Apache httpd 2.4.43-4, собранный с Brotli, TLS 1.3 final (RFC 8446), OpenSSL 1.1.1g, ALPN и поддержкой http2 для Red Hat Enterprise Linux и CentOS

В репозиторий добавлен Apache httpd 2.4.43-4 с поддержкой сжатия brotli от Google, http2 для Red Hat Enterprise Linux и CentOS. Mod_ssl собран динамически с OpenSSL 1.1.1g. Ссылки:

Заметим, что httpd 2.4.43 поддерживает TLS 1.3 при сборке с OpenSSL 1.1.1. Все новые шифры включены и работают.
C версии 2.4.43-4 мы собираем OpenSSL отдельно, он устанавливается в /opt/codeit/openssl111 и никак не затрагивает системные библиотеки.

TLS 1.3 final на сегодня работает в Google Chrome 70+ и Mozilla Firefox 63+.

Для работы с SELinux в rpm включена соответствующая минимальная политика.

Модуль brotli уже включён в базовый RPM. Всё, что нужно — настроить фильтр

AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript

Apache httpd 2.4.43-4, собранный с Brotli, TLS 1.3 final (RFC 8446), OpenSSL 1.1.1g, ALPN и поддержкой http2 для Red Hat Enterprise Linux и CentOS: 13 комментариев

  1. Dear Friends

    After installing 2.4.43-4, I have got an error with SSLCompression off after restarting httpd.service.

    I would be glad for your help.

    Thank you in advance for your help and support.

    Sincerely

      1. Dear Alexander

        …but in my last configuration I had line SSLCompression off, but when I try to restart httpd.service I have got an error:

        Setting Compression mode unsupported; not implemented by the SSL library

        In the older version of your 2.4.43 it was working fine with this line.

        Any idea how to resolve this?

        Sincerely

        1. Dear User,

          The purpose of our builds are the new standards: fast, modern and highly secure.
          We upgraded our builds to deliver OpenSSL library in a new dynamic way. Also, we disabled old and vulnerable features in it to additionally save traffic and memory.
          If you want to use these older deprecated features such as compression that leads to CRIME/BEAST vulnerabilities, please use the bundled Apache httpd server from CentOS team. Alternatively, you want to use our builds, please disable the compression:

          SSLCompression off

          As it is not supported in this build.

          1. Dear Alexander

            I think you may not understand me like I want to 🙂 I’m using your builds from day one. I just say, that I have already used: «SSLCompression off» in all my configuration files in vhosts. In this new build 2.4.43-4 this command «SSLCompression off» is no longer recognized, so to properly run my httpd.service I needed to delete this command «SSLCompression off» from my configuration files or just add hash «#» before it.

            The way you are trying to explain, to add «SSLCompression off» to my configuration files or ssl.conf is not working in this build.

            For a good understanding of each other. Your build is forced to use «SSLCompression off», so there is no need to use this command anymore in any configuration files, because it’s always disabled = SSLCompression off? Is it correct?

            Thank you once more for your great work.

            Sincerely

          2. Dear User,

            Thanks for clarification, indeed I did not usnerstood you right.
            Yes, OpenSSL library that we ship, does not support SSL compression and if you use our library, SSL compression is always off, even you do not explicitly specify «SSLCompression off».

  2. You should not have removed the SSLCompression option.
    It broke all our server when the update was done. And no warning. My Compression was always set to off.

    Very angry.

    But hey, I’m glad you are offering the repo free of charge.

    1. Actually we did not removed it.
      This is original Apache httpd behavior and we never had SSLCompression in sample config files and test hosts.
      Please always test your configuration after upgrade with

      httpd -t

      And restart your server only after that. Also you can have your own staging environment with similar configuration to be less angry.
      I think we will return compression support temporarily because of this regression.

          1. Well, I tested httpd -t and it worked.
            Must be a change that happend sometime ago. Or when I switched repo for yours.

            This morning my system updated to this :
            httpd x86_64 2.4.43-4.codeit.el7 CodeIT 1.4 M
            httpd-filesystem noarch 2.4.43-4.codeit.el7 CodeIT 29 k
            httpd-tools x86_64 2.4.43-4.codeit.el7 CodeIT 94 k
            mod_ssl x86_64 1:2.4.43-4.codeit.el7 CodeIT 121 k
            Installing for dependencies:
            openssl111-libs x86_64 1.1.1g-1.codeit.el7 CodeIT 1.4 M

            Works OK right now. Won’t update manually. Thanks a lot for your help

  3. Our server is crashing almost daily after we upgraded to 2.4.43-4. A lot of mpm errors and zend memory issues. Basically overnight the ram usage goes from 20% to 100% and everything crashes. The only solution is to keep rebooting constantly. Just updated to 2.4.43-5. Do you know what was fixed in this version?

Добавить комментарий

Ваш адрес email не будет опубликован. Обязательные поля помечены *