Apache httpd 2.4.38 with brotli support, TLS 1.3 final (RFC 8446) built against OpenSSL 1.1.1a with http2 and ALPN for Red Hat Enterprise Linux and CentOS

Apache httpd 2.4.38 with Google's brotli compression library, TLS 1.3 final (RFC 8446) and http2 (HTTP/2) support for Red Hat Enterprise Linux and CentOS has been added to the repository. mod_ssl is linked statically against OpenSSL 1.1.1a.

Since 2.4.33 we have included the brotli compression library. Since the 2.4.35 release we have built Apache httpd against OpenSSL 1.1.1*. Since the 2.4.37 release, the final version of TLS 1.3 (not to be confused with any draft version) is supported and enabled by default.

Please note that the final version of TLS 1.3 is supported in Chrome 70+ and Mozilla Firefox 63+.

Brotli support is already included in the base RPM. All you need to do is add filters such as:

AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript

The Apache httpd http2 module has not supported the prefork MPM since version 2.4.27. If you need the http2 module, disable the prefork MPM and enable the event MPM in /etc/httpd/conf.modules.d/00-mpm.conf. We have already done this in the 00-mpm.conf shipped in our packages. If you are updating another vendor's installation, please update this file.
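
The 00-mpm.conf check described above can be scripted when updating an installation from another vendor. The following is an added example, not part of the packages or the original post; the function names are hypothetical, and it assumes MPMs are loaded by plain LoadModule lines in a single file.

```shell
#!/bin/sh
# Added example (not from the packages described on this page).
# Reports which MPM a 00-mpm.conf-style file enables, so an upgraded
# install that still loads prefork is caught before mod_http2 is used.
# Assumption: Include directives and <IfModule> blocks are not followed.

# Print the short name of every MPM loaded by an uncommented LoadModule line.
# Directive names are case-insensitive in httpd, hence tolower().
active_mpms() {
    awk 'tolower($1) == "loadmodule" && $2 ~ /^mpm_[a-z]+_module$/ {
        name = $2; sub(/^mpm_/, "", name); sub(/_module$/, "", name)
        print name
    }' "$1"
}

# Exit status: 0 = only event is loaded, 1 = prefork is loaded,
# 2 = no MPM, several MPMs, or some other MPM.
check_mpm_for_http2() {
    mpms=$(active_mpms "$1") || return 2
    case " $(echo $mpms) " in
        *" prefork "*)
            echo "prefork loaded: mod_http2 does not support it" >&2
            return 1 ;;
        " event ")
            return 0 ;;
        *)
            echo "expected only event, found: ${mpms:-none}" >&2
            return 2 ;;
    esac
}

# Constructed sample: an install that was never switched away from prefork.
sample=$(mktemp)
cat > "$sample" <<'EOF'
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
#LoadModule mpm_event_module modules/mod_mpm_event.so
EOF
check_mpm_for_http2 "$sample" || echo "exit status $?"
rm -f "$sample"
```

On a real host, pass /etc/httpd/conf.modules.d/00-mpm.conf as the argument instead of the constructed sample.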

To work correctly with SELinux, please set the following boolean:

setsebool -P httpd_execmem=1

Feel free to use our CentOS/RHEL repository. Please also note that this package depends on apr-util 1.5.0+ and libnghttp, which you can find in the EPEL repository. So the easiest way to use our builds of Apache httpd is to add the EPEL repository, if you do not already have it: yum install -y epel-release

7 thoughts on “Apache httpd 2.4.38 with brotli support, TLS 1.3 final (RFC 8446) built against OpenSSL 1.1.1a with http2 and ALPN for Red Hat Enterprise Linux and CentOS”

  1. I have downloaded your SRPM for CentOS 7 and am trying to build our own version. This is just so that we can validate the patches and the original Apache source for PCI DSS reasons.
    I have disabled http2 and brotli support. I also downloaded a slightly later version of OpenSSL, compiled that, and updated the path in your spec file. A diff of your spec file is shown below so you can see exactly what we changed.
    The issue that we are having is that mod_ssl and httpd_tools have a dependency on libssl.so.1.1 and libcrypto.so.1.1 when we then go to install the rpm files, so it looks like the SRPM is not set up to statically link to OpenSSL?

    Any suggestions?

    Thanks
    Gareth

    82c82
    BuildRequires: zlib-devel, libselinux-devel, lua-devel
    86c86
    Obsoletes: httpd-suexec
    92c92
    #Requires: mod_http2
    275,276c275,276
    < export CFLAGS="$RPM_OPT_FLAGS -I/root/openssl-1.1.1a"
    export CFLAGS=”$RPM_OPT_FLAGS -I/home/rpmbuild/openssl-1.1.1b”
    > export LDFLAGS=”-Wl,-z,relro,-z,now -L/home/rpmbuild/openssl-1.1.1b”
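
    Review bot: the -L/home/rpmbuild/openssl-1.1.1b on the new LDFLAGS line points the linker at an OpenSSL build tree without forcing static linking. When a directory holds both libssl.so and libssl.a, the linker takes the shared object by default, which matches the libssl.so.1.1 and libcrypto.so.1.1 dependencies reported above. Build that tree so that only the static archives exist, or name the .a files explicitly. Also check that both export lines use plain ASCII double quotes in the spec file, since the curly quotes shown here are not treated as quoting by the shell.
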
    305d304
    < –with-brotli \
    309c308
    –enable-ssl –with-ssl=/home/rpmbuild/openssl-1.1.1b –disable-distcache \
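
    Review bot: the OpenSSL location /home/rpmbuild/openssl-1.1.1b is hard-coded on this --with-ssl line and again in the CFLAGS and LDFLAGS lines of the 275,276 hunk, so the next version bump has to touch three places and a missed one would mix headers and libraries from different releases. Define the path once as a spec macro and reference it in all three places.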

    1. Gareth, please try changing directory to /home/rpmbuild/openssl-1.1.1b and configuring it with the “no-shared” option, which disables shared objects (only a static library is created).
      Then run make.

      After these steps please try to build httpd again.

      1. Thank you very much for that.
        The first time it didn’t compile. I did a ‘make clean’ to start again from fresh and then it compiled fine and after rebuilding the rpm it installed without any dependency issues.

  2. Hi Alex,

    Apache 2.4.39 was released yesterday. Do you think it’s possible for us to get this version from your repo soon?
