Apache httpd 2.4.29 with http2 (HTTP/2) support for Red Hat Enterprise Linux and CentOS has been added to the repository. mod_ssl is built statically against OpenSSL 1.1.0g.
Yes, starting with this release we build Apache httpd against OpenSSL 1.1.0.
The Apache httpd http2 module no longer supports the prefork MPM as of version 2.4.27; we experienced crashes with it in 2.4.26 and decided to keep those builds private. If you need the http2 module, disable the prefork MPM and enable the worker MPM in /etc/httpd/conf.modules.d/00-mpm.conf.
We have already made this change to 00-mpm.conf in our packages. If you are updating an installation from another vendor, please update this file yourself.
For correct operation with SELinux, please set the following boolean:
setsebool -P httpd_execmem=1
Feel free to use our CentOS/RHEL repository. Please also note that this package depends on apr-util 1.5.0+ and libnghttp, which you can find in the EPEL repository. So the easiest way to use our builds of Apache httpd is to add the EPEL repository, if you do not have it yet:
yum install -y epel-release
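The MPM switch described above can be checked and applied with a few shell functions. This is an added example, not part of the original post or of the packages; the function names and the sample file are constructed for illustration, and the LoadModule lines are assumed to follow the stock 00-mpm.conf layout.

```shell
#!/bin/sh
# Added example (not from the packages): inspect a 00-mpm.conf-style file.
# Function names are hypothetical; the sample file below is constructed.

# Constructed sample: a file in which prefork is still the active MPM.
sample_conf() {
    cat <<'EOF'
# Select the MPM module by uncommenting exactly one LoadModule line:
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
#LoadModule mpm_event_module modules/mod_mpm_event.so
EOF
}

# Print the MPM name from every uncommented "LoadModule mpm_*_module" line.
active_mpms() {
    sed -n 's/^[[:space:]]*LoadModule[[:space:]]\{1,\}mpm_\([a-z]*\)_module[[:space:]].*/\1/p' "$1"
}

# Return 0 if exactly one MPM is active and it is not prefork,
# 1 if prefork is active, 2 if no MPM or several MPMs are active.
http2_mpm_ok() {
    mpms=$(active_mpms "$1")
    set -- $mpms              # one positional parameter per active MPM
    [ "$#" -eq 1 ] || return 2
    [ "$1" != "prefork" ] || return 1
    return 0
}

# Write to stdout a copy of the file with prefork and event commented out
# and the worker line uncommented. A file with no worker line at all is
# left without an MPM, which http2_mpm_ok then reports as status 2.
switch_to_worker() {
    sed -e 's/^[[:space:]]*\(LoadModule[[:space:]]\{1,\}mpm_prefork_module\)/#\1/' \
        -e 's/^[[:space:]]*\(LoadModule[[:space:]]\{1,\}mpm_event_module\)/#\1/' \
        -e 's/^[[:space:]]*#[[:space:]]*\(LoadModule[[:space:]]\{1,\}mpm_worker_module\)/\1/' "$1"
}

# Stand-alone use: sh check_mpm.sh /etc/httpd/conf.modules.d/00-mpm.conf
if [ -n "${1:-}" ]; then
    rc=0; http2_mpm_ok "$1" || rc=$?
    echo "active MPM(s): $(active_mpms "$1" | tr '\n' ' ') status: $rc"
fi
```

switch_to_worker only prints the rewritten file, so review the output and run apachectl configtest before replacing the live 00-mpm.conf.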
Hi, Alexander! Thanks for your efforts supporting Apache packages!
Could you also add an OpenSSL 1.1.0g rpm package for CentOS 7.4? Manual installs like https://codeinpython.blogspot.com/2017/06/how-to-install-openssl-110-on-centos-7.html don’t work, stuck with OpenSSL 1.0.2.
Hi Binyamin!
The idea to build Apache httpd with statically linked OpenSSL 1.0.2 / 1.1.0 was successful because we don’t need to replace the system OpenSSL. Of course we can easily build OpenSSL 1.0.2 or 1.1.0 on the EL 7 platform, but if you really plan to replace the officially supplied version, many, many things will be broken.
And yes, if you need it, it will be OK to keep it in /usr/local (this will be so if you simply build it without any configuration) so it won’t affect your system.
I don’t think we will support standalone OpenSSL version as soon as we link it statically.
Done updates look all ok.
Thanks
Hi and thanks for the awesome work. Have you planned to build 2.4.29 against OpenSSL 1.0.2k, which is the default in CentOS 7.4?
Hi Rics,
No, we don’t, as we are trying to support EL 7.3 too at this moment.
Are there reasons to have a separate build (dynamically linked against 1.0.2)?
I thought that Apache should always be built with the same OpenSSL version that the OS has. So is it OK to use Apache with OpenSSL 1.1.0g in production with CentOS OpenSSL 1.0.2k?
Thanks!
Yes, sure.
We build Apache and NGINX and do not rely on specific OpenSSL version that is bundled with OS.
Hi Alexander!
Out of interest, which config options are you using when building static OpenSSL?
Hi Rics!
It’s the minimum required: all defaults + no-shared + fPIC.
Any chance you could enable mod_brotli? I see that you do for nginx and it would be a nice feature to have.
Thank you for the suggestion, Jonathan. I will check if we will be able to include it in the next version.
Hello,
thank you for your work. I have a question. I’m trying to enable HTTP 2.0 for a virtual host, but I’m not successful. In online test sites the server is HTTP 2.0 ready, but when I look at the requests in the browser via the network console I see that only HTTP 1 is used.
Can you tell me why, please?
Protocols h2 http/1.1
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
….
Thanks
Pavel
Hello Pavel,
First, you need to check if your browser is compiled against TLS 1.0.2+ compatible libraries. So we need more details like OS/version, browser and its version and full URL you are checking.
I suspect the problem may be on your side or in the network (e.g. transparent proxies can break TLS ALPN negotiation).
Hello,
I tried FF 58.0.2 64b, Edge 41.16299.248.0. You can try it here – (removed by Alexander) (please delete this URL from this post after reading it).
Thank you
Pavel
Hello. Done.
Works fine for me:
Thank you for your check. Where can the problem be, please? I have now tried another computer + Chrome. Without effect. Still HTTP 1.0. Any idea for this?
OK, I have it! Bitdefender with SSL Scan on is the problem.
Nice! My congratulations
Hi,
I am trying to compile Apache 2.4.33 with OpenSSL 1.1.0h, but I keep getting this error message. I have been trying to get past this issue for the last 2 weeks. Can you please advise what I should be doing here? Apologies if it is outside of the work published here.
libapr-1.la -luuid -lrt -lcrypt -lpthread -lm -lssl -lcrypto -luuid -lrt -lcrypt -lthread
ab.c: In function `ssl_print_cert_info’:
ab.c:649 undefined reference to `X509_get_version’
ab.c:651 undefined reference to `X509_getm_notBefore’
ab.c:655 undefined reference to `X509_getm_notAfter’
ab.c:571 undefined reference to `SSL_in_init’
ab.c:571 undefined reference to `SSL_is_server’
x509.h:97 undefined reference to `OPENSSL_sk_num’
x509.h:97 undefined reference to `OPENSSL_sk_value’
ab.c:1941 undefined reference to `SSL_in_init`
…..
…
…
collect2: ld returned 1 exit status
make[2] *** [ab] Error 1
make[2]: Leaving directory ‘/local/apache24buildx64/http-2.4.33/support’
make[1]: *** [install-recursive] Error 1
make[1]: Leaving directory ‘/local/apache24buildx64/httpd-2.4.33/support’
make: *** [install-recursive] Error 1