Apache httpd 2.4.56 with brotli support, TLS 1.3 final (RFC 8446) built against OpenSSL 1.1.1t with http2, mod_http2 2.0.13 and ALPN for Red Hat Enterprise Linux 7/8/9 and CentOS 7, Alma Linux 8/9, Rocky Linux 8/9

Apache httpd 2.4.56-1 with Google's brotli compression library, TLS 1.3 final (RFC 8446) and http2 (HTTP/2) support for Red Hat Enterprise Linux and CentOS 7/8, Alma Linux 8, Rocky Linux 8 has been added to the repository. mod_http2 2.0.13 is built dynamically against OpenSSL 1.1.1t.

Fixed vulnerabilities:

  • CVE-2023-27522: HTTP response smuggling bug
  • CVE-2023-25690: HTTP request smuggling vulnerability

We have built OpenSSL+QUIC 1.1.1 separately since v2.4.53-2, installing it to /lib64 with the .so.81.1.1 suffix so that it won’t interfere with your system libraries. You can safely delete the openssl111* packages.

On EL8 and EL9, please enable the httpd module:

dnf module enable httpd:codeit

The brotli compression library has been included since 2.4.33. Since the 2.4.35 release we have built Apache httpd against OpenSSL 1.1.1*. Since the 2.4.37 release the final version of TLS 1.3 (not to be confused with any draft versions) is supported and enabled by default. Please note that TLS 1.3 final is supported in Chrome 70+ and Mozilla Firefox 63+.

brotli support is already included in the base RPM file. All you need to do is add filters like:

AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript
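Because this build links httpd against a separately packaged OpenSSL, the httpd version alone does not tell you which OpenSSL is in use. The script below is an added example (not part of the original post or the repository's tooling) that compares the OpenSSL token in an httpd version banner with the 1.1.1t named in this release; the function names and sample banners are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag an httpd whose reported OpenSSL is older than expected.
EXPECTED_OPENSSL="1.1.1t"   # version named in this announcement

# Extract the OpenSSL version from a banner; a "+quic" build tag is dropped.
openssl_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL\/\([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Succeed when $1 is older than $2 (OpenSSL 1.x "N.N.N<letters>" numbering).
openssl_older_than() {
    local a_num=${1%%[a-z]*} b_num=${2%%[a-z]*}
    local a_let=${1#"$a_num"} b_let=${2#"$b_num"}
    if [ "$a_num" != "$b_num" ]; then
        [ "$(printf '%s\n%s\n' "$a_num" "$b_num" | sort -V | head -n1)" = "$a_num" ]
        return
    fi
    # Same numeric release: a shorter letter suffix is older, then alphabetical.
    if [ "${#a_let}" -ne "${#b_let}" ]; then
        [ "${#a_let}" -lt "${#b_let}" ]
        return
    fi
    [ "$a_let" != "$b_let" ] &&
        [ "$(printf '%s\n%s\n' "$a_let" "$b_let" | LC_ALL=C sort | head -n1)" = "$a_let" ]
}

# Print a verdict; return 1 if stale, 2 if the banner carries no OpenSSL token.
check_banner() {
    local found
    found=$(openssl_from_banner "$1")
    if [ -z "$found" ]; then
        echo "UNKNOWN: no OpenSSL token (ServerTokens may be hiding it)"
        return 2
    fi
    if openssl_older_than "$found" "$EXPECTED_OPENSSL"; then
        echo "STALE: httpd reports OpenSSL $found, expected $EXPECTED_OPENSSL"
        return 1
    fi
    echo "OK: httpd reports OpenSSL $found"
}

# Constructed sample banners, not captured from a real host.
for banner in 'Apache/2.4.56 (Unix) OpenSSL/1.1.1q+quic' \
              'Apache/2.4.56 (Unix) OpenSSL/1.1.1t+quic' \
              'Apache/2.4.56'; do
    check_banner "$banner" || true
done
```

On a live server the banner can be taken from the Server response header when ServerTokens is set to Full, or from the startup line in the error log.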

3 thoughts on “Apache httpd 2.4.56 with brotli support, TLS 1.3 final (RFC 8446) built against OpenSSL 1.1.1t with http2, mod_http2 2.0.13 and ALPN for Red Hat Enterprise Linux 7/8/9 and CentOS 7, Alma Linux 8/9, Rocky Linux 8/9”

  1. Hi Alexander,

    I did a “yum update httpd” and “dnf update httpd” on my CentOS7 and Rocky8 servers.
    On both servers, my httpd changed from 2.4.55 to 2.4.56, which is good.
    But the OpenSSL/1.1.1q+quic remains as version 1.1.1q+.

    I already did “dnf module enable httpd:codeit” and “yum upgrade openssl111-libs”.

    How can I get the OpenSSL to version 1.1.1t, please?

    Thanks,
    Jonah

  2. Oops, sorry, I just found out by chance.

    I had to do “yum update openssl-quic-libs.x86_64” to get latest OpenSSL library.

    Thanks,
    Jonah
