With the latest Red Hat 5 updates, OpenSSL (now based on version 0.9.8e) is built with an environment variable hook that disables compression without a rebuild. The variable is called OPENSSL_NO_DEFAULT_ZLIB and should be set to "1" to disable compression. It can be exported from /etc/sysconfig/httpd to control Apache's SSL handling and work around this bug.

For other Red Hat variants, or if a rebuild is needed for some other reason, see below.

The procedure is probably similar across Red Hat and CentOS variants, but I've only tried with CentOS 5.

You should do this as a user other than root, but explaining how to create a local RPM build tree is out of scope here; you can work that out on your own if you want to. Assuming you're root, the following steps should rebuild a set of OpenSSL packages without zlib support, but with the same names as the original OS-supplied packages.

These instructions match the version at the time of authoring. If the OpenSSL package gets upgraded, the latest revision number might be higher.

  • Download the latest SRPM for OpenSSL into your build tree and unpack the spec file for editing.
$ cd /usr/src/redhat/SRPMS
$ wget http://mirror.centos.org/centos/5/os/SRPMS/openssl-0.9.8b-10.el5.src.rpm
$ rpm -i openssl-0.9.8b-10.el5.src.rpm
  • Modify /usr/src/redhat/SPECS/openssl.spec to remove the zlib dependencies and build option. Search for every instance of "zlib" and "zlib-devel" and remove them all, particularly the one used to configure the package.
  • Rebuild the packages. The example below includes a macro to append the .el5 distribution name to the package names, to match the Red Hat convention. You can adjust or omit as needed.
$ cd ../SPECS
$ rpmbuild -ba --define='dist .el5' openssl.spec
  • Finally, you can install the replacement packages by forcing them on top of the existing packages.
$ cd ../RPMS/i386
$ rpm -ivh --force openssl-0.9.8b-10.el5.i386.rpm openssl-devel-0.9.8b-10.el5.i386.rpm
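
The spec edit in the second step can be scripted. This is an added example, not part of the original instructions: the `strip_zlib` helper and the spec fragment are constructed for illustration, and the tag names and Configure options in the fragment are assumptions about what the real openssl.spec contains.

```shell
#!/bin/sh
# Added example (not from the original page): scripts the "remove every zlib
# reference" edit of openssl.spec and reports whatever is left for review.

# strip_zlib SPEC
#   Rewrites SPEC in place, keeping a backup as SPEC.orig, and deletes the
#   tokens "zlib" and "zlib-devel" where they stand alone between spaces or
#   commas. Returns 0 if no "zlib" text remains, 1 if a manual look is needed.
strip_zlib() {
    spec=$1
    cp -p "$spec" "$spec.orig" || return 2
    awk '{
        line = " " $0 " "            # pad so tokens at either edge are delimited
        changed = 0
        while (gsub(/[ \t,]zlib(-devel)?[ \t,]/, " ", line)) changed = 1
        if (!changed) { print; next }
        line = substr(line, 2)       # remove the leading pad
        sub(/[ \t,]+$/, "", line)    # remove trailing pad or dangling comma
        if (line ~ /^[A-Za-z]+[^: \t]*:$/) next   # tag left empty: drop it
        print line
    }' "$spec.orig" > "$spec" || return 2
    if grep -n 'zlib' "$spec" >&2; then   # e.g. zlib-dynamic, changelog text
        return 1
    fi
    return 0
}

# Constructed spec fragment for the demo; the real openssl.spec is longer and
# its tag names and Configure options are assumptions here.
sample_spec() {
    cat <<'EOF'
BuildPreReq: mktemp, krb5-devel, perl, sed, zlib-devel, /usr/bin/cmp
BuildRequires: zlib-devel
%build
./Configure --prefix=/usr ${sslflags} zlib no-idea no-mdc2 shared
EOF
}

demo_dir=$(mktemp -d)
sample_spec > "$demo_dir/openssl.spec"
strip_zlib "$demo_dir/openssl.spec" && cat "$demo_dir/openssl.spec"
rm -rf "$demo_dir"
```

Run the function against /usr/src/redhat/SPECS/openssl.spec before the rpmbuild step; a return status of 1 means the lines printed on stderr still mention zlib and need editing by hand.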