
Updating OpenSSL for Apache without breaking your base OpenSSL install on FreeBSD 9.2-RELEASE

After two very frustrating days, I have finally been able to perform what used to be a fairly routine thing for me, which is creating a FAMP server using FreeBSD, Apache 2.2.x, MySQL 5.x.x and PHP 5.5.x.

Several issues arose out of my attempts.

My first attempt was installing Apache 2.4.9, MySQL 5.6.17 and PHP 5.5.12 on FreeBSD 10.0-RELEASE-p3 (AMD64). This was my first time installing anything greater than MySQL 5.1.x. ‘./configure’ has been replaced with ‘cmake .’; other than that, all things ordinary. This was also my first time installing Apache 2.4.x and there are several new steps involved. The first is that you now have to manually install Apache’s portable runtime library and associated utilities. Piece of cake. Grabbed those from the APR website and installed without issue. Apache installed. But now the trouble. I was able to ‘./configure’ and ‘make’ PHP without issue, but during the ‘make install’ I ran into an issue.

# make install
Installing PHP SAPI module: apache2handler
/usr/local/httpd/build/instdso.sh SH_LIBTOOL='/usr/local/apr/build-1/libtool' libphp5.la /usr/local/httpd/modules
/usr/local/apr/build-1/libtool --mode=install cp libphp5.la /usr/local/httpd/modules/
libtool: install: cp .libs/libphp5.lai /usr/local/httpd/modules/libphp5.la
libtool: install: cp .libs/libphp5.a /usr/local/httpd/modules/libphp5.a
libtool: install: chmod 644 /usr/local/httpd/modules/libphp5.a
libtool: install: ranlib /usr/local/httpd/modules/libphp5.a
libtool: install: warning: remember to run `libtool --finish /usr/local/src/php-5.5.5/libs'
Warning! dlname not found in /usr/local/httpd/modules/libphp5.la.
Assuming installing a .so rather than a libtool archive.
chmod 755 /usr/local/httpd/modules/libphp5.so
chmod: /usr/local/httpd/modules/libphp5.so: No such file or directory
apxs:Error: Command failed with rc=65536

Keep in mind, this was a brand new, entirely fresh FreeBSD 10.0-RELEASE install with ‘freebsd-update’ run bringing it to -p3. Nothing else had been done on this box except the MySQL and Apache installs.

I found it very strange that in that small bunch of code, two separate libtools were referenced. Foolishly, I didn’t check my working server to compare. In any case, ‘/usr/local/apr/build-1/libtool’ and the libtool included with the PHP source were both referenced. For good measure, I even installed libtool using ‘pkg install’. Nothing worked and libphp5.so failed to be created. Not being a software developer, I went to Google looking for the answer but came up short. A few suggestions were to use the .bz2 version instead of the .tgz version, use ports and one person even pointed the finger at the AMD64 build of FreeBSD. I briefly attempted to install a known working version of libphp5.so from another one of my servers but that just created more issues. I moved on.

I reloaded the OS from scratch and tried again. Same result. I’m a sucker for punishment.

I then reinstalled the OS using FreeBSD 9.2-RELEASE. As before, I ran ‘freebsd-update’ first thing and brought it up to -p6. I compiled MySQL using the new steps I had learned earlier. Same with Apache, except I used 2.2.27 this time to simplify things; go with what you know. Then the true test, PHP 5.5.12, which also installed no problem. Added a few lines to httpd.conf and started the server. Problem. I telneted to port 80 to see what version of OpenSSL I was using and it came back as 0.9.8y. This version isn’t vulnerable to the Heartbleed vulnerability, but it does lack TLSv1.1 and TLSv1.2 support, which I need, if only to give my clients a greater sense of security. So I search Google for “freebsd upgrade openssl” and a few articles come up, including one I had recently visited. I went back, performed the needful using ports and OpenSSL was upgraded. Sort of. The base OpenSSL install has its binaries in /usr/bin, libraries in /usr/lib and config file in /etc. The port install puts the binaries in /usr/local/bin, the libraries in /usr/local/lib and the config file in /usr/local/etc/ssl. So I have two completely autonomous OpenSSL installs at this point. Typing ‘which openssl’ shows /usr/bin/openssl which is version 0.9.8y. ‘/usr/local/bin/openssl version’ shows 1.0.1g. Again, 0.9.8y is not vulnerable to Heartbleed, but it is insufficient for my needs. After further reading, a few people suggested to remove the old binary and symlink /usr/local/bin/openssl to /usr/bin/openssl and also symlink the configuration files. This seemed to work, so I rebuilt Apache again thinking that version 1.0.1g would show up. But it didn’t. Knowing that this was a new install and that I would probably blow it away once I found a working formula, I started deleting things, symlinking things, moving things, etc. I reminded myself of my father-in-law who, while looking to free up space on his internal HDD, deleted his Windows system files with the rationale of “I’ve never used those, I can delete them.” A mess I made. Server trashed. Blank slate.

Again, I started with FreeBSD 9.2-RELEASE. I immediately updated using freebsd-update to -p6. I then downloaded and installed OpenSSL 1.0.1g from the OpenSSL website. I then confirmed that my base and secondary install were as expected:

# /usr/bin/openssl version         
OpenSSL 0.9.8y 5 Feb 2013


# /usr/local/ssl/bin/openssl version
OpenSSL 1.0.1g 7 Apr 2014


When it came to compiling Apache, I had to compile mod_ssl as a static module. In the process, a few of the core modules were also made static, so I had a mishmash of static and dynamic. I had to comment out a few of the LoadModule statements in the httpd.conf, but in the end, everything works as it should.

[root@server01 ~]# telnet localhost 80
Connected to localhost.
Escape character is '^]'.
HTTP/1.1 / GET

HTTP/1.1 501 Method Not Implemented
Date: Wed, 28 May 2014 23:07:36 GMT
Server: Apache/2.2.27 (Unix) DAV/2 PHP/5.5.12 mod_ssl/2.2.27 OpenSSL/1.0.1g
Content-Length: 220
Connection: close
Content-Type: text/html; charset=iso-8859-1

Success! I now have a server running exactly the way I want and I have not compromised any of the base OpenSSL files, or anything that was built against them. While I think this was a fairly good way to accomplish this task, there are probably even better ways to do it. However, my Googling efforts did not lead me to those.
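
A small check for the banner test above, as an added example that is not part of the original post: it pulls the OpenSSL version out of a Server header and reports whether that release predates 1.0.1 (no TLSv1.1/TLSv1.2), falls in the Heartbleed-affected 1.0.1 to 1.0.1f range, or is 1.0.1g or later. The function names and sample banners are constructed for illustration, and only release-style versions such as 1.0.1g are handled.

```shell
#!/bin/sh
# Constructed sample banners, modelled on the Server header shown above.
BANNER_NEW='Server: Apache/2.2.27 (Unix) DAV/2 PHP/5.5.12 mod_ssl/2.2.27 OpenSSL/1.0.1g'
BANNER_OLD='Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/0.9.8y'

# Print the OpenSSL version token from a Server header (nothing if absent).
openssl_from_banner() {
    printf '%s\n' "$1" | sed -n 's|.*OpenSSL/\([0-9][0-9.]*[a-z]*\).*|\1|p'
}

# Classify a release version string (hypothetical helper):
#   no-tls12    older than 1.0.1, so no TLSv1.1/TLSv1.2
#   heartbleed  1.0.1 through 1.0.1f
#   ok          1.0.1g or later
#   unknown     missing or not in major.minor.fix[letter] form
classify_openssl() {
    ver=$1
    num=${ver%%[a-z]*}       # numeric part, e.g. 1.0.1
    letter=${ver#"$num"}     # patch letter(s), e.g. g (may be empty)
    case $num in
        ''|*[!0-9.]*|.*|*.|*..*|*.*.*.*) echo unknown; return 0 ;;
        *.*.*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${num%%.*}; rest=${num#*.}
    minor=${rest%%.*}; fix=${rest#*.}
    if [ "$major" -lt 1 ] ||
       { [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "$fix" -lt 1 ]; }; then
        echo no-tls12
    elif [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "$fix" -eq 1 ]; then
        case $letter in
            ''|[a-f]) echo heartbleed ;;
            *) echo ok ;;
        esac
    else
        echo ok
    fi
}

# Report on both sample banners.
for banner in "$BANNER_NEW" "$BANNER_OLD"; do
    v=$(openssl_from_banner "$banner")
    echo "${v:-none}: $(classify_openssl "$v")"
done
```

If ServerTokens is set to Prod the banner carries no version token, and the check reports unknown; in that case compare the output of the openssl binary from the prefix Apache was built against instead.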

Another method, which some will say is more elegant, would have been to install from pkg or ports. However, I disagree. Since I compiled my first web server twenty years ago to present day, I have always been an advocate of compiling critical services from source. If all you ever do is type ‘pkg install apache22’ how do you learn to troubleshoot when something goes wrong? How do you know how to fine tune your installation when you need to compile in sockets, or curl, or other libraries and modules? I prefer infinite control.

Installing MySQL, Apache, PHP & mod_perl on Debian from source


I am writing this article because I believe it may be useful to people other than just myself. I am new to Linux. However, the command-line environment is not unfamiliar to me. I have been avidly using FreeBSD since 1996 (2.1.5) and I am usually found with my head in a Cisco or Juniper terminal most of the day. Even with this experience, I found installing MySQL, Apache, PHP and mod_perl on Debian to be laborious and tedious. You see, on a FreeBSD server, you can nearly install Apache right out of the box. Install the perl and libxml2 packages and you’re ready to go. For whatever reason, the people driving Debian’s development have decided that you either need to install everything using apt-get (a package manager similar to FreeBSD’s pkg_add or Red Hat’s rpm) which is a horrifically terrible idea in a production environment, or jump through a plethora of hoops to install from source. I mean, Debian doesn’t even include gcc in the base install. Huh?

One thing FreeBSD does not do well, yet, is virtualization. Today, I needed a virtual box and my choices were between six different flavors of Linux and a few flavors of Windows. Windows is completely out of the question, so I was left to decide which Linux distribution I wanted to meander through. I recently worked for a company that used Debian (5.0 Lenny) as well as FreeBSD. I made a calculated decision that they, FreeBSD lovers, chose Debian because it closely resembled FreeBSD. I have still not decided whether or not my calculations were correct. Either way, I am armed with my good friend Google, who seldom lets me down when I encounter Linux issues. It would seem that someone has already been there, done that, fixed it and shared it. This is my attempt to give back.


Anyone looking to install MySQL 5.1, Apache 2.2, PHP 5.3 and mod_perl 2.0 on a Debian install.


You will obviously need a box running Debian. I happen to be running Debian 6.0 Squeeze with the Linux 2.6 kernel.

Linux server 2.6.32-5-xen-amd64 #1 SMP Tue Mar 8 00:01:30 UTC 2011 x86_64 GNU/Linux

You will also need to download the source tarballs for MySQL, Apache, PHP and mod_perl



  • You have a fresh Debian install
  • You have root privileges
  • You’ve downloaded all your sources to ‘/usr/local/src’
  • You’re installing MySQL in ‘/usr/local/mysql’
  • You’re installing Apache in ‘/usr/local/httpd’
  • You’ve created a user named ‘mysql’


During my installation, I tripped over several missing updates and libraries. In order for you to avoid encountering the same issues, please install the following updates and required libraries:

# apt-get update && apt-get upgrade
# apt-get install build-essential
# apt-get install libncurses5-dev
# apt-get install libxml2-dev
# apt-get install zlib1g-dev
# apt-get install libssl-dev
# apt-get install libgdbm3
# ln -s /usr/lib/libgdbm.so.3 /usr/local/lib/libgdbm.so
# ln -s /usr/lib/libperl.so.5.10 /usr/local/lib/libperl.so

The nitty gritty

Unpack the tarballs

# cd /usr/local/src
# tar xvfz mysql-5.1.60.tar.gz
# tar xvfz httpd-2.2.21.tar.gz
# tar xvfz php-5.3.8.tar.gz
# tar xvfz mod_perl-2.0-current.tar.gz

Configure, make and install MySQL

# cd /usr/local/src/mysql-5.1.60
# ./configure --prefix=/usr/local/mysql --with-plugins=innobase
# make
# make install
# ./scripts/mysql_install_db
# chown -R mysql:mysql /usr/local/mysql/var
# /usr/local/mysql/bin/mysqld_safe --bind-address= &
# /usr/local/mysql/bin/mysqladmin -u root password 'your-new-password-here'

Configure, make and install Apache

# cd /usr/local/src/httpd-2.2.21
# ./configure --prefix=/usr/local/httpd --enable-modules=all --enable-mods-shared=all --enable-so --enable-ssl
# make
# make install

Configure, make and install PHP

# cd /usr/local/src/php-5.3.8
# ./configure --with-mysql=/usr/local/mysql --with-apxs2=/usr/local/httpd/bin/apxs
# make
# make install
# cp php.ini-production /usr/local/lib/php.ini

Add the following lines to your httpd.conf file

AddType application/x-httpd-php .php .phtml
AddType application/x-httpd-php-source .phps

Insert them right after the following line:

AddType application/x-gzip .gz .tgz

Configure, make and install mod_perl

# cd /usr/local/src/mod_perl-2.0.5
# perl Makefile.PL MP_APXS=/usr/local/httpd/bin/apxs
# make
# make install

Add LoadModule config to your httpd.conf

LoadModule perl_module modules/mod_perl.so

Add that line where all the other LoadModule declarations are located.

And to finish it off…

Don’t forget your start-up scripts!


Once all the speed bumps are removed, installing from source is a piece of cake and doesn’t take long at all. Obviously, this is a very straightforward install and most of the time you’ll want to add several configuration options, especially to PHP.

I hope that you found this useful.