
Upgrading openssl from 0.9.8 to 1.0.2 / Ubuntu 8.04 LTS

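First of all, thank you for your time.

I have an old Ubuntu 8.04 server that is no longer supported. Since June, the payment platform I use has disabled TLSv1 and SSL.

My server runs with the following environment: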

Apache 2.2.8 /
Openssl 0.9.8 /
PHP 5.2.17 /
Ubuntu 8.04

I have already installed a new version of openssl (using wget):

openssl version 
OpenSSL 1.0.2o  27 Mar 2018

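My Apache version is too old to support TLSv1.2; I need to upgrade it to Apache 2.2.23 at minimum.

How do I compile Apache so that it takes the new OpenSSL version into account?

PS: I just got a new server to migrate my website to, but it will take some time to modify the code... I can't change servers for the moment.. I need to get it running as soon as possible, and then I will be able to focus on the errors introduced by PHP 7...

Thanks in advance for helping a newbie.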

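Since that old version of Ubuntu is no longer supported, you most likely cannot use the repos to install Apache.

You can compile it yourself by following these instructions: http://httpd.apache.org/docs/2.2/install.html

When running ./configure, you must use --enable-ssl and --with-ssl=DIR, where DIR is where OpenSSL is located (not the source code, but the installation directory). Check the ./configure output to identify any missing prerequisites.

Once make install has run, you will have to compile PHP with that new OpenSSL, and link it to the newly compiled Apache. http://ca3.php.net/manual/zh/install.unix.apache2.php


This is how I compile HTTP (notes taken a while back, some versions may differ). Adapt to your needs; this is provided "as is", with no warranty :-) The prerequisites are based on RHEL 6 or 7, adjust as required.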

Required software:
- apr-1.6.2
- apr-iconv-1.2.1
- apr-util-1.5.4
- httpd-2.4.26
  (identical procedure used with previous versions of 2.4)
- openssl-1.0.2l
  (identical procedure used with older versions of 1.0)
- Unzip and untar these under /opt/app/SOURCES

System setup

Ask Unix to create:
- /opt/app/httpd, owner httpd, group httpd, permissions 775
- user httpd, group httpd

Create these directories
- /opt/app/apr
- /opt/app/apr-iconv
- /opt/app/apr-util
- /opt/app/httpd
- /opt/app/openssl
- all owned by httpd, group httpd, permissions 750

Procedure

Get Unix to install prerequisites
for F in libxml2.i686 libxml2.x86_64 libxml2-devel.i686 libxml2-devel.x86_64 apr-devel.i686 apr-devel.x86_64 apr-util.i686 apr-util.x86_64 pcre-devel.i686 pcre-devel.x86_64 autoconf libtool
do
        yum install -y $F
done

Switch to the httpd user.

Install APR
cd /opt/app/SOURCES/apr-1.6.2
./buildconf
./configure --prefix=/opt/app/apr
make
make install 

Keep the directory as is, APR Util and APR Iconv require the APR sources to refer to. 

Install APR Util
cd /opt/app/SOURCES/apr-util-1.5.4
./buildconf --with-apr=/opt/app/SOURCES/apr-1.6.2
./configure --prefix=/opt/app/apr-util --with-apr=/opt/app/apr
make
make install

Install APR Iconv
cd /opt/app/SOURCES/apr-iconv-1.2.1
./configure --prefix=/opt/app/apr-iconv --with-apr=/opt/app/apr
make
make install

Install OpenSSL
cd /opt/app/SOURCES/openssl-1.0.2l
export CFLAGS=-fPIC
./config --prefix=/opt/app/openssl --openssldir=/opt/app/openssl shared
make clean
make
make test
make install 

Install Apache
cd /opt/app/SOURCES/httpd-2.4.26
export LD_LIBRARY_PATH=/opt/app/openssl/lib
./configure --prefix=/opt/app/httpd --with-mpm=worker --enable-rewrite --enable-ssl --with-ssl=/opt/app/openssl --enable-proxy --enable-log-forensic --enable-log-debug --enable-expires --enable-headers --enable-unique-id --with-apr=/opt/app/apr --with-apr-util=/opt/app/apr-util
make
make install
vi /opt/app/httpd/bin/envvars
    Add /opt/app/openssl/lib to the LD_LIBRARY_PATH 

Note for the ./configure: this was done to build an Apache used as a proxy. Change the --enable* options as required.


Configure HTTP
- The original configuration files after installation are saved in /opt/app/httpd/conf/original
- While it is impossible to cover all configuration options, at least these should be changed from the install configuration:
--- Listen 80: change as required.
--- User httpd
--- Group httpd
--- ServerAdmin EMAILADDRESS
--- ServerName <HOSTNAME>:80
--- Comment or uncomment the modules, as required
--- Uncomment slotmem_shm_module
--- Comment: CustomLog "logs/access_log" common
--- Uncomment: CustomLog "logs/access_log" combined
--- Comment the following sections (the entire section!):
----- <IfModule alias_module>
----- <IfModule cgid_module>
----- <Directory "/opt/app/httpd/cgi-bin">
--- Uncomment:
----- Include conf/extra/httpd-mpm.conf
----- Include conf/extra/httpd-default.conf
----- Edit conf/extra/httpd-mpm.conf
----- Change performance options as required.  The defaults are ok until you have a large amount of traffic.
----- Edit conf/extra/httpd-default.conf
----- Comment AccessFileName .htaccess
----- ServerTokens Prod

--- Test the configuration:     /opt/app/httpd/bin/apachectl -t
--- Start it and access it with a browser.  It should return a simple "It works!" message (unless you have installed some HTML content).

This is my PHP compile procedure; again, no warranty of any kind. If you do not connect to these databases, you can ignore the parts about DB2, Oracle and PostgreSQL.

Prerequisites
- A compiled version of Apache HTTP and its requisites.  See HTTP installation.
- It "could" work with RedHat's compiled Apache, but it is not recommended.  If RH's Apache is used, might as well use RH's PHP build.
- PHP source code: download from http://php.net
- This procedure has been tested with success on versions: 5.3.13, 5.5.7, 5.6.3, 5.6.30.  No modifications were required.

Install Red Hat pre-requisites:
- libxml, libxml-devel
- libpng, libpng-devel
- libjpg, libjpg-devel

If using DB2
- Install DB2 client under /opt/app
- PHP searches for the lib directory, so:
       cd /opt/app/ibm/db2/V10.5
       ln -s lib64 lib

If using Oracle
- Install the Oracle Instant Client in /opt/app/oracle

Overview
PHP must be compiled and "linked" to Apache.  Apache must therefore be compiled before PHP.
Depending on which database PHP will connect to, the configure options must be changed.
http://php.net has more documentation and details for the build process, this is just what was used.

Build

Pre-compile configure

The configure command will detect what other software is installed on the system and link libraries.
Note for the database clients: they can all be linked at the same time, but it is recommended to link only the ones required.

The command is:
       ./configure --with-apxs2=/opt/app/httpd/bin/apxs \
                   --prefix=/opt/app/php \
                   --with-config-file-path=/opt/app/php \
                   --enable-zip \
                   --with-zlib \
                   --enable-mbstring \
                   --with-gd \
                   --with-pear
       # Database options: append only those required to the command above
       # (a comment after a trailing "\" would break the line continuation).
                   --with-pdo-odbc=ibm-db2,/opt/app/ibm/db2/V10.5                # if using DB2 only!
                   --with-oci8=instantclient,/opt/app/oracle/instantclient_11_2  # if using Oracle only!
                   --with-pgsql                                                  # if using PostgreSQL only!
                   --with-pdo-pgsql                                              # if using PostgreSQL with PDO only!


Compile
     make clean
     make
     make test
     make install 


$(make test) will report errors for the Oracle driver. MANY errors! The driver will still work (it was used for the nettracker replacement scripts to load Pharmaclik IBM HTTP Server logs into Oracle). But it will be impossible to use bind variables on Integers. That explains why that script does not use oci_bind* functions.



Post-compile configure
     libtool --finish /opt/app/php/lib

     cp php.ini-development /opt/app/php/php.ini
OR
     cp php.ini-production /opt/app/php/php.ini 

In php.ini, add these:
          include_path = ".:/php/includes:/opt/app/php/lib/php"
          date.timezone = 'America/Montreal'

Configure Apache

These lines are possibly already there since the PHP $(make install) takes care of it, if the httpd.conf file is "clean" (i.e. has not been modified from the originally installed file).
Add these to httpd.conf:
          LoadModule php5_module modules/libphp5.so
          AddType application/x-httpd-php .php .phtml
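
A build like the one above only gains TLSv1.2 if mod_ssl actually loads the newly installed OpenSSL at run time, which is what the LD_LIBRARY_PATH and envvars steps are for. The script below is an added example, not part of the original answer: it checks `ldd` output for that. The `check_ssl_linkage` helper and the sample `ldd` output are constructed for illustration, and the module path in the closing comment is an assumption about how the build was configured.

```shell
#!/bin/sh
# Added example. Reads `ldd` output on stdin; $1 is the lib directory of the
# new OpenSSL. Returns 0 only if libssl and libcrypto both resolve under it.
check_ssl_linkage() {
    awk -v want="$1" '
        BEGIN { bad = 0 }
        $1 ~ /^lib(ssl|crypto)\.so/ {
            seen[substr($1, 1, index($1, ".so") - 1)] = 1
            # $3 is the resolved path, or "not" when ldd prints "not found"
            if (index($3, want "/") != 1) {
                printf "MISMATCH: %s => %s\n", $1, ($3 == "not" ? "not found" : $3)
                bad = 1
            }
        }
        END {
            if (!("libssl" in seen))    { print "MISSING: libssl";    bad = 1 }
            if (!("libcrypto" in seen)) { print "MISSING: libcrypto"; bad = 1 }
            exit bad
        }'
}

# Constructed ldd output: module resolves to the build under /opt/app/openssl.
sample_good() { cat <<'EOF'
    libssl.so.1.0.0 => /opt/app/openssl/lib/libssl.so.1.0.0 (0x00007f3a10000000)
    libcrypto.so.1.0.0 => /opt/app/openssl/lib/libcrypto.so.1.0.0 (0x00007f3a0fc00000)
    libc.so.6 => /lib/libc.so.6 (0x00007f3a0f800000)
EOF
}
# Constructed: LD_LIBRARY_PATH not set, so the loader cannot find the new libs.
sample_unresolved() { cat <<'EOF'
    libssl.so.1.0.0 => not found
    libcrypto.so.1.0.0 => not found
EOF
}
# Constructed: the build picked up the distribution OpenSSL 0.9.8 instead.
sample_system() { cat <<'EOF'
    libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x00007f3a10000000)
    libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x00007f3a0fc00000)
EOF
}

for s in sample_good sample_unresolved sample_system; do
    if "$s" | check_ssl_linkage /opt/app/openssl/lib; then echo "$s: OK"
    else echo "$s: not running on the new OpenSSL"; fi
done
# Live use, with the paths from the answer (module location is an assumption):
#   . /opt/app/httpd/bin/envvars
#   ldd /opt/app/httpd/modules/mod_ssl.so | check_ssl_linkage /opt/app/openssl/lib
```

If mod_ssl was compiled into the httpd binary rather than built as a module, run `ldd` on /opt/app/httpd/bin/httpd instead; a MISSING result on either file means OpenSSL was linked statically or the wrong file was inspected.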
