On Wed, Nov 21, 2012 at 9:22 AM, securenamefirst securenamelast < [email protected]> wrote:
> Thanks Igor,
> Can I have 2 OpenSSL installations on the same machine?
> I have Apache 2.2 using OpenSSL 0.9 serving current application requests.
> I have a requirement to transfer files over TLS 1.1, hence the need for OpenSSL
> 1.0.1. Seems an overkill to have a second webserver instance just to
> transfer files, but I see it as the only solution.
>
> Files can be done via FTPS using something like the Mina Apache FTP server -
> probably the same problem there too in terms of OpenSSL 0.9.
>
> On Tue, Nov 20, 2012 at 9:44 PM, Igor Cicimov <[email protected]> wrote:
>
>> On Wed, Nov 21, 2012 at 7:26 AM, securenamefirst securenamelast <
>> [email protected]> wrote:
>>
>>> Hi,
>>> I'm confused!
>>> I read as part of the features list for Apache 2.2
>>> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
>>> that
>>> SSL_PROTOCOL string The SSL protocol version (SSLv2, SSLv3, TLSv1,
>>> TLSv1.1, TLSv1.2)
>>>
>>> however when I run the app using Apache 2.2 I get the following:
>>> [Thu Nov 08 13:38:54 2012] [notice] Apache/2.2.10 (Unix) DAV/2
>>> mod_ssl/2.2.10 OpenSSL/0.9.7d mod_jk/1.2.26 configured -- resuming normal
>>> operations
>>>
>>> meaning I'm using Apache 2.2 but with OpenSSL 0.9 which, according to
>>> what I read, only supports up to TLSv1.0 and not above. To get TLS 1.1
>>> apparently I need OpenSSL 1.0.1.
>>> https://community.qualys.com/thread/2013
>>>
>>> Problem 1 - does Apache 2.2 or 2.4 support TLS 1.1 or not? -
>>> documentation says it does via mod_ssl.
>>>
>>> If yes then how do I get TLS 1.1 working? I would appreciate some
>>> direction, app only way is to recompile with OpenSSL 1.0 and that 2.2 does
>>> not support TLSv1.1,
>>>
>>> thanks
>>>
>> Install OpenSSL 1.0.1 and recompile Apache to use that one.
Sure you can, this is how I compiled OpenSSL on one Red Hat server a couple of weeks ago:

$ ./config --prefix=/usr/local --openssldir=/usr/local/ssl enable-tlsext shared
$ sudo make && sudo make install

so you can use a different --openssldir every time you compile a new version, i.e. --openssldir=/usr/local/openssl-1.0.1c etc., and have several versions in parallel.

Then I compiled Apache with the following command:

$ LDFLAGS=-L/usr/local/lib64 CPPFLAGS=-I/usr/local/include ./configure --prefix=/usr/local/apache2 --with-mpm=worker --with-included-apr --enable-info --enable-proxy --enable-proxy-connect --enable-proxy-ftp --enable-proxy-http --enable-proxy-balancer --enable-rewrite --enable-headers --enable-cache --enable-mem-cache --enable-disk-cache --enable-expires --enable-mods-shared=all --enable-dav --enable-deflate --enable-ssl=shared --with-ssl=/usr/local/ssl

to point Apache to the 1.0.1c OpenSSL and use that one at runtime.
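After a rebuild like the one above, the thing to verify is that httpd really loads the new libssl and that the version it announces is new enough for TLS 1.1 (TLS 1.1 and 1.2 support first shipped in OpenSSL 1.0.1). The script below is an added example and is not code from this thread or from the Apache or OpenSSL projects. The two startup notice lines it parses are constructed samples (the first has the same shape as the one quoted earlier in the thread), and the /usr/local and /usr/local/apache2 prefixes used by the live checks are assumptions taken from the configure commands above.

```shell
#!/bin/sh
# Added example, not code from the thread. After building OpenSSL into its
# own prefix and compiling Apache against it, confirm that httpd really picked
# up the new library and that the version it reports can do TLS 1.1/1.2.
# TLS 1.1 and 1.2 first appear in OpenSSL 1.0.1, so that is the threshold.

# Constructed sample startup notices; the first has the form quoted in the thread.
OLD_NOTICE='[Thu Nov 08 13:38:54 2012] [notice] Apache/2.2.10 (Unix) DAV/2 mod_ssl/2.2.10 OpenSSL/0.9.7d mod_jk/1.2.26 configured -- resuming normal operations'
NEW_NOTICE='[Wed Nov 21 10:02:11 2012] [notice] Apache/2.2.23 (Unix) mod_ssl/2.2.23 OpenSSL/1.0.1c configured -- resuming normal operations'

# Print the OpenSSL version mod_ssl announces in an httpd notice line
# (e.g. 0.9.7d); print nothing if the line carries no OpenSSL/ token.
openssl_version_from_notice() {
    printf '%s\n' "$1" | sed -n 's|.*OpenSSL/\([0-9][0-9.]*[a-z]*\).*|\1|p'
}

# Exit 0 if an OpenSSL version string is 1.0.1 or newer, 1 otherwise.
# Only major.minor.patch is compared; the trailing letter (0.9.8y, 1.0.1c)
# is a bug-fix level and never changes which protocols are supported.
openssl_has_tls11() {
    ver=$(printf '%s' "$1" | sed 's/[a-z]*$//')
    major=${ver%%.*};  rest=${ver#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    patch=${rest%%.*}
    [ $(( ${major:-0} * 10000 + ${minor:-0} * 100 + ${patch:-0} )) -ge 10001 ]
}

# One-line verdict for a notice line: prints the version and whether it is
# new enough; exit status mirrors openssl_has_tls11.
check_notice() {
    v=$(openssl_version_from_notice "$1")
    if [ -z "$v" ]; then
        echo "no OpenSSL version in notice line"; return 1
    fi
    if openssl_has_tls11 "$v"; then
        echo "OpenSSL $v: TLS 1.1/1.2 available"
    else
        echo "OpenSSL $v: TLS 1.0 at most, rebuild against >= 1.0.1"; return 1
    fi
}

# Live checks for a build laid out like the configure commands in the thread
# (the prefixes are assumptions taken from those commands; override via env).
# Run as:  HOST=myhost:443 sh check_tls11.sh --live
live_check() {
    apache_prefix=${APACHE_PREFIX:-/usr/local/apache2}
    ssl_prefix=${OPENSSL_PREFIX:-/usr/local}
    # 1. mod_ssl must resolve libssl/libcrypto from the new prefix. If the
    #    distro's 0.9.x copies show up here, the dynamic linker is not finding
    #    the new ones (add /usr/local/lib64 to ld.so.conf and run ldconfig, or
    #    export LD_LIBRARY_PATH from $apache_prefix/bin/envvars).
    ldd "$apache_prefix/modules/mod_ssl.so" | grep -E 'libssl|libcrypto'
    # 2. The library that was actually linked in.
    "$ssl_prefix/bin/openssl" version
    # 3. Force a TLS 1.1 handshake; the -tls1_1 switch itself only exists
    #    from 1.0.1 on. Success prints "Protocol  : TLSv1.1" in the session block.
    "$ssl_prefix/bin/openssl" s_client -connect "${HOST:-localhost:443}" -tls1_1 \
        </dev/null 2>&1 | grep -E 'Protocol|handshake failure'
}

check_notice "$OLD_NOTICE" || true
check_notice "$NEW_NOTICE"
if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

The notice-line parsing works offline on the two constructed samples; pass --live on the rebuilt server to run the ldd, openssl version and s_client checks against the real installation. Seeing the old 0.9.x libssl in the ldd output while the build was configured with --with-ssl=/usr/local/ssl is the usual reason a rebuilt httpd still logs the old version.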
