Apache httpd 2.4.57-1 with the brotli compression library from Google, TLS 1.3 and HTTP/2 (http2) support has been added to the repository for Red Hat Enterprise Linux and CentOS 7/8, Alma Linux 8/9 and Rocky Linux 8/9. mod_http2 2.0.13 and mod_ssl are built dynamically against OpenSSL 3.0.8.
Since v2.4.56-2 we build OpenSSL+QUIC 3.0.8 separately and install it to /lib64 with a .so.81.3 suffix so that it won't interfere with your system libraries. You can safely delete the openssl111* packages. On EL8 and EL9, please enable the httpd module:
dnf module enable httpd:codeit
The brotli compression library has been included since 2.4.33. With the 2.4.35 release we started building Apache httpd against OpenSSL 1.1.1*. Since the 2.4.37 release, the final version of TLS 1.3 (not to be confused with any draft version) is supported and enabled by default. Please note that the final version of TLS 1.3 is supported in Chrome 70+ and Mozilla Firefox 63+. brotli support is already included in the base RPM file. All you need to do is add filters like:
AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript
I get this error when trying to install httpd and mod_ssl on RHEL9
Error:
Problem: cannot install the best candidate for the job
- nothing provides httpd = 2.4.56-1.codeit.el9 needed by mod_ssl-1:2.4.56-1.codeit.el9.x86_64
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
# cat /etc/yum.repos.d/codeit.repo
[CodeIT]
name=CodeIT repo
baseurl=https://repo.codeit.guru/packages/centos/$releasever/$basearch
enabled=1
gpgkey=https://repo.codeit.guru/RPM-GPG-KEY-el$releasever
gpgcheck=1
[CodeIT-mainline]
name=CodeIT mainline repo
baseurl=https://repo.codeit.guru/packages/mainline/centos/$releasever/$basearch
enabled=0
gpgkey=https://repo.codeit.guru/RPM-GPG-KEY-el$releasever
gpgcheck=1
[CodeIT-testing]
name=CodeIT testing repo
baseurl=https://repo.codeit.guru/packages/testing/$releasever/$basearch
enabled=0
gpgkey=https://repo.codeit.guru/RPM-GPG-KEY-el$releasever
gpgcheck=1
Hello, did you run:
dnf module enable -y httpd:codeit
?
According to CVE-2023-0465, OpenSSL versions 3.0.0 to 3.0.8 are vulnerable. In order to resolve this issue, we need version 3.0.9 or higher. When will the updated version of OpenSSL be available? The Nessus scan results are shown below:
OpenSSL 3.0.0 < 3.0.9 Multiple Vulnerabilities
Description
The version of OpenSSL installed on the remote host is prior to 3.0.9. It is, therefore, affected by multiple vulnerabilities as referenced in the 3.0.9 advisory.
- A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. (CVE-2023-0464)
Solution
Upgrade to OpenSSL version 3.0.9 or later.
Banner : Apache/2.4.57 (codeit) OpenSSL/3.0.8+quic PHP/8.2.4
Reported version : 3.0.8
Fixed version : 3.0.9
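The finding above pairs a Server banner with a reported and a fixed version. The following sketch reproduces that comparison so you can check your own banners; it is an added example, not part of the original thread or the repository's tooling. The function names are hypothetical, and the second banner in the comments is constructed.

```shell
#!/bin/sh
# Added example: compare the OpenSSL version advertised in an httpd Server
# banner against a fixed version. Handles the three-part 3.x numbering only;
# letter-suffixed 1.x versions (e.g. 1.1.1t) are out of scope.

# Extract the numeric OpenSSL version (e.g. 3.0.8) from a banner,
# dropping build suffixes such as "+quic". Prints nothing if absent.
banner_openssl_version() {
    printf '%s\n' "$1" |
        sed -n 's|.*OpenSSL/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p'
}

# Return 0 if version $1 is lower than version $2.
# Fields are compared numerically, so 3.0.10 sorts after 3.0.9
# (a plain string comparison would get this wrong).
version_lt() {
    if [ "$1" = "$2" ]; then return 1; fi
    lowest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# Print "affected", "not-affected" or "unknown" for a banner ($1)
# and a fixed version ($2).
check_banner() {
    found=$(banner_openssl_version "$1")
    if [ -z "$found" ]; then
        echo unknown            # banner does not expose an OpenSSL version
        return 0
    fi
    if version_lt "$found" "$2"; then
        echo affected
    else
        echo not-affected
    fi
}

# Banner and fixed version taken from the scan output quoted above.
check_banner 'Apache/2.4.57 (codeit) OpenSSL/3.0.8+quic PHP/8.2.4' 3.0.9
# Constructed banner: a later patch level with a two-digit field.
check_banner 'Apache/2.4.57 (codeit) OpenSSL/3.0.10+quic' 3.0.9
```

The result reflects only what the banner advertises, not which library mod_ssl has actually loaded.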
Hello, according to https://www.openssl.org/source/ 3.0.9 was not yet released. What exactly do you want us to build?