Apache SSLOpenSSLConfCmd Error: Fixing Invalid Command in mod_ssl Configuration


When implementing Logjam vulnerability fixes on CentOS 6.6 with Apache 2.4.12 and OpenSSL 1.0.2a, administrators often encounter this specific error:

Invalid command 'SSLOpenSSLConfCmd', perhaps misspelled or defined by a module not included in the server configuration

The SSLOpenSSLConfCmd directive is available in httpd 2.4.8 and later (mod_ssl carries the httpd version number) and is only compiled in when mod_ssl is built against OpenSSL 1.0.2 or later. The error typically occurs when:

  • Running an older mod_ssl version that doesn't support this directive
  • Having a version mismatch between Apache and mod_ssl
  • Missing required OpenSSL development headers during compilation

First check your actual mod_ssl version:

# Check mod_ssl version
strings /path/to/mod_ssl.so | grep "mod_ssl"

Then verify Apache's loaded modules:

httpd -M | grep ssl

For CentOS/RHEL systems, the most reliable fix involves:

Option 1: Rebuild mod_ssl with correct dependencies

# Reinstall development packages
yum reinstall openssl-devel

# Rebuild Apache with mod_ssl. --with-ssl takes the OpenSSL install prefix
# (the directory containing include/openssl and lib), not the include dir itself
./configure --enable-ssl --with-ssl=/usr
make clean && make && make install

Option 2: Manual module replacement

For binary installations, replace mod_ssl.so with a module built for exactly the same httpd version and Module Magic Number (compare the httpd -V output of both builds); a module from a different build will not load:

# Backup existing module
cp modules/mod_ssl.so modules/mod_ssl.so.bak

# Download matching version
wget https://example.com/mod_ssl-2.4.12.so -O modules/mod_ssl.so

After successful upgrade, the directive works for DH parameter configuration:

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /path/to/cert.pem
    SSLCertificateKeyFile /path/to/key.pem
    SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
</VirtualHost>

General troubleshooting:

  • Always check the Apache error log (tail -f /var/log/httpd/error_log)
  • Verify module compatibility with httpd -V (the Module Magic Number must match the build mod_ssl.so came from)
  • Consider using SSLCipherSuite as a fallback on older versions

When implementing Logjam vulnerability mitigations on Apache servers, many administrators encounter this specific error when trying to use the SSLOpenSSLConfCmd directive. This typically occurs during the configuration of DH parameters or cipher suites in the SSL/TLS setup.

The error indicates one of two possibilities:

  1. The mod_ssl module wasn't compiled with OpenSSL 1.0.2+ support
  2. Your Apache version was built against an older OpenSSL version

Here's how to verify your setup:

# Check which OpenSSL mod_ssl was built against: httpd -V does not print it,
# but mod_ssl logs it at startup (message AH01876, "... compiled against
# Server: Apache/x.y.z, Library: OpenSSL/a.b.c")
grep 'compiled against' /var/log/httpd/error_log | tail -n 1

# And which libssl the module actually loads at runtime
ldd modules/mod_ssl.so | grep libssl

# Verify mod_ssl is properly loaded
apachectl -M | grep ssl

For Apache 2.4.12 with OpenSSL 1.0.2a, you need to ensure the build actually links that OpenSSL rather than the older system copy:

# Recompile Apache with proper OpenSSL support
./configure --with-ssl=/path/to/openssl-1.0.2a \
            --enable-ssl \
            --enable-modules=ssl

# Or for pre-built packages, verify dependencies:
yum list installed | grep -E '(httpd|openssl)'

If recompiling isn't an option, use legacy directives that work with older OpenSSL versions:

# Instead of SSLOpenSSLConfCmd, use:
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
SSLOptions +StrictRequire

Here's a functional SSL configuration that avoids the problematic directive:

<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile /path/to/cert.pem
    SSLCertificateKeyFile /path/to/key.pem
    SSLCertificateChainFile /path/to/chain.pem
    
    # Without SSLOpenSSLConfCmd there is no directive here for DH parameters,
    # so restrict the protocol and offer only ECDHE suites, which never
    # negotiate finite-field DH (httpd 2.4.7+ additionally reads custom DH
    # parameters appended to the SSLCertificateFile)
    SSLProtocol TLSv1.2
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    
    # Logging (CentOS paths; ${APACHE_LOG_DIR} is a Debian/Ubuntu convention)
    ErrorLog /var/log/httpd/ssl_error_log
    CustomLog /var/log/httpd/ssl_access_log combined
</VirtualHost>

After making changes, verify your configuration:

apachectl configtest
openssl s_client -connect localhost:443 -tls1_2 -cipher 'ECDHE'