Well, it was time to migrate to my new server. I used RedHat 9, which uses Apache 2.0. I couldn't get all my junk to migrate to the new Apache, so I tried to simply move my 1.3.6 install over from my production machine. No dice - it complains that it can't run Apache.pm, which I later read is from a perl incompatibility problem. Rather than fight perl, I went and reinstalled the darn thing.
To do this right, the standard install of OpenSSL needs to be replaced. mod_ssl wants the source. It almost worked with the stock OpenSSL, but it seemed I could point Apache to either the include files or the binary but not both. Ah well, I personally enjoy building packages anyway.
Notes:
- I did all my work from the directory /root/apache. This is where I downloaded all my files.
- I am putting my apache under ==/usr/
- d/l openssl. I used 0.9.7d, the latest at this writing
- tar xvfz openssl-0.9.7d.tar.gz
- cd openssl-0.9.7d
- ./config --prefix=/usr/local --openssldir=/usr/local/openssl
- Optional: using Intel C++ compiler. I can't tell you offhand how much the performance improves, but Intel almost always beats gcc.
- Though there is supposedly a way to pass in compiler args and to use a non-gcc compiler, I could not get it to work with the configure script. It was just as easy to let it make a makefile for me, then edit it.
- Go into the makefile and replace all instances of gcc with icc
- edit the CFLAG setting to add any parms you want to use. icc, for instance, (harmlessly) complains about -fomit-frame-pointer. I added -xK -tpp6. When all is said and done, my CFLAG entry is like this for my P3 system...
CFLAG= -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -xK -DL_ENDIAN -DTERMIO -O3 -tpp6 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
- make -j 2 >& makelog.out (use both processors, write the log to a file). Note: there are a LOT of warnings!
- time make test (seconds). I did this for gcc and icc. With gcc I used -mcpu=pentiumpro -msse to keep things even. Here are my results... gcc is 16% slower.
Building mod_ssl
- get it from here
- (from the apache staging directory)
- tar xvfz mod_ssl-2.8.17-1.3.31.tar.gz
- cd mod_ssl-2.8.17-1.3.31
- ./configure --with-apache=../apache_1.3.31 --with-ssl=../openssl-0.9.7d --prefix=/usr/local
- that's it...
Building mod_perl
- get it from here
- tar xvfz mod_perl-1.0-current.tar.gz
- cd mod_perl-1.29
- perl Makefile.PL APACHE_SRC=../apache_1.3.31/src/ APACHE_PREFIX=/usr/local DO_HTTPD=1 PREP_HTTPD=1 USE_APACI=1 EVERYTHING=1 SSL_BASE=/usr/local/openssl/ (don't ask me what all these options mean)
- make (Note: I tried to build with the Intel compiler but got stymied... there were warnings that Perl and mod_perl want to use the same compiler)
o conf/ssl.key/ca.key
The PEM-encoded RSA private key file of the CA which you can
use to sign other servers or clients. KEEP THIS FILE PRIVATE!
o conf/ssl.crt/ca.crt
The PEM-encoded X.509 certificate file of the CA which you use to
sign other servers or clients. When you sign clients with it (for
SSL client authentication) you can configure this file with the
'SSLCACertificateFile' directive.
o conf/ssl.key/server.key
The PEM-encoded RSA private key file of the server which you configure
with the 'SSLCertificateKeyFile' directive (automatically done
when you install via APACI). KEEP THIS FILE PRIVATE!
o conf/ssl.crt/server.crt
The PEM-encoded X.509 certificate file of the server which you configure
with the 'SSLCertificateFile' directive (automatically done
when you install via APACI).
o conf/ssl.csr/server.csr
The PEM-encoded X.509 certificate signing request of the server file which
you can send to an official Certificate Authority (CA) in order
to request a real server certificate (signed by this CA instead
of our own CA) which later can replace the conf/ssl.crt/server.crt
file.
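The listing above marks ca.key and server.key as files to keep private. As an added example (not part of these notes or of mod_ssl), here is a shell function that audits the conf/ssl.key directory for keys readable by group or other and notes which keys are stored without a passphrase. The function names and the sample tree are assumptions made for illustration; the sample key files are constructed dummies.

```shell
#!/bin/sh
# Added example: audit the private keys in a mod_ssl conf tree (conf/ssl.key/*.key).
# Prints one finding per line. Returns 1 if any key is accessible to group or
# other (or the directory is missing), 0 otherwise. Unencrypted keys are a note only.
audit_ssl_keys() {
    key_dir="$1/ssl.key"
    [ -d "$key_dir" ] || { echo "MISSING $key_dir"; return 1; }
    status=0
    for key in "$key_dir"/*.key; do
        [ -f "$key" ] || continue
        # POSIX find: "-perm -NNN" matches when all bits in NNN are set, so
        # OR the six group/other bits to catch any one of them.
        loose=$(find "$key" \( -perm -040 -o -perm -020 -o -perm -010 \
                            -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
        if [ -n "$loose" ]; then
            echo "PERMS $key"
            status=1
        fi
        # A passphrase-protected PEM key carries one of these header lines.
        if ! grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$key"; then
            echo "PLAINTEXT $key"
        fi
    done
    return $status
}

# Constructed sample tree (dummy contents, not real keys): ca.key is
# encrypted and mode 600, server.key is unencrypted and mode 644.
make_sample_tree() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/ssl.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'CONSTRUCTED' \
        '-----END RSA PRIVATE KEY-----' > "$dir/ssl.key/ca.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED' \
        '-----END RSA PRIVATE KEY-----' > "$dir/ssl.key/server.key"
    chmod 600 "$dir/ssl.key/ca.key"
    chmod 644 "$dir/ssl.key/server.key"
    echo "$dir"
}

# Usage: sh audit_ssl_keys.sh /path/to/apache/conf
if [ -n "${1:-}" ]; then
    audit_ssl_keys "$1"
fi
```

A PLAINTEXT line is expected for a server.key that must load without a passphrase prompt at startup; in that case the file mode is the only thing protecting the key, so a PERMS finding on the same file is the one to fix first.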
--
MattWalsh - 24 May 2004