Apache httpd 2.4.57 with brotli support, TLS 1.3, OpenSSL 3.0.8 with http2, mod_http2 2.0.13 and ALPN for Red Hat Enterprise Linux 7/8/9, CentOS 7, Alma Linux 8/9, Rocky Linux 8/9

Apache httpd 2.4.57-1 with the brotli compression library from Google, TLS 1.3 and http2 (HTTP/2) support has been added to the repository for Red Hat Enterprise Linux and CentOS 7/8, Alma Linux 8/9 and Rocky Linux 8/9. mod_http2 2.0.13 and mod_ssl are built dynamically against OpenSSL 3.0.8.

We have built OpenSSL+QUIC 3.0.8 separately since v2.4.56-2, installing it to /lib64 with the .so.81.3 suffix so that it won't interfere with your system libraries. You can safely delete the openssl111* packages. On EL8 and EL9, please enable the httpd module:

dnf module enable httpd:codeit

Since 2.4.33 we have included the brotli compression library. Since the 2.4.35 release we have built Apache httpd against OpenSSL 1.1.1*. Since the 2.4.37 release the final version of TLS 1.3 (not to be confused with any draft versions) is supported and enabled by default. Please note that the final version of TLS 1.3 is supported in Chrome 70+ and Mozilla Firefox 63+. brotli support is already included in the base RPM file. All you need to do is add filters like:

AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript

4 comments

  1. I get this error when trying to install httpd and mod_ssl on RHEL9

    Problem: cannot install the best candidate for the job
    - nothing provides httpd = 2.4.56-1.codeit.el9 needed by mod_ssl-1:2.4.56-1.codeit.el9.x86_64
    (try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)

    # cat /etc/yum.repos.d/codeit.repo
    name=CodeIT repo

    name=CodeIT mainline repo

    name=CodeIT testing repo

  2. According to CVE-2023-0465, OpenSSL versions 3.0.0 to 3.0.8 are vulnerable. In order to resolve this issue, we need version 3.0.9 or higher. When will the updated version of OpenSSL be available? The Nessus scan results are shown below:

    OpenSSL 3.0.0 < 3.0.9 Multiple Vulnerabilities

    The version of OpenSSL installed on the remote host is prior to 3.0.9. It is, therefore, affected by multiple vulnerabilities as referenced in the 3.0.9 advisory.

    - A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. (CVE-2023-0464)

    Upgrade to OpenSSL version 3.0.9 or later.

    Banner : Apache/2.4.57 (codeit) OpenSSL/3.0.8+quic PHP/8.2.4
    Reported version : 3.0.8
    Fixed version : 3.0.9
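
The version comparison behind a banner-based finding like the one quoted in the last comment, as an added example (not part of the original post or comments, and not Nessus's or CodeIT's code): it parses the `Server` banner and compares the advertised OpenSSL version with the fixed version. The function names are assumptions; the banner and fixed version are the values from the scan output above.

```python
import re

# Values copied from the scan output quoted in the comment above.
BANNER = "Apache/2.4.57 (codeit) OpenSSL/3.0.8+quic PHP/8.2.4"
FIXED_OPENSSL = "3.0.9"

TOKEN_RE = re.compile(r"([A-Za-z][\w.-]*)/(\S+)")
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]*)")


def parse_banner(banner):
    """Return {product: version} for each product/version token in a Server banner."""
    # Drop parenthesised comments such as "(codeit)" before tokenising.
    stripped = re.sub(r"\([^)]*\)", " ", banner)
    return {name: ver for name, ver in TOKEN_RE.findall(stripped)}


def version_key(version):
    """Turn '3.0.8+quic' or '1.1.1k' into a comparable (numbers, letter) tuple."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, m.group(2)  # build suffixes such as '+quic' are ignored


def is_older(reported, fixed):
    """True when the reported version sorts before the fixed version."""
    return version_key(reported) < version_key(fixed)


def check_banner(banner, product, fixed):
    """Return (reported_version, flagged); (None, False) if the product is not advertised."""
    reported = parse_banner(banner).get(product)
    if reported is None:
        # e.g. "ServerTokens Prod" reduces the banner to just "Apache"
        return None, False
    return reported, is_older(reported, fixed)


if __name__ == "__main__":
    reported, flagged = check_banner(BANNER, "OpenSSL", FIXED_OPENSSL)
    print(f"Reported version : {reported}")
    print(f"Fixed version    : {FIXED_OPENSSL}")
    print(f"Flagged          : {flagged}")
```

A check of this kind sees only the advertised version string, so its result says nothing about which fixes the installed library actually contains.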
