openssl 0.9.7h or 9.8a?

joe

Well-Known Member
#1
I'm building a new litespeed server from scratch and ran into a problem with openssl. Every time I define a listener to be secured with a certificate the server fails to start, and no useful debugging info is logged under /conf/error.log; why?

I know from the changelog that .9.7h is supported since 2.1.3, but I'm hoping I can go later with the sources?

Stats:
FreeBSD6.0
litespeed 2.1.6
mysql 5.0.16
php5.1.0 w/ this config:
./configure --enable-fastcgi --with-config-file-path=../conf --enable-discard-path --disable-path-info-check --with-mysql=/usr/local/bin/mysql --with-openssl=/usr/local/ssl

openssl .9.8.a w/ straight
./config && make && make test && make

I used the instructions from the howto to make a private key and self-signed cert. This worked flawlessly for me under freebsd 5.4 and openssl .9.7f I think.

There were no build errors that I'm aware of, and the phpinfo shows it compiled fine

Must I use .9.7h or what could be the problem?
 

mistwang

LiteSpeed Staff
#2
As the openssl library is statically linked into our lsws binary, I think the problem may not be the openssl 0.9.8a library. You can double check this by using "ldd lshttpd".

I think the problem might be the FreeBSD 6.0, our prebuilt openssl binary does not work properly together with 6.0, can you use freebsd 5.x?

Best regards,
George
 

joe

Well-Known Member
#3
Here is that cmd result. I presume it shows everything in order?

www# ldd lshttpd
lshttpd:
libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x281eb000)
libm.so.2 => /usr/lib/libm.so.2 (0x28203000)
libc.so.4 => /usr/lib/libc.so.4 (0x28219000)
www#

I can use freebsd 5.4, just wanted to try something shiny and new is all...

Will you be updating this soon?
btw: thanks for a quick reply!
 

mistwang

LiteSpeed Staff
#4
The result of ldd shows that lshttpd does not link to external OpenSSL library.

I think we will not try FreeBSD 6.0 anytime soon, as 6.0 is too new to be used in production. :)
 

joe

Well-Known Member
#7
I see.

Well that's both a blessing and a curse.

Easier to manage now that I know I don't need openssl, and a curse in that if anything else such as the potential SSL 2.0 Rollback (CAN-2005-2969) http://www.openssl.org/news/secadv_20051011.txt comes out.

I can avoid all this work by using freebsd 5.4 as you mentioned, but is it also possible to change those static links? :)
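
Added example, not part of the thread and not LiteSpeed's own tooling: the check discussed in posts #2 through #7, scripted so a bundled OpenSSL can be inventoried when an advisory comes out. It classifies a binary from its `ldd` output and, when no shared libssl/libcrypto is listed, searches the file for the version banner OpenSSL compiles into its code; the function names and the sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a binary depends on a
# shared OpenSSL or carries its own copy, and report the embedded version.

# Print each distinct OpenSSL version found inside file $1.
# OpenSSL compiles a banner such as "OpenSSL 0.9.7h 11 Oct 2005" into its
# library code, so a statically linked copy shows up in a byte search.
embedded_openssl_versions() {
    LC_ALL=C grep -a -o -E 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*' "$1" |
        awk '{ print $2 }' | sort -u
}

# $1 = binary path, $2 = text of `ldd` output for that binary.
# Prints "shared", "static <versions>", or "none".
# Note: libcrypt (password hashing) is not libcrypto and must not match.
classify_openssl() {
    if printf '%s\n' "$2" | grep -E -q 'lib(ssl|crypto)\.so'; then
        echo "shared"
        return 0
    fi
    versions=$(embedded_openssl_versions "$1" | tr '\n' ' ' | sed 's/ $//')
    if [ -n "$versions" ]; then
        echo "static $versions"
    else
        echo "none"
    fi
}

# ldd output as posted in the thread: no libssl/libcrypto entry.
THREAD_LDD='libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x281eb000)
libm.so.2 => /usr/lib/libm.so.2 (0x28203000)
libc.so.4 => /usr/lib/libc.so.4 (0x28219000)'

# Constructed stand-in for a binary with an embedded banner (not lshttpd).
make_sample_binary() {
    f=$(mktemp) || return 1
    printf 'ELF\000\001\002pad\000OpenSSL 0.9.7h 11 Oct 2005\000tail\n' > "$f"
    echo "$f"
}

sample=$(make_sample_binary)
classify_openssl "$sample" "$THREAD_LDD"
rm -f "$sample"
```

A "static" result means the OpenSSL code can only be updated by replacing the binary itself, which is the trade-off raised in post #7.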
 
#9
I had the same...

Hi!

Did you manage to resolve the problem with FreeBSD 6.0 and lshttpd with OpenSSL?

Today I tried loading a listener with SSL keys and the server just didn't start.
....
 
#11
...

Nope...:(
I'm just in the middle of configuring the server....
I needed a Web Server and as usual I installed LiteSpeed....


It worked flawlessly until I started the SSL listener.....


Do you have some ideas?
 

joe

Well-Known Member
#12
For the record,

litespeed (all recent versions) works just fine under FreeBSD 6.0 for me, with the only exception of the SSL.
 

xing

LiteSpeed Staff
#14
Joe/Ianchov,

Are you guys using LiteSpeed via the Linux compatibility layer under FreeBSD 6.0? Or using the LiteSpeed FreeBSD packages? When I tried the FreeBSD package under 6.0, LiteSpeed is looking for different versions of sys libs than that provided by 6.0.

Thanks.
 
#15
That is interesting.. :)
I'm using the FreeBSD packages....but I never thought about using the Linux one.



Is there any performance difference between the two?
 

joe

Well-Known Member
#16
I'm also using the freebsd package.

During the setup I recall having to create 3-4 soft links but I forget what exactly they were. Basically just creating links to similar library files. After creating each soft link I could go another step through the install routine until it finished.
 

xing

LiteSpeed Staff
#17
I have very limited experience with FreeBSD but when I tried LiteSpeed Linux version with FreeBSD 6.0's Linux compat layer, everything works. However, there is an abnormal amount of timeout sessions to clients via logging as compared to my linux box. This is for a load balanced 50/50 proxy with litespeed.

I'm still trying to get the litespeed freebsd to work with 6.0. When I tried it last week with a few symlinks, I was getting segmentation faults. Perhaps I did the wrong sym links. Will try again.

In my opinion, stick with freebsd package. I wouldn't trust a 24/7 operation on a compatibility layer.
 

xing

LiteSpeed Staff
#18
For those of you on the bleeding edge trying to use LiteSpeed with FreeBSD 6.0. Here is the run down, summary, of what works, what doesn't, and what you need to do to get LiteSpeed up and running.

FreeBSD 6.0

1) Professional/Enterprise Editions currently are not supported under FreeBSD 6.0. License verification fails due to incompatible library.

2) Standard Edition works with caveats:

a) SSL does not work. Library incompatibility.

b) You must sym/soft link the following files:

Code:
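# Each link is the older library name the binary asks for, pointing at the library FreeBSD 6.0 provides
ln -s /lib/libc.so.6 /lib/libc.so.4
ln -s /lib/libcrypt.so.3 /lib/libcrypt.so.2
ln -s /lib/libm.so.4 /lib/libm.so.2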
3) You can use the Linux package under FreeBSD Linux compat layer. It installs and runs. However, the extent of how well it functions is still up in the air and your feedback can shed more light on this.
 

mistwang

LiteSpeed Staff
#19
I tried FreeBSD 6.0 in our lab, looks like there is some problem with the statically linked openssl library, when SSL is used, it will dump a core file.

Looks like FreeBSD 6.0 needs a dedicated lshttpd binary.
 

joe

Well-Known Member
#20
I concur with xing's assessment and the links, I made the same during the install.

I'm not using 6.0 in production so I haven't seen the issues discussed, but not trying that hard I guess.
 