Apache httpd 2.4.57-1 with brotli compression library from Google, TLS 1.3, http2 (HTTP/2) support for Red Hat Enterprise Linux and CentOS 7/8, Alma Linux 8/9, Rocky Linux 8/9 added to repository. mod_http2 2.0.13 and mod_ssl are built dynamically against OpenSSL 3.0.8.
We build OpenSSL+QUIC 3.0.8 separately since v2.4.56-2, installing it separately to /lib64 with .so.81.3 suffix to ensure it won’t interfere with your system libraries. You can safely delete openssl111* packages. On EL8 and EL9 please enable httpd module:
dnf module enable httpd:codeit
Since 2.4.33 we added brotli compression library. Since 2.4.35 release we start building Apache httpd against OpenSSL 1.1.1*. Since 2.4.37 release TLS 1.3 final version (not to be confused with any draft versions) is supported and enabled by default. Please note that TLS 1.3 final version is supported in Chrome 70+ and Mozilla Firefox 63+. brotli support is already included in base RPM file. All you need is to add filters like
AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript
I get this error when trying to install httpd and mod_ssl on RHEL9
Error:
Problem: cannot install the best candidate for the job
— nothing provides httpd = 2.4.56-1.codeit.el9 needed by mod_ssl-1:2.4.56-1.codeit.el9.x86_64
(try to add ‘—skip-broken’ to skip uninstallable packages or ‘—nobest’ to use not only best candidate packages)
# cat /etc/yum.repos.d/codeit.repo
[CodeIT]
name=CodeIT repo
baseurl=https://repo.codeit.guru/packages/centos/$releasever/$basearch
enabled=1
gpgkey=https://repo.codeit.guru/RPM-GPG-KEY-el$releasever
gpgcheck=1
[CodeIT-mainline]
name=CodeIT mainline repo
baseurl=https://repo.codeit.guru/packages/mainline/centos/$releasever/$basearch
enabled=0
gpgkey=https://repo.codeit.guru/RPM-GPG-KEY-el$releasever
gpgcheck=1
[CodeIT-testing]
name=CodeIT testing repo
baseurl=https://repo.codeit.guru/packages/testing/$releasever/$basearch
enabled=0
gpgkey=https://repo.codeit.guru/RPM-GPG-KEY-el$releasever
gpgcheck=1
Hello, did you run:
dnf module enable -y httpd:codeit?
According to CVE-2023-0465, Openssl versions 3.0.0 to 3.0.8 are vulnerable. In order to resolve this issue, we need version 3.0.9 or higher. When will the updated version of Openssl be available? The Nessus scan results are shown below,
OpenSSL 3.0.0 < 3.0.9 Multiple Vulnerabilities
Description
The version of OpenSSL installed on the remote host is prior to 3.0.9. It is, therefore, affected by multiple vulnerabilities as referenced in the 3.0.9 advisory.
— A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. (CVE-2023-0464)
Solution
Upgrade to OpenSSL version 3.0.9 or later.
Banner : Apache/2.4.57 (codeit) OpenSSL/3.0.8+quic PHP/8.2.4
Reported version : 3.0.8
Fixed version : 3.0.9
Hello, according to https://www.openssl.org/source/ 3.0.9 was not yet released. What exactly do you want us to build?
Hello, OpenSSL 3.0.9 is now available. Can you upgrade to OpenSSL version 3.0.9?
Thank you so much.
Hello, we released 3.0.9 builds a while ago.
I meant about OpenSSL version through which you built httpd 2.4.57.
There’s no need to rebuild httpd, as library’s ABI is the same. Just upgrade the library.
Hello-
I got apache 2.4 to install on Amazon Linux 2 with your packages. I am also able to get openssl1.1.1x installed with their epel repo.
I picked the latest version of your http24 (httpd-2.4.57-1.codeit.el7.x86_64.rpm) and it started looking for openssl 3.0.x dependencies. Is the most recent version that supports openssl 1.1.1 httpd-2.4.46-1.codeit.el7.x86_64.rpm?
Thanks!
Hello Alex,
We need specific package, openssl-quic-libs from our repo, not usual openssl.
Please do not install outdated vulnerable httpd 2.4.46. Always use latest versions without known vulnerabilities.
Thanks, Alexander. For Amazon Linux 2 I kept getting an invalid URL for the repo. Because of that I ended up installing the packages via the URL to the RPM with yum. That would make it so that the pacakges would be upgraded (downgraded) back to the Amazon repos with higher priority after they were installed. I ended up hardcoding the $releasever value in the URL to the repo to 7 (it detects as 2 due to Amazon Linux «2»). I then set a priority level to 9 (one under the Amazon repo value of 10) to make it prefer your repo. This is the final repo file:
[CodeIT]
name=CodeIT repo
priority=9
baseurl=https://repo.codeit.guru/packages/centos/7/$basearch
enabled=1
gpgkey=https://repo.codeit.guru/RPM-GPG-KEY-codeit
gpgcheck=1
[CodeIT-mainline]
name=CodeIT mainline repo
priority=9
baseurl=https://repo.codeit.guru/packages/mainline/centos/7/$basearch
enabled=1
gpgkey=https://repo.codeit.guru/RPM-GPG-KEY-codeit
gpgcheck=1
[CodeIT-quic]
name=CodeIT mainline repo
priority=9
baseurl=https://repo.codeit.guru/packages/quic/7/$basearch
enabled=0
gpgkey=https://repo.codeit.guru/RPM-GPG-KEY-codeit
gpgcheck=1
[CodeIT-testing]
name=CodeIT testing repo
priority=9
baseurl=https://repo.codeit.guru/packages/testing/7/$basearch
enabled=0
gpgkey=https://repo.codeit.guru/RPM-GPG-KEY-codeit
gpgcheck=1
Now all packages are installed by your REPO with the standard yum install httpd and mod_ssl.
Thanks for the great work and help!
Alex, we do not support any rpm repo. I am aware that Amazon linux is not compatible with Redhat enterprise linux and thus we cannot guarantee that every dependency can be satisfied.
I never tested our repo on Amazon linux, but you can hardcode/replace $releasever or 7 in your example with 8 or 9.
But if you want to use our repo, please set up a new instance with a supported OS
My apololgies for the confusion… I meant I was installing your packages with commands like:
«yum install https://repo.codeit.guru/packages/centos/7/x86_64/httpd-2.4.57-1.codeit.el7.x86_64.rpm»
Thanks for the other information.
Hello Alexander, how can we upgrade the library?
Hello Ruben Alexsander!
Do you mean openssl?
dnf upgrade openssl-quic-libsFound this elsewhere as well, but w/o solution. I am on Centos Stream 8 and if I want to enable httpd from codeit, this happens:
$ sudo dnf module enable -y httpd:codeit
Last metadata expiration check: 1:49:22 ago on Tue 04 Jul 2023 01:54:36 PM CEST.
Error: Problems in request:
Modular dependency problems:
Problem: module php:7.4:8070020220804152218:afd00e68.x86_64 from appstream requires module(httpd:2.4), but none of the providers can be installed
— module httpd:2.4:8030020200831193443:30b713e6.x86_64 from appstream conflicts with module(httpd:codeit) provided by httpd:codeit:1:el8.x86_64 from CodeIT
— module httpd:codeit:1:el8.x86_64 from CodeIT conflicts with module(httpd:2.4) provided by httpd:2.4:8030020200831193443:30b713e6.x86_64 from appstream
— module httpd:2.4:8040020210520041022:9f9e2e7e.x86_64 from appstream conflicts with module(httpd:codeit) provided by httpd:codeit:1:el8.x86_64 from CodeIT
…
Bart,
This is the requirement from appstream, so I cannot propose any solution for php:7.4 stream.
Instead, you can use Remi (Fedora packager) php packages with great stability.
Can this version run PHP8?
Yes
On Centos 7?
And yes.