openssl 0.9.7h or 9.8a?

Discussion in 'Install/Configuration' started by joe, Nov 27, 2005.

  1. joe

    joe Member

    I'm building a new litespeed server from scratch and ran into a problem with openssl. Every time I define a listener to be secured with a certificate the server fails to start, and no useful debugging info is logged under /conf/error.log; why?

    I know from the changelog that .9.7h is supported since 2.1.3, but I'm hoping I can go later with the sources?

    Stats:
    FreeBSD6.0
    litespeed 2.1.6
    mysql 5.0.16
    php5.1.0 w/ this config:
    ./configure --enable-fastcgi --with-config-file-path=../conf --enable-discard-path --disable-path-info-check --with-mysql=/usr/local/bin/mysql --with-openssl=/usr/local/ssl

    openssl .9.8.a w/ straight
    ./config && make && make test && make

    I used the instructions from the howto to make a private key and self-signed cert. This worked flawlessly for me under freebsd 5.4 and openssl .9.7f I think.

    There were no build errors that I'm aware of, and the phpinfo shows it compiled fine

    Must I use .9.7h or what could be the problem?
  2. mistwang

    mistwang LiteSpeed Staff

    As the openssl library is statically linked into our lsws binary, I think the problem may not be the openssl 0.9.8a library. You can double check this by using "ldd lshttpd".

    I think the problem might be the FreeBSD 6.0, our prebuilt openssl binary does not work properly together with 6.0, can you use freebsd 5.x?

    Best regards,
    George
  3. joe

    joe Member

    Here is that cmd result. I presume it shows everything in order?

    www# ldd lshttpd
    lshttpd:
    libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x281eb000)
    libm.so.2 => /usr/lib/libm.so.2 (0x28203000)
    libc.so.4 => /usr/lib/libc.so.4 (0x28219000)
    www#

    I can use freebsd 5.4, just wanted to try something shiny and new is all...

    Will you be updating this soon?
    btw: thanks for a quick reply!
  4. mistwang

    mistwang LiteSpeed Staff

    The result of ldd shows that lshttpd does not link to external OpenSSL library.

    I think we will not try FreeBSD 6.0 anytime soon, as 6.0 is too new to be used in production. :)
  5. joe

    joe Member

    Does this mean, so long as I have my certificate, it doesn't matter if/what version of openssl is installed?
  6. mistwang

    mistwang LiteSpeed Staff

    Yes, you don't need to install openssl library just for LSWS
  7. joe

    joe Member

    I see.

    Well that's both a blessing and a curse.

    Easier to manage now that I know I don't need openssl, and a curse in that if anything else such as the potential SSL 2.0 Rollback (CAN-2005-2969) http://www.openssl.org/news/secadv_20051011.txt comes out.

    I can avoid all this work by using freebsd 5.4 as you mentioned, but is it also possible to change those static links? :)
  8. mistwang

    mistwang LiteSpeed Staff

    No. :)
    We always try to publish new release to address the security issues ASAP.
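
Added example, not part of the thread or LiteSpeed's own code: the `ldd` check discussed above, extended with a scan for the OpenSSL version banner that a statically linked copy normally carries, so an administrator can tell which OpenSSL release a binary embeds when an advisory such as CAN-2005-2969 comes out. The function names and the stand-in file with its sample banner are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Reads `ldd <binary>` output on stdin; succeeds if the binary dynamically
# links OpenSSL (libssl or libcrypto). libcrypt.so.N is the system crypt(3)
# library, not OpenSSL's libcrypto, so it must not match.
links_openssl() {
    grep -Eq '(^|[[:space:]/])lib(ssl|crypto)\.so'
}

# Prints the distinct OpenSSL version banners compiled into file $1.
# -a treats the binary as text, -o prints only the matched banner.
embedded_openssl_version() {
    LC_ALL=C grep -a -o -E 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*' "$1" | sort -u
}

# $1 = binary path, stdin = its ldd output. Prints a one-line verdict.
audit_binary() {
    if links_openssl; then
        echo "dynamic: patched by updating the system OpenSSL"
    else
        v=$(embedded_openssl_version "$1")
        if [ -n "$v" ]; then
            echo "static: $v (patched only by replacing the binary)"
        else
            echo "no OpenSSL found"
        fi
    fi
}

# Demo: ldd output as posted in the thread, plus a constructed stand-in file
# carrying a sample banner (not the real lshttpd binary).
demo() {
    tmp=$(mktemp) || return 1
    printf 'ELF\000\000OpenSSL 0.9.7h 11 Oct 2005\000' > "$tmp"
    audit_binary "$tmp" <<'EOF'
lshttpd:
        libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x281eb000)
        libm.so.2 => /usr/lib/libm.so.2 (0x28203000)
        libc.so.4 => /usr/lib/libc.so.4 (0x28219000)
EOF
    rm -f "$tmp"
}
demo
```

Against a real installation the call is `ldd lshttpd | audit_binary lshttpd`, run from the directory holding the binary.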
  9. ianchov

    ianchov New Member

    I had the same...

    Hi!

    Did you manage to resolve the problem with FreeBSD 6.0 and lshttpd with OpenSSL?

    Today I tried loading a listener with SSL keys and the server just didn't start.
    ....
  10. mistwang

    mistwang LiteSpeed Staff

    LSWS has not been tested on FreeBSD 6.0 yet, it may not work at all.
    Can you use FreeBSD 5.x instead?
  11. ianchov

    ianchov New Member

    ...

    Nope...:(
    I'm just in the middle of configuring the server....
    I needed a Web Server and as usual I installed LiteSpeed....

    It worked flawlessly until I started the SSL listener.....

    Do you have some ideas?
  12. joe

    joe Member

    For the record,

    litespeed (all recent versions) works just fine under FreeBSD 6.0 for me, with the only exception of the SSL.
  13. ianchov

    ianchov New Member

    Yes, we know that..

    Here the question is how to make it work with SSL?

    ps. I tried stunnel and it works, but that isn't the solution I need
  14. xing

    xing LiteSpeed Staff

    Joe/Ianchov,

    Are you guys using LiteSpeed via the Linux compatibility layer under FreeBSD 6.0? Or using the LiteSpeed FreeBSD packages? When I tried the FreeBSD package under 6.0, LiteSpeed is looking for different versions of sys libs than that provided by 6.0.

    Thanks.
  15. ianchov

    ianchov New Member

    That is interesting.. :)
    I'm using the FreeBSD packages....but I never thought about using the Linux one.

    Is there any performance difference between the two?
  16. joe

    joe Member

    I'm also using the freebsd package.

    During the setup I recall having to create 3-4 soft links but I forget what exactly they were. Basically just creating links to similar library files. After creating each soft link I could go another step through the install routine until it finished.
  17. xing

    xing LiteSpeed Staff

    I have very limited experience with FreeBSD but when I tried LiteSpeed Linux version with FreeBSD 6.0's Linux compat layer, everything works. However, there is an abnormal amount of timeout sessions to clients via logging as compared to my linux box. This is for a load balanced 50/50 proxy with litespeed.

    I'm still trying to get the litespeed freebsd to work with 6.0. When I tried it last week with a few symlinks, I was getting segmentation faults. Perhaps I did the wrong sym links. Will try again.

    In my opinion, stick with freebsd package. I wouldn't trust a 24/7 operation on a compatibility layer.
  18. xing

    xing LiteSpeed Staff

    For those of you on the bleeding edge trying to use LiteSpeed with FreeBSD 6.0. Here is the run down, summary, of what works, what doesn't, and what you need to do to get LiteSpeed up and running.

    FreeBSD 6.0

    1) Professional/Enterprise Editions currently are not supported under FreeBSD 6.0. License verification fails due to incompatible library.

    2) Standard Edition works with caveats:

    a) SSL does not work. Library incompatibility.

    b) You must sym/soft link the following files:

    Code:
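    # Create the library names lshttpd expects (left of the arrows above) as
    # symlinks to the versions FreeBSD 6.0 provides: ln -s <target> <link name>
    ln -s /lib/libc.so.6 /lib/libc.so.4
    ln -s /lib/libcrypt.so.3 /lib/libcrypt.so.2
    ln -s /lib/libm.so.4 /lib/libm.so.2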
    
    3) You can use the Linux package under FreeBSD Linux compat layer. It installs and runs. However, the extent of how well it functions is still up in the air and your feedback can shed more light on this.
  19. mistwang

    mistwang LiteSpeed Staff

    I tried FreeBSD 6.0 in our lab, looks like there is some problem with the statically linked openssl library, when SSL is used, it will dump a core file.

    Looks like FreeBSD 6.0 needs a dedicated lshttpd binary.
  20. joe

    joe Member

    I concur with xing's assessment and the links, I made the same during the install.

    I'm not using 6.0 in production so I haven't seen the issues discussed, but not trying that hard I guess.
