Apache httpd 2.4.48 with brotli support, TLS 1.3 final (RFC 8446) built against OpenSSL 1.1.1k with http2, mod_http2 1.15.19 and ALPN for Red Hat Enterprise Linux 7 and CentOS 7

Apache httpd 2.4.48-1 with brotli compression library from Google, TLS 1.3 Final (RFC 8446), http2 (HTTP/2) support for Red Hat Enterprise Linux and CentOS added to repository. Mod_ssl 1.15.19 is built dynamically against OpenSSL 1.1.1k. Mod_fcgid 2.3.9 is also added by request of our users.

Links:

Since 2.4.33 we added brotli compression library. Since 2.4.35 release we start building Apache httpd against OpenSSL 1.1.1*. Since 2.4.37 release TLS 1.3 final version (not to be confused with any draft versions) is supported and enabled by default. Since 2.4.43-4 release we built OpenSSL as a separate package that installs to the separate directory (/opt/codeit/openssl111) and does not affects system libraries.

Please note that TLS 1.3 final version is supported in Chrome 70+ and Mozilla Firefox 63+.

brotli support is already included in base RPM file. All you need is to add filters like

AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript

Http2 Apache httpd module no longer supports prefork mpm from version 2.4.27. If you need http2 module, please disable prefork mpm and enable evemt mpm in /etc/httpd/conf.modules.d/00-mpm.conf. We already made this in 00-mpm.conf in our packages. If you are updating other vendor installation, please update this file.

We already included a minimum required SELinux policy into the package.

Feel free to use our CentOS/RHEL repository. Please also note that this package depends on apr-util 1.5.0+ and libnghttp, which you can found in EPEL repository. So, the easiest way to use our builds of Apache HTTPd is to add EPEL repository, if you still do not have it: yum install -y epel-release

Changes with Apache 2.4.48

  *) mod_proxy_wstunnel: Add ProxyWebsocketFallbackToProxyHttp to opt-out the
     fallback to mod_proxy_http for WebSocket upgrade and tunneling.
     [Yann Ylavic]

  *) mod_proxy: Fix flushing of THRESHOLD_MIN_WRITE data while tunneling.
     BZ 65294.  [Yann Ylavic]

  *) core: Fix a regression that stripped the ETag header from 304 responses.
     PR 61820 [Ruediger Pluem, Roy T. Fielding]

  *) core: Adding SSL related inquiry functions to the server API.
     These function are always available, even when no module providing
     SSL is loaded. They provide their own "shadowing" implementation for
     the optional functions of similar name that mod_ssl and impersonators
     of mod_ssl provide.
     This enables loading of several SSL providing modules when all but
     one of them registers itself into the new hooks. Two old-style SSL
     modules will not work, as they replace the others optional functions
     with their own.
     Modules using the old-style optional functions will continue to work
     as core supplies its own versions of those.
     The following has been added so far:
     - ap_ssl_conn_is_ssl() to query if a connection is using SSL.
     - ap_ssl_var_lookup() to query SSL related variables for a
       server/connection/request.
     - Hooks for 'ssl_conn_is_ssl' and 'ssl_var_lookup' where modules
       providing SSL can install their own value supplying functions.
     - ap_ssl_add_cert_files() to enable other modules like mod_md to provide
       certificate and keys for an SSL module like mod_ssl.
     - ap_ssl_add_fallback_cert_files() to enable other modules like mod_md to
       provide a fallback certificate in case no 'proper' certificate is
       available for an SSL module like mod_ssl.
     - ap_ssl_answer_challenge() to enable other modules like mod_md to
       provide a certificate as used in the RFC 8555 'tls-alpn-01' challenge
       for the ACME protocol for an SSL module like mod_ssl. The function
       and its hook provide PEM encoded data instead of file names.
     - Hooks for 'ssl_add_cert_files', 'ssl_add_fallback_cert_files' and
       'ssl_answer_challenge' where modules like mod_md can provide providers
       to the above mentioned functions.
     - These functions reside in the new 'http_ssl.h' header file.
     [Stefan Eissing]

  *) core/mod_ssl/mod_md: adding OCSP response provisioning as core feature. This
     allows modules to access and provide OCSP response data without being tied
     of each other. The data is exchanged in standard, portable formats (PEM encoded
     certificates and DER encoded responses), so that the actual SSL/crypto
     implementations used by the modules are independant of each other.
     Registration and retrieval happen in the context of a server (server_rec)
     which modules may use to decide if they are configured for this or not.
     The area of changes:
     1. core: defines 2 functions in include/http_ssl.h, so that modules may
        register a certificate, together with its issuer certificate for OCSP
        response provisioning and ask for current response data (DER bytes) later.
        Also, 2 hooks are defined that allow modules to implement this OCSP
        provisioning.
     2. mod_ssl uses the new functions, in addition to what it did already, to
        register its certificates this way. If no one is interested in providing
        OCSP, it falls back to its own (if configured) stapling implementation.
     3. mod_md registers itself at the core hooks for OCSP provisioning. Depending
        on configuration, it will accept registrations of its own certificates only,
        all certificates or none.
     [Stefan Eissing]

 *) mod_md: v2.4.0 with improvements and bugfixes
     - MDPrivateKeys allows the specification of several types. Beside "RSA" plus
     optional key lengths elliptic curves can be configured. This means you can
     have multiple certificates for a Managed Domain with different key types.
     With ```MDPrivateKeys secp384r1 rsa2048``` you get one ECDSA  and one RSA
     certificate and all modern client will use the shorter ECDSA, while older
     client will get the RSA certificate.
     Many thanks to @tlhackque who pushed and helped on this.
     - Support added for MDomains consisting of a wildcard. Configuring
     ```MDomain *.host.net``` will match all virtual hosts matching that pattern
     and obtain one certificate for it (assuming you have 'dns-01' challenge
     support configured). Addresses #239.
     - Removed support for ACMEv1 servers. The only known installation used to
     be Let's Encrypt which has disabled that version more than a year ago for
     new accounts.
     - Andreas Ulm () implemented the
     ```renewing``` call to ```MDMessageCmd``` that can deny a certificate
     renewal attempt. This is useful in clustered installations, as
     discussed in #233).
     - New event ```challenge-setup::```, triggered when the
     challenge data for a domain has been created. This is invoked before the
     ACME server is told to check for it. The type is one of the ACME challenge
     types. This is invoked for every DNS name in a MDomain.
     - The max delay for retries has been raised to daily (this is like all
     retries jittered somewhat to avoid repeats at fixed time of day).
     - Certain error codes reported by the ACME server that indicate a problem
     with the configured data now immediately switch to daily retries. For
     example: if the ACME server rejects a contact email or a domain name,
     frequent retries will most likely not solve the problem. But daily retries
     still make sense as there might be an error at the server and un-supervised
     certificate renewal is the goal. Refs #222.
     - Test case and work around for domain names > 64 octets. Fixes #227.
     When the first DNS name of an MD is longer than 63 octets, the certificate
     request will not contain a CN field, but leave it up to the CA to choose one.
     Currently, Lets Encrypt looks for a shorter name in the SAN list given and
     fails the request if none is found. But it is really up to the CA (and what
     browsers/libs accept here) and may change over the years. That is why
     the decision is best made at the CA.
     - Retry delays now have a random +/-[0-50]% modification applied to let
     retries from several servers spread out more, should they have been
     restarted at the same time of day.
     - Fixed several places where the 'badNonce' return code from an ACME server
     was not handled correctly. The test server 'pebble' simulates this behaviour
     by default and helps nicely in verifying this behaviour. Thanks, pebble!
     - Set the default `MDActivationDelay` to 0. This was confusing to users that
     new certificates were deemed not usably before a day of delay. When clocks are
     correct, using a new certificate right away should not pose a problem.
     - When handling ACME authorization resources, the module no longer requires
     the server to return a "Location" header, as was necessary in ACMEv1.
     Fixes #216.
     - Fixed a theoretical uninitialized read when testing for JSON error responses
     from the ACME CA. Reported at .
     - ACME problem reports from CAs that include parameters in the Content-Type
     header are handled correctly. (Previously, the problem text would not be
     reported and retries could exceed CA limits.)
     - Account Update transactions to V2 CAs now use the correct POST-AS-GET method.
     Previously, an empty JSON object was sent - which apparently LE accepted,
     but others reject.
     [Stefan Eissing, @tlhackque, Andreas Ulm]

Changes with Apache 2.4.47

  *) mod_dav_fs: Improve logging output when failing to open files for
     writing.  PR 64413.  [Bingyu Shen ]

  *) mod_http2: Fixed a race condition that could lead to streams being
     aborted (RST to the client), although a response had been produced.
     [Stefan Eissing]

  *) mod_lua: Add support to Lua 5.4  [Joe Orton, Giovanni Bechis, Ruediger Pluem]

  *) MPM event/worker: Fix possible crash in child process on early signal
     delivery.  PR 64533.  [Ruediger Pluem]

  *) mod_http2: sync with github standalone version 1.15.17
     - Log requests and sent the configured error response in case of early detected
       errors like too many or too long headers. [Ruediger Pluem]
     - new option 'H2OutputBuffering on/off' which controls the buffering of stream output.
       The default is on, which is the behaviour of older mod-h2 versions. When off, all
       bytes are made available immediately to the main connection for sending them
       out to the client. This fixes interop issues with certain flavours of gRPC, see
       also .
       [Stefan Eissing]

  *) mod_unique_id: Fix potential duplicated ID generation under heavy load.
     PR 65159
     [Jonas Müntener , Christophe Jaillet]

  *) "[mod_dav_fs etag handling] should really honor the FileETag setting".
     - It now does.
     - Add "Digest" to FileETag directive, allowing a strong ETag to be
       generated using a file digest.
     - Add ap_make_etag_ex() and ap_set_etag_fd() to allow full control over
       ETag generation.
     - Add concept of "binary notes" to request_rec, allowing packed bit flags
       to be added to a request.
     - First binary note - AP_REQUEST_STRONG_ETAG - allows modules to force
       the ETag to a strong ETag to comply with RFC requirements, such as those
       mandated by various WebDAV extensions.
     [Graham Leggett]

  *) mod_proxy_http: Fix a possibly crash when the origin connection gets
     interrupted before completion.  PR 64234.
     [Barnim Dzwillo , Ruediger Pluem]

  *) mod_ssl: Do not keep connections to OCSP responders alive when doing
     OCSP requests.  PR 64135.  [Ruediger Pluem]

  *) mod_ssl: Improve the coalescing filter to buffer into larger TLS
     records, and avoid revealing the HTTP header size via TLS record
     boundaries (for common response generators).
     [Joe Orton, Ruediger Pluem]

  *) mod_proxy_hcheck: Don't pile up health checks if the previous one did
     not finish before hcinterval.  PR 63010.  [Yann Ylavic]

  *) mod_session: Improve session parsing.  [Yann Yalvic]

  *) mod_authnz_ldap: Prevent authentications with empty passwords for the
     initial bind to fail with status 500. [Ruediger Pluem]

  *) mod_auth_digest: Fast validation of the nonce's base64 to fail early if
     the format can't match anyway.  [Yann Ylavic]

  *) mod_proxy_fcgi: Honor "SetEnv proxy-sendcl" to forward a chunked
     Transfer-Encoding from the client, spooling the request body when needed
     to provide a Content-Length to the backend.  PR 57087.  [Yann Ylavic]

  *) mod_proxy: Put mod_proxy_{connect,wstunnel} tunneling code in common in
     proxy_util.  [Yann Ylavic]

  *) mod_proxy: Improve tunneling loop to support half closed connections and
     pending data draining (for protocols like rsync). PR 61616. [Yann Ylavic]

  *) mod_proxy_http: handle Upgrade request, 101 (Switching Protocol) response
     and switched protocol forwarding.  [Yann Ylavic]

  *) mod_proxy_wstunnel: Leave Upgrade requests handling to mod_proxy_http,
     allowing for (non-)Upgrade negotiation with the origin server.
     [Yann Ylavic]

  *) mod_proxy: Allow ProxyErrorOverride to be restricted to specific status
     codes.  PR63628. [Martin Drößler ]

  *) core: Add ReadBufferSize, FlushMaxThreshold and FlushMaxPipelined
     directives.  [Yann Ylavic]

  *) core: Ensure that aborted connections are logged as such. PR 62823
     [Arnaud Grandville ]

  *) http: Allow unknown response status' lines returned in the form of
     "HTTP/x.x xxx Status xxx".  [Yann Ylavic]

  *) mod_proxy_http: Fix 100-continue deadlock for spooled request bodies,
     leading to Request Timeout (408).  PR 63855.  [Yann Ylavic]

  *) core: Remove headers on 304 Not Modified as specified by RFC7234, as
     opposed to passing an explicit subset of headers. PR 61820.
     [Giovanni Bechis]

  *) mpm_event: Don't reset connections after lingering close, restoring prior
     to 2.4.28 behaviour.  [Yann Ylavic]

  *) mpm_event: Kill connections in keepalive state only when there is no more
     workers available, not when the maximum number of connections is reached,
     restoring prior to 2.4.30 behaviour.  [Yann Ylavic]

  *) mod_unique_id: Use base64url encoding for UNIQUE_ID variable,
     avoiding the use of '@'.  PR 57044.
     [Michael Kaufmann ]

  *) mod_rewrite: Extend the [CO] (cookie) flag of RewriteRule to accept a
     SameSite attribute. [Eric Covener]

  *) mod_proxy: Add proxy check_trans hook.  This allows proxy
     modules to decline request handling at early stage.

  *) mod_proxy_wstunnel: Decline requests without an Upgrade
     header so ws/wss can be enabled overlapping with later
     http/https.

  *) mod_http2: Log requests and sent the configured error response in case of
     early detected errors like too many or too long headers.
     [Ruediger Pluem, Stefan Eissing]

  *) mod_md: Lowered the required minimal libcurl version from 7.50 to 7.29
     as proposed by . [Stefan Eissing]

  *) mod_ssl: Fix request body buffering with PHA in TLSv1.3.  [Joe Orton]

  *) mod_proxy_uwsgi: Fix a crash when sending environment variables with no
     value. PR 64598 [Ruediger Pluem]

  *) mod_proxy: Recognize parameters from ProxyPassMatch workers with dollar
     substitution, such that they apply to the backend connection.  Note that
     connection reuse is disabled by default to avoid compatibility issues.
     [Takashi Sato, Jan Kaluza, Eric Covener, Yann Ylavic, Jean-Frederic Clere]

13 thoughts on “Apache httpd 2.4.48 with brotli support, TLS 1.3 final (RFC 8446) built against OpenSSL 1.1.1k with http2, mod_http2 1.15.19 and ALPN for Red Hat Enterprise Linux 7 and CentOS 7”

  1. After upgrading everything (yum update -y; reboot) on a CentOS 7 server which uses Apache, I’m getting this:

    $ /usr/sbin/apachectl configtest
    httpd: Syntax error on line 1 of /etc/httpd/conf/httpd.conf:
    Syntax error on line 63 of /etc/httpd/conf.modules.d/000-web-base.conf:
    Cannot load modules/mod_http2.so into server: /etc/httpd/modules/mod_http2.so:
    undefined symbol: EVP_MD_CTX_new

    I have Apache from CodeIT’s repository.
    Do you know what the error above means? It works if I simply remove the “mod_http2” module, but this obviously isn’t ideal as I won’t benefit from HTTP2.

    Server Version: Apache/2.4.48 (codeit) OpenSSL/1.1.1l
    Server MPM: event
    Server Built: May 26 2021 11:40:06

    openssl:

    # openssl version
    OpenSSL 1.0.2k-fips 26 Jan 2017

    While Apache says:

    OpenSSL/1.1.1l
    So something doesn’t seem to be right!

    1. I resolved by downgrading to previous version:

      # yum downgrade mod_http2-1.15.23

      Removed:
      mod_http2.x86_64 0:1.15.24-1.codeit

      Installed:
      mod_http2.x86_64 0:1.15.23-1.codeit

      Complete!

      # /usr/sbin/apachectl configtest
      Syntax OK

      # systemctl restart httpd

      (full restart is required rather than graceful reload, otherwise we’ll get “exit signal Segmentation fault (11)”)

      1. Hey! Nice one.

        Any idea if my issue with “mod_http2” may be resolved on a newer version of mod_http2?
        (the one I reported a few days ago above)

        Thanks! Good day.

        1. Hey Nuno,

          We do not experience similar issues. Probably you have concurrent openssl 1.1.x library installed somewhere in your system?
          The easiest way is to provide steps to reproduce the issue on newly installed CentOS 7.

          1. CentOS itself has “OpenSSL 1.0.2k-fips” installed, but Apache’s mod_http2 (from CodeIT) seems to require “OpenSSL/1.1.1l”.

            My understanding is that Apache itself has its own “OpenSSL/1.1.1l” bundled?
            How can I made “mod_http2” use that one instead?

            And any idea why the previous version works, but just the latest version doesn’t?

            Thanks much!

          2. Of course 1.0.2 bundled with CentOS is OK, but you can have any other openssl 1.1.x libraries installed (e.g. openssl11-libs from epel). We never tested mod_ssl and mod_http2 with epel openssl11-libs.

            Please also try to update our openssl111-libs package to the latest version. It’s not bundled now: it’s a separate package.

            I have the idea why latest version is broken for you: apache httpd developers did an extremely massive rework in the latest version to avoid deprecation warnings and switch to using OpenSSL EVP_* API to avoid deprecation warnings with OpenSSL 3.0. Thus, new APIs are in use and probably they are not available in your library version.

          3. Thanks!

            Seems “openssl11-libs” finds epel,
            “openssl111-libs” finds CodeIT.
            Only “openssl111-libs” says “installed”.

            But “mod_http2” doesn’t seem to find it… and I have no idea how I can make it use “openssl111” 🙂

            # yum info openssl11-libs
            Loaded plugins: changelog, copr, fastestmirror, langpacks
            Loading mirror speeds from cached hostfile
            * base: mirror.phx1.us.spryservers.net
            * epel: d2lzkl7pfhq30w.cloudfront.net
            * extras: mirrors.sonic.net
            * remi: mirror.bebout.net
            * remi-safe: mirror.bebout.net
            * rpmfusion-free-updates: muug.ca
            * updates: mirrors.ocf.berkeley.edu
            Available Packages
            Name : openssl11-libs
            Arch : x86_64
            Epoch : 1
            Version : 1.1.1g
            Release : 3.el7
            Size : 1.5 M
            Repo : epel/x86_64
            Summary : A general purpose cryptography library with TLS implementation
            URL : http://www.openssl.org/
            License : OpenSSL and ASL 2.0
            Description : OpenSSL is a toolkit for supporting cryptography. The openssl11-libs
            : package contains the libraries that are used by various applications which
            : support cryptographic algorithms and protocols.

            # yum info openssl111-libs
            Loaded plugins: changelog, copr, fastestmirror, langpacks
            Loading mirror speeds from cached hostfile
            * base: mirror.phx1.us.spryservers.net
            * epel: d2lzkl7pfhq30w.cloudfront.net
            * extras: mirrors.sonic.net
            * remi: mirror.bebout.net
            * remi-safe: mirror.bebout.net
            * rpmfusion-free-updates: muug.ca
            * updates: mirrors.ocf.berkeley.edu
            Installed Packages
            Name : openssl111-libs
            Arch : x86_64
            Version : 1.1.1l
            Release : 1.codeit.el7
            Size : 3.5 M
            Repo : installed
            From repo : CodeIT
            Summary : A general purpose cryptography library with TLS implementation
            URL : http://www.openssl.org/
            License : OpenSSL
            Description : OpenSSL is a toolkit for supporting cryptography. The openssl-libs
            : package contains the libraries that are used by various applications which
            : support cryptographic algorithms and protocols.

          4. Seems to say installed, anyway!

            But the “Name” field doesn’t include the “L”:

            # yum info openssl111-libs-1.1.1l
            Loaded plugins: changelog, copr, fastestmirror, langpacks
            Loading mirror speeds from cached hostfile
            * base: mirror.phx1.us.spryservers.net
            * epel: d2lzkl7pfhq30w.cloudfront.net
            * extras: mirrors.sonic.net
            * remi: mirror.bebout.net
            * remi-safe: mirror.bebout.net
            * rpmfusion-free-updates: muug.ca
            * updates: mirrors.ocf.berkeley.edu
            Installed Packages
            Name : openssl111-libs
            Arch : x86_64
            Version : 1.1.1l
            Release : 1.codeit.el7
            Size : 3.5 M
            Repo : installed
            From repo : CodeIT
            Summary : A general purpose cryptography library with TLS implementation
            URL : http://www.openssl.org/
            License : OpenSSL
            Description : OpenSSL is a toolkit for supporting cryptography. The openssl-libs
            : package contains the libraries that are used by various
            : applications which support cryptographic algorithms and protocols.

          5. The setup seems to be correct. Are you able to install the same distribution with “minimal” setup to the empty VM and install httpd from CodeIT repo to try to reproduce the problem?

Leave a Reply

Your email address will not be published. Required fields are marked *