Compatible with Mac OS X Server 10.6?

Sun May 1 10:19:15 PDT 2011

On May 1, 2011, at 07:02, René Fournier wrote:

>> You may be better off just rebuild the mod_ssl module for Apple's apache rather than rebuilding all of apache... you'll probably run out of duct tape and crazy glue.
> 
> OK, that's good to know. My only issue is SSL, since Apache is not a security risk at this point. Now, the thing is, I did compile from source the latest version of OpenSSL (1.0.0d)... I did that a couple days ago, and I thought that that was enough. I added the new binary to the PATH (/usr/local/ssl/bin)... But then I checked Apache/PHP and noticed they still were reporting the old version. 
> 
> So I guess my first question is, do I need to simply configure Apache somewhere to use the newer OpenSSL now installed?

No.  If the version you were updating to was binary compatible with the old version, you could use install_name_tool (check the man page) to change libphp5.so and mod_ssl.so to use the new version:

install_name_tool -change /usr/lib/libssl.0.9.8.dylib /usr/local/lib/libssl.0.9.9.dylib /usr/libexec/apache2/mod_ssl.so
install_name_tool -change /usr/lib/libcrypto.0.9.8.dylib /usr/local/lib/libcrypto.0.9.9.dylib /usr/libexec/apache2/mod_ssl.so

install_name_tool -change /usr/lib/libssl.0.9.8.dylib /usr/local/lib/libssl.0.9.9.dylib /usr/libexec/apache2/libphp5.so
install_name_tool -change /usr/lib/libcrypto.0.9.8.dylib /usr/local/lib/libcrypto.0.9.9.dylib /usr/libexec/apache2/libphp5.so

*BUT* version 1.0.0 is not binary compatible, so you'll need to rebuild libphp5.so (directions in the URL I provided should work ... I think I did it at some point) and mod_ssl.so (likely a similar process)

> - or -
> 
> Can I simply build mod_ssl for Apache and somehow hook that up while continuing to enjoy the benefits of Apple's magical Server Admin and other web-related services?

You need to rebuild *BOTH* libphp5.sp and mod_ssl.so.  Server Admin will continue to work with the new modules.

> I see mod_ssl in httpd.conf (LoadModule ssl_module libexec/apache2/mod_ssl.so), is that what needs to be updated as well? 

httpd.conf won't need to be updated, but the .so will.  I suggest you backup  /usr/libexec/apache2/mod_ssl.so and /usr/libexec/apache2/libphp5.so first.

> If so, can anyone recommend a good walkthrough for compiling a newer mod_ssl based on the latest source?

For libphp5.so: http://www.webrelatedstuff.com/articles/mac-server-setup/install-php-5-3-3-on-mac-os-x-/3
For mod_ssl.so:

I couldn't find one, but the process is essentially the same.  You may want to read apxs(8) which describles how apxs works to build modules for the existing Apache.  Since your concern is OpenSSL itself and not mod_ssl, I'd recommend using mod_ssl from the apache sources matching your apache version (from Apple).  This link is to the version used in Mac OS X 10.6.7:
http://opensource.apple.com/tarballs/apache/apache-747.3.tar.gz

It looks like if you just 'cd httpd' after expanding the tarball, you'll see the files from the apache tarball.  You may need to apply the patches present in the patches subdirectory if they modify modules/ssl.

Just configure apache as you would any autoconf project and make sure you tell it to use your ssl: '--prefix=/usr --enable-layout=Darwin --with-ssl=/usr/local --enable-ssl --enable-mods-shared=all' (other configure options listed in the Makefile may be important as well).  Then, you can probably just go into the modules/ssl subdirectory and do a 'make && sudo make install DESTDIR=/tmp/new_mod_ssl' ... verify that what is installed in /tmp/new_mod_ssl looks reasonable (ie: it contains /usr/libexec/apache2/mod_ssl.sl and doesn't overwrite things it shouldn't).  If so, do a 'sudo make install' and restart apache.

--Jeremy