Installing an OpenSSL that supports SNI alongside the previous version of OpenSSL

So I learned that to host multiple HTTPS websites on the same IP address you need an OpenSSL version that supports SNI (0.9.8f and higher). My RHEL5 box currently has 0.9.8e and Apache version httpd-2.2.26-2.el5.

According to a similar question here it's not a good idea to replace the original version of OpenSSL; instead, you should have a parallel installation. It doesn't, however, explicitly mention how to achieve this.

So my questions are:

  • How do I have an alternate installation of OpenSSL without breaking the system?
  • How do I make Apache use this version of OpenSSL and not the original one?

A detailed guide would be extremely helpful.


Solution 1:

The first bit is fairly easy. Download the source (0.9.8y appears to be the current version of that stream) from http://www.openssl.org, unpack, ./config shared --prefix=/usr/local/openssl && make && make install.

The second bit may be harder. You might get away with starting apache with

LD_LIBRARY_PATH=/usr/local/openssl/lib /usr/sbin/httpd

(or wherever the install puts the libraries; I don't have a box with such a setup to hand in order to check it) but it may be too big a jump in versions for apache to start. If it is, you're reduced to rebuilding apache from source as well, in order to relink it against your new OpenSSL, and that will rapidly become a maintenance nightmare.

So try it, but if you can't get away with shoehorning the existing apache into run-time loading your newly-built openssl version, you'd probably be better off planning a migration to RHEL6 (or better yet, CentOS 6).
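A check for the procedure in the answer above, added here and not part of the original answer: it reports which libssl mod_ssl actually resolves to when started with LD_LIBRARY_PATH, and whether that OpenSSL version is 0.9.8f or later (the first release with SNI). The paths /usr/local/openssl and /etc/httpd/modules/mod_ssl.so, and the prefix/bin-beside-prefix/lib layout, are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer: checks whether the LD_LIBRARY_PATH
# trick above actually takes effect, by printing which libssl mod_ssl resolves to
# and whether that OpenSSL supports SNI (0.9.8f or later). Assumed paths: the
# alternate build under /usr/local/openssl, mod_ssl at /etc/httpd/modules/mod_ssl.so.

# Return 0 if an OpenSSL version string ("0.9.8e-fips-rhel5", "0.9.8y", "1.0.1e")
# is 0.9.8f or later, the first release with SNI support.
openssl_supports_sni() {
    ver=$1
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    num=$(printf '%s' "$patch" | sed 's/[^0-9].*//')                  # "8e-fips" -> 8
    letters=$(printf '%s' "$patch" | sed 's/^[0-9]*//; s/[^a-z].*//')  # "8e-fips" -> e
    if [ "$major" -gt 0 ] || [ "$minor" -gt 9 ] || [ "$num" -gt 8 ]; then
        return 0                                  # 1.x, 0.10+, 0.9.9+: newer than 0.9.8f
    fi
    # Within 0.9.8 the letter suffix must sort after "e"; the "x" prefix keeps expr
    # doing a string comparison and handles an empty suffix (plain 0.9.8).
    if [ "$minor" -eq 9 ] && [ "$num" -eq 8 ] && [ "$(expr "x$letters" \> xe)" = 1 ]; then
        return 0
    fi
    return 1
}

# Read `ldd` output on stdin; print the path libssl resolves to (nothing if absent).
libssl_path_from_ldd() {
    sed -n 's/^[[:space:]]*libssl\.so[^ ]* => \(\/[^ ]*\).*/\1/p' | head -n 1
}

# The loader only substitutes a library with the same soname: a self-built 0.9.8
# ships libssl.so.0.9.8 while RHEL5's package is libssl.so.6, so the trick can
# silently fall back to the system library. This shows which one actually loads.
check_mod_ssl() {
    mod=${1:-/etc/httpd/modules/mod_ssl.so}
    libdir=${2:-/usr/local/openssl/lib}
    path=$(LD_LIBRARY_PATH=$libdir ldd "$mod" | libssl_path_from_ldd)
    echo "mod_ssl resolves libssl to: ${path:-<none found>}"
    case $path in
        "$libdir"/*) bin=${libdir%/lib}/bin/openssl ;;   # assumes prefix/bin beside prefix/lib
        *)           bin=openssl ;;                       # system library, system binary
    esac
    ver=$("$bin" version | awk '{print $2}')
    if openssl_supports_sni "$ver"; then
        echo "OpenSSL $ver: SNI supported"
    else
        echo "OpenSSL $ver: no SNI support (need 0.9.8f or later)"
    fi
}
if [ $# -gt 0 ]; then check_mod_ssl "$@"; fi
```

Run it as `sh check.sh /etc/httpd/modules/mod_ssl.so /usr/local/openssl/lib`; if the reported path is still the system libssl.so.6, Apache is not using the new build and the answer's "rebuild or migrate" advice applies.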