mod_ssl, Apache2 and Leopard with patch -- doesn't work
Hello all --
I've taken note of Ticket 11755 regarding a patch to the Apache2 MacPort due to the known problems with mod_ssl on Leopard. I have installed both the openssl and openssl97 MacPorts. I deactivated openssl and ensured that openssl97 was active. I patched the apache2 (version 2.2.6 of Apache) Portfile. And then I installed apache2 with the openssl97 variant:
$ sudo port install apache2 +openssl97
Then, when I try running apache I get:
$ opt/local/apache2/bin/apachectl start
httpd: Syntax error on line 96 of /opt/local/apache2/conf/httpd.conf: Cannot load /opt/local/apache2/modules/mod_ssl.so into server: dlopen(/opt/local/apache2/modules/mod_ssl.so, 10): Symbol not found: _ssl_cmd_SSLCACertificateFile\n Referenced from: /opt/local/apache2/modules/mod_ssl.so\n Expected in: flat namespace\n
Line 96 of my httpd.conf file looks like this:
LoadModule ssl_module modules/mod_ssl.so
Checking the file itself, I get:
-rwxr-xr-x 2 admin staff 156512 Jan 6 06:09 mod_ssl.so
What would I be doing wrong? Maybe it's best to compile mod_ssl.so manually, against openssl97, instead of with the patched Portfile? I would rather fix this for Apache2 rather than uproot the openssl Portfile (which uses 0.9.8g) and which many other MacPorts depend on.
Thanks,
T.M.
On Jan 6, 2008, at 7:27 AM, Tabitha McNerney wrote:
I would rather fix this for Apache2 rather than uproot the openssl Portfile (which uses 0.9.8g) and which many other MacPorts depend on.
Yes, it is possible: a simple workaround consists in stripping out from Apache2's configure the option "-export-symbols-regex ssl_module".
On 1/5/08, Guido Soranzio <guido.soranzio@gmail.com> wrote:
On Jan 6, 2008, at 7:27 AM, Tabitha McNerney wrote:
I would rather fix this for Apache2 rather than uproot the openssl Portfile (which uses 0.9.8g) and which many other MacPorts depend on.
Yes, it is possible: a simple workaround consists in stripping out from Apache2's configure the option "-export-symbols-regex ssl_module".
It sounds as if stripping that would mean that I would not be able to use OpenSSL 0.9.7. Hmmm ... that's a bummer.
Thank you,
T.M.
On Jan 6, 2008, at 10:23 AM, Tabitha McNerney wrote:
It sounds as if stripping that would mean that I would not be able to use OpenSSL 0.9.7. Hmmm ... that's a bummer.
"-export-symbols-regex" is an option for libtool that limits the symbols exported by a module.
I have not yet tested this workaround on apache2, but under Leopard omitting this option from other troublesome makefiles makes accessible again the symbols reported as not found.
Here is a positive report on the "Symbol not found: _ssl_cmd_SSLCACertificateFile" error which happens otherwise with the current apache2 port:
<http://www.nabble.com/Re%3A-Apache2%3A-Default-configuration-does-not-work--...
On 1/5/08, Guido Soranzio <guido.soranzio@gmail.com> wrote:
On Jan 6, 2008, at 10:23 AM, Tabitha McNerney wrote:
It sounds as if stripping that would mean that I would not be able to use OpenSSL 0.9.7. Hmmm ... that's a bummer.
"-export-symbols-regex" is an option for libtool that limits the symbols exported by a module.
I have not yet tested this workaround on apache2, but under Leopard omitting this option from other troublesome makefiles makes accessible again the symbols reported as not found.
Here is a positive report on the "Symbol not found: _ssl_cmd_SSLCACertificateFile" error which happens otherwise with the current apache2 port:
<http://www.nabble.com/Re%3A-Apache2%3A-Default-configuration-does-not-work--...
Hi Guido,
Thanks for extra pointer. This seems worth trying out. I would rather stay with OpenSSL 0.9.8g only (instead of having two versions of OpenSSL). I will give this a try and see what I can come up with and will post my findings to this email thread on the list.
Best,
T.M.
Guido,
I just had an idea. Why not use Apple's libssl.so that comes with Leopard Server, which can be found in:
/usr/libexec/httpd/libssl.so
Based on the output of otool, Apple has built libssl.so against OpenSSL 0.9.7 rather than the troublesome 0.9.8:
$ otool -L libssl.so
libssl.so:
    /usr/lib/libssl.0.9.7.dylib (compatibility version 0.9.7, current version 0.9.7)
    /usr/lib/libcrypto.0.9.7.dylib (compatibility version 0.9.7, current version 0.9.7)
    /usr/lib/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 111.0.0)
Is there any reason why libssl could not be used in place of mod_ssl for those running MacPorts on Leopard Server? I don't spend enough of my time in the depths of Apache but I think I will try this out and see what happens.
Note: if this solution works, it would not solve the problem for people who are running Leopard but not Leopard Server.
Thanks,
T.M.
On Jan 6, 2008, at 8:24 PM, Tabitha McNerney wrote:
I just had an idea. Why not use Apple's libssl.so that comes with Leopard Server
Because the goal of the MacPorts project is the contrary of that: we should mess with the sources provided by third parties, not with the binaries distributed by Apple!
I have tried to apply the rough workaround I suggested you; these are the simple steps I followed:
* extract the sources of Apache with "sudo port extract apache2"
* search where in the sources the option "-export-symbols-regex" is defined with:
grep -r "-export-symbols-regex" /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_ports_www_apache2
==>
[...]
[...]/httpd-2.2.6/configure: test "x$silent" != "xyes" && echo " setting MOD_SSL_LDADD to \"-export-symbols-regex ssl_module\""
[...]/httpd-2.2.6/configure: MOD_SSL_LDADD="-export-symbols-regex ssl_module"
[...]/httpd-2.2.6/configure: apr_addto_bugger="-export-symbols-regex ssl_module"
[...]
* as suspected, the option is used to build the ssl_module...
* let's edit the apache2 Portfile with "sudo port edit apache2" and add our patch to the configure script in the Leopard section:
platform darwin 9 {
    depends_build-append port:gawk
    post-extract {
        reinplace "s|-export-symbols-regex ssl_module||g" ${worksrcpath}/configure
    }
}
* after cleaning the apache2 port and compiling it, let's test it:
sudo apachectl start
* no message errors about missing symbols: we got it!
-- Guido
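A check one could run around the steps in the message above, added here as an example; it is not part of the original thread or of the MacPorts port. It counts leftover occurrences of the libtool option in a configure script, applies the same substitution as the reinplace line, and tests an "nm -u" style listing for the symbol named in the dlopen error. The function names, the sample configure fragment and the symbol listings are constructed, and the nm check assumes the missing symbol is listed as undefined in the module.

```shell
#!/bin/sh
# Added example: check the configure edit and the rebuilt module.
# Function names and sample data are constructed for illustration.

OPT='-export-symbols-regex ssl_module'   # libtool option named in the thread

# Print the number of lines in file $1 that still contain the option.
# -F matches a fixed string; -e keeps a pattern that starts with "-"
# from being parsed as grep options.
count_option() {
    grep -c -F -e "$OPT" "$1" || true
}

# Write a copy of $1 to $2 with the option removed: the same
# substitution the Portfile's reinplace applies to configure.
strip_option() {
    sed "s|$OPT||g" "$1" > "$2"
}

# Read a symbol listing (for example "nm -u mod_ssl.so") on stdin and
# succeed if symbol $1 is listed there, i.e. the loader would still have
# to resolve it from outside the module (assumption of this example).
is_undefined() {
    grep -q -E "(^|[[:space:]])$1\$"
}

# Constructed configure fragment modelled on the grep hits in the thread.
make_sample() {
    cat > "$1" <<'EOF'
test "x$silent" != "xyes" && echo "  setting MOD_SSL_LDADD to \"-export-symbols-regex ssl_module\""
MOD_SSL_LDADD="-export-symbols-regex ssl_module"
LIBS="-lssl -lcrypto"
EOF
}

# Patch a throwaway copy and print "<hits before> <hits after>".
demo() {
    dir=$(mktemp -d) || return 1
    make_sample "$dir/configure"
    before=$(count_option "$dir/configure")
    strip_option "$dir/configure" "$dir/configure.patched"
    after=$(count_option "$dir/configure.patched")
    echo "$before $after"
    rm -rf "$dir"
}

demo
```

On a real build, count_option would be pointed at the configure script in the port's work directory after the extract phase, and the output of "nm -u" on the installed mod_ssl.so piped into is_undefined with the symbol from the error message.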
On 1/6/08, Guido Soranzio <guido.soranzio@gmail.com> wrote:
On Jan 6, 2008, at 8:24 PM, Tabitha McNerney wrote:
I just had an idea. Why not use Apple's libssl.so that comes with Leopard Server
Because the goal of the MacPorts project is the contrary of that: we should mess with the sources provided by third parties, not with the binaries distributed by Apple!
Guido, I am with you and agree with you. MacPorts should have the goal of being as independent as possible. And that reminds me then that I should take a closer look to see why the kaffe port will not build on Leopard, too (rather than using Apple Leopard Server's Tomcat, since I want to build Tomcat from MacPorts and it depends on Kaffe).
I have tried to apply the rough workaround I suggested you; these are the simple steps I followed:
* extract the sources of Apache with "sudo port extract apache2"
Guido, this is fascinating! I was not aware of the command-line tool named "extract". I don't see it in my PATH on either my Tiger Server or Leopard Server system. I also don't see "extract" as a MacPort as in:
$ port info extract
Error: Port extract not found
Could you point me (and the MacPorts mailing list) to where we can find the extract command-line tool? Thank you!
* search where in the sources the option "-export-symbols-regex" is defined with:
grep -r "-export-symbols-regex" /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_ports_www_apache2
==>
[...]
[...]/httpd-2.2.6/configure: test "x$silent" != "xyes" && echo " setting MOD_SSL_LDADD to \"-export-symbols-regex ssl_module\""
[...]/httpd-2.2.6/configure: MOD_SSL_LDADD="-export-symbols-regex ssl_module"
[...]/httpd-2.2.6/configure: apr_addto_bugger="-export-symbols-regex ssl_module"
[...]
* as suspected, the option is used to build the ssl_module...
* let's edit the apache2 Portfile with "sudo port edit apache2" and add our patch to the configure script in the Leopard section:
platform darwin 9 {
    depends_build-append port:gawk
    post-extract {
        reinplace "s|-export-symbols-regex ssl_module||g" ${worksrcpath}/configure
    }
}
* after cleaning the apache2 port and compiling it, let's test it:
sudo apachectl start
* no message errors about missing symbols: we got it!
Guido, you are a hero of the day!!! I will also test your solution on Leopard Server and confirm that it works for me. If it works for you and also for me, then I think you (or I can do this for you if you are busy) should submit the patch to MacPorts Trac system.
Thanks for helping to find the solution,
T.M.
-- Guido
On 1/6/08, Tabitha McNerney <tabithamc@gmail.com> wrote:
On 1/6/08, Guido Soranzio <guido.soranzio@gmail.com> wrote:
On Jan 6, 2008, at 8:24 PM, Tabitha McNerney wrote:
I just had an idea. Why not use Apple's libssl.so that comes with Leopard Server
Because the goal of the MacPorts project is the contrary of that: we should mess with the sources provided by third parties, not with the binaries distributed by Apple!
Guido, I am with you and agree with you. MacPorts should have the goal of being as independent as possible. And that reminds me then that I should take a closer look to see why the kaffe port will not build on Leopard, too (rather than using Apple Leopard Server's Tomcat, since I want to build Tomcat from MacPorts and it depends on Kaffe).
I have tried to apply the rough workaround I suggested you; these are the simple steps I followed:
* extract the sources of Apache with "sudo port extract apache2"
Guido, this is fascinating! I was not aware of the command-line tool named "extract". I don't see it in my PATH on either my Tiger Server or Leopard Server system. I also don't see "extract" as a MacPort as in:
$ port info extract
Error: Port extract not found
Could you point me (and the MacPorts mailing list) to where we can find the extract command-line tool? Thank you!
Guido, sorry, my eyes missed it the first time reading through ... "extract" is a verb for the port command. Will try your solution today and confirm that it works for me too.
Thank you,
T.M.
[SNIP]
On Jan 6, 2008, at 1:47 PM, Tabitha McNerney wrote:
Guido, this is fascinating! I was not aware of the command-line tool named "extract". I don't see it in my PATH on either my Tiger Server or Leopard Server system. I also don't see "extract" as a MacPort as in:
"port help" is the command you want to use, not "port info" - that is for an entirely different namespace.
- Jordan
On 1/6/08, Jordan K. Hubbard <jkh@apple.com> wrote:
On Jan 6, 2008, at 1:47 PM, Tabitha McNerney wrote:
Guido, this is fascinating! I was not aware of the command-line tool named "extract". I don't see it in my PATH on either my Tiger Server or Leopard Server system. I also don't see "extract" as a MacPort as in:
"port help" is the command you want to use, not "port info" - that is for an entirely different namespace.
- Jordan
Jordan,
In a week you have graciously twice reinforced the importance of namespaces (besides this thread, also the thread about Unix usernames using underscores in Leopard such as _postfix). Thank you for making the world a better place and helping educate people in the MacPorts community about these important concepts (it makes the community stronger, and is such a welcome relief to the legacy approach to the world that some have taken such as Microsoft). It's great to be working with Xserves, iMacs, Macbooks, OS X and MacPorts!
Best,
T.M.
Guido,
I can confirm that your solution that you eloquently described aforementioned works perfectly -- the namespace error when running Apache2 with mod_ssl.so loaded on Leopard Server (10.5.1 Server) with MacPorts 1.6.0 apache version 2.2.6 is alleviated completely. I think ticket # 13182 should be updated per your solution.
However, please note that I have not yet tried to do anything over SSL with certificates, etc. Also, I am not sure if this will alleviate the perhaps related problem with Subversion when communicating with Subversion over SSL with Apache (or there is also the option to communicate with Subversion over SSL independent of Apache's mod_dav_svn.so module):
http://subversion.tigris.org/faq.html#ssl-negotiation-error
When performing Subversion operations involving a lot of data over SSL, I get the error SSL negotiation failed: SSL error: decryption failed or bad record mac. This can occur due to a problem with OpenSSL 0.9.8. Downgrading to an older version (or possibly upgrading to a newer version) is known to fix this issue.
So maybe for now it's best to treat the SSL / Subversion problem separate from Apache-with-SSL-and-Subversion.
I have some additional tickets to contribute information to later today so I will add your fix to ticket 13182 unless you prefer to do this.
Thanks,
T.M.
Hello Guido and all others interested ...
I have amended Ticket numbers: 13182 and 11755 per this thread.
Thanks,
T.M.
participants (3)
- Guido Soranzio
- Jordan K. Hubbard
- Tabitha McNerney