Wed Jan 18 10:10:45 EST 2012
       platform: linux-x86_64
       options:  bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,16,int) blowfish(ptr2) 
       compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -       
       I/usr/kerberos/include -DL_ENDIAN -DTERMIO -Wall -DMD32_REG_T=int -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -  q 
       fexceptions -
       fstack-
       protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DOPENSSL_USE_NEW_FUNCTIONS -fno-strict-
       aliasing -
       DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM
       OPENSSLDIR: "/etc/pki/tls"
       engines:  dynamic 
       
  B ) Apache 版本
       [root@mtest conf]# /usr/local/apache3/bin/apachectl -version -f /usr/local/apache3/conf/httpd.conf
       Server version: Apache/2.2.26 (Unix)
       Server built:   Nov 15 2016 15:50:10
       
  C ) 下载 最新版本的openssl and compile (官方描述只有1.0以上版本才支
       TLS1.2,http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslprotocol)
      1、wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
      2、tar解压 cd 到 openssl 目录下编译
      3、./config  --prefix=/usr/local/openssl --openssldir=/usr/local/ssl "(注意：不需要替换之前版本的openssl 文件，放到新的目录 避免发生不可预料的问题。)"
      
      4、检查版本
         [root@mtest conf]# openssl.bak version
         OpenSSL 1.0.1g 7 Apr 2014
         
   D ) 重新编译Apache  
       cd 到 apache 目录下执行如下命令：
       1、./configure --prefix=/usr/local/apache3 --enable-so  --enable-proxy --enable-proxy-connect --enable-proxy-http --            enable- proxy-scgi --enable-proxy-ajp --enable-proxy-balancer --enable-rewrite --enable-ssl --with- 
       ssl=/usr/local/openssl/ --enable-cgi --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util/
       2、make
       3、make install
       
   E ) 通过openssl 生成证书（认证流程：通过openssl 会生成一个service.key文件，通过service.key文件可以生成service.crt文件，crt文件会上送到         证书公司申请ca证书认证）"注意：如果自己之前有证书 并且通过第三方公司认证是支持TLS 1.2的 直接拿service.key service.crt当相对路径，再通过
       httpd-ssl-conf 配置即可，以下生成的key crt 用于测试 。"
        1、cd 到 /usr/local/apache3/conf 目录
        2、执行：/usr/local/openssl/bin/openssl genrsa -out server.key 2048
        3、执行：/usr/local/openssl/bin/openssl req -new -key server.key -out server.csr
        
               You are about to be asked to enter information that will be incorporated
               into your certificate request.
               What you are about to enter is what is called a Distinguished Name or a DN.
               There are quite a few fields but you can leave some blank
               For some fields there will be a default value,
               If you enter '.', the field will be left blank.
               -----
               Country Name (2 letter code) [AU]:CH
               State or Province Name (full name) [Some-State]:china
               Locality Name (eg, city) []:rebby
               Organization Name (eg, company) [Internet Widgits Pty Ltd]:rebby
               Organizational Unit Name (eg, section) []:rebby
               Common Name (e.g. server FQDN or YOUR name) []:mtest.xxx.com "注意：输入域名地址"
               Email Address []:haihua@163.com

               Please enter the following 'extra' attributes
               to be sent with your certificate request
               A challenge password []:   "注意：密码直接不要输入 回车。"
               An optional company name []:rebby
        4、执行： /usr/local/openssl/bin/openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
               
               Signature ok
               subject=/C=CH/ST=china/L=rebby/O=rebby/OU=rebby/CN=mtest.xxx.com/emailAddress=haihua@163.com
               Getting Private key
               
    F ) 更改配置
        1、vim /usr/local/apache3/conf/httpd.conf 
            #Include conf/extra/httpd-ssl.conf "注意：找到这行把 注释去掉 "
        2、vim /usr/local/apache3/conf/extra/httpd-ssl.conf "注意：配置你自己的域名映射 即可"
           <VirtualHost _default_:443>
           ServerName mtest.xxx.com
           ProxyPass /          http://xx.xx.xxx.11:7001/MBSServer/
           ProxyPassReverse  /          http://xx.0.223.11:7001/MBSServer/
               
    G ) 启动Apache 
        1、[root@mtest bin]# /usr/local/apache3/bin/apachectl start "注意：执行的时候可能导致文件找不到，我们可以换种方式执行。"
           httpd: Could not open configuration file /usr/local/apache/conf/httpd.conf: No such file or directory
        2、 执行： /usr/local/apache3/bin/apachectl -k stop -f /usr/local/apache3/conf/httpd.conf
           [root@mtest bin]# ps -ef | grep apache
           root     24885     1  0 16:15 ?        00:00:00 /usr/local/apache3/bin/httpd -k start -f /usr/local/apache3/conf/httpd.conf
           daemon   24886 24885  0 16:15 ?        00:00:00 /usr/local/apache3/bin/httpd -k start -f /usr/local/apache3/conf/httpd.conf
           daemon   24887 24885  0 16:15 ?        00:00:00 /usr/local/apache3/bin/httpd -k start -f /usr/local/apache3/conf/httpd.conf
           daemon   24888 24885  0 16:15 ?        00:00:00 /usr/local/apache3/bin/httpd -k start -f /usr/local/apache3/conf/httpd.conf
           daemon   24889 24885  0 16:15 ?        00:00:00 /usr/local/apache3/bin/httpd -k start -f /usr/local/apache3/conf/httpd.conf
           daemon   24890 24885  0 16:15 ?        00:00:00 /usr/local/apache3/bin/httpd -k start -f /usr/local/apache3/conf/httpd.conf
           daemon   24891 24885  0 16:15 ?        00:00:00 /usr/local/apache3/bin/httpd -k start -f /usr/local/apache3/conf/httpd.conf
           daemon   24896 24885  0 16:17 ?        00:00:00 /usr/local/apache3/bin/httpd -k start -f /usr/local/apache3/conf/httpd.conf
           root     25302  7428  0 18:54 pts/2    00:00:00 grep apache "注意：可以看的出进程已经启动了。"
           
        3、测试 google浏览器测试 F12 --> Security 如下所示：可以看出已经支持TLS 1.2了 ，也可以通过第三方网站测试（https://www.ssllabs.com/ssltest/）
        
        The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange      
        (ECDHE_RSA), and a strong cipher (AES_128_GCM).
        
        编译了很多次遇到很多问题，最终上面这个版本编译成功。过程中遇到的问题如下所示：
        
        Cannot load /usr/local/apache/modules/mod_ssl.so into server: /usr/local/apache/modules/mod_ssl.so: undefined symbol: 
        EC_KEY_free 
        "注意：编译成功后启动提示 mod_ssl.so已经被内置加载，不需要重新加载wiki有各种解释，不要纠结重新编译。"
        
        configure: error: ... Error, SSL/TLS libraries were missing or unusable 
        "通过如下命令解决：export LDFLAGS=-ldl"
        
        Syntax error on line 56 of /usr/local/apache/conf/extra/httpd-ssl.conf:
        Invalid command 'SSLPassPhraseDialog', perhaps misspelled or defined by a module not included in the server   
        configuration
        "注意：没去纠结重新编译Apache"
        
        undefined symbol: ssl_cmd_SSLMutex 
        "解决方法：/usr/local/apache/bin/apxs -i -c -a -D HAVE_OPENSSL=1 -I /usr/include/openssl *.c"
        
        undefined symbol: X509_INFO_free 
        "解决方法：undefined symbol: X509_INFO_free"
        
        mod_ssl.so: undefined symbol: EC_KEY_free "注意：没去纠结，重新编译。 "
        
        
        一些Apache 命令使用：
        
          /usr/local/apache3/bin/apachectl -k stop -f /usr/local/apache3/conf/httpd.conf 停止

          /usr/local/apache3/bin/apachectl -k start -f /usr/local/apache3/conf/httpd.conf 启动

          /usr/local/apache3/bin/apachectl -k configtest -f /usr/local/apache3/conf/httpd.conf 检查所有配置文件是否有问题

          cat /usr/local/apache3/build/config.nice 查看Apache 加载的内置模板

          /usr/local/apache/bin/apxs -c -i mod_ssl.c 重新编译Apache 某个源文件到modules目录
Provide feedback

Saved searches

Use saved searches to filter your results more quickly

README.md

README.md

一、Apache TLS 1.0 升级 TLS 1.2 总结。

Files

README.md

Latest commit

History

README.md

File metadata and controls

一、Apache TLS 1.0 升级 TLS 1.2 总结 。

一、Apache TLS 1.0 升级 TLS 1.2 总结。
