Invalid command 'SSLOpenSSLConfCmd', perhaps misspelled or defined by a module not included in the server configuration

openssl apache-2.4 logjam

Like every other admin, I"m working through the Logjam fix.

I've upgraded to Apache 2.4.12 and openssl 1.0.2a on my centos 6.6 box.

When I start apache, I'm seeing this error message returned:

Invalid command 'SSLOpenSSLConfCmd', perhaps misspelled or defined by a module not included in the server configuration

Here is my apache build info:

Server version: Apache/2.4.12 (Unix)
Server built:   Jun  8 2015 22:04:38
Server's Module Magic Number: 20120211:41
Server loaded:  APR 1.4.5, APR-UTIL 1.3.12
Compiled using: APR 1.4.5, APR-UTIL 1.3.12
Architecture:   64-bit
Server MPM:     worker
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/opt/installs/apache/2_4_12"
 -D SUEXEC_BIN="/opt/installs/apache/2_4_12/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

mod_ssl is included in my httpd.conf:

LoadModule ssl_module modules/mod_ssl.so

What am I missing?


The SSLOpenSSLConfCmd is only available on httpd 2.4.8 later.

However, you may still generate and use your own DH params on earlier versions, as explained well here:

If you are using Apache with LibreSSL, or Apache 2.4.7 and OpenSSL 0.9.8a or later, you can append the DHparams you generated earlier to the end of your certificate file. The documentation for that is here and below:

Custom DH parameters and an EC curve name for ephemeral keys, can also be added to end of the first file configured using SSLCertificateFile. This is supported in version 2.4.7 or later. Such parameters can be generated using the commands openssl dhparam and openssl ecparam. The parameters can be added as-is to the end of the first certificate file. Only the first file can be used for custom parameters, as they are applied independently of the authentication algorithm type.

Just use cat to append the dhparams.pem to your certificate file:

cat dhparams.pem >> cert.pem

Related

How do I convert a VMWare VMDK HDD file to a HyperV VHD file?
Why is iptables not blocking an ip address?
Install SSL on Amazon Elastic Load Balancer with GoDaddy Wildcard Certificate
MAILTO is not working for CRON. How can I fix this?
Shared Home folders on file server listed as "My Documents"
On a modern system, will using disk compression give me better overall performance?
The Network folder specified is currently mapped using a different user name and password
My linux server was hacked. How do I find out how and when it was done?
"debug1: read_passphrase: can't open /dev/tty: No such device or address" when trying to connect through SSH
How can I see logs in a server after a kernel panic hang?
Best file system for external (USB) hard drives/USB memory media
Windows Server Backup Error - Volumes Larger than 16.7TB cannot be protected?