Apache httpd 2.4.57 with brotli support, TLS 1.3, OpenSSL 3.0.8 with http2, mod_http2 2.0.13 and ALPN for Red Hat Enterprise Linux 7/8/9, CentOS 7, Alma Linux 8/9, Rocky Linux 8/9

Apache httpd 2.4.57-1 with the brotli compression library from Google, TLS 1.3 and http2 (HTTP/2) support for Red Hat Enterprise Linux and CentOS 7/8, Alma Linux 8/9 and Rocky Linux 8/9 has been added to the repository. mod_http2 2.0.13 and mod_ssl are built dynamically against OpenSSL 3.0.8.

Since v2.4.56-2 we build OpenSSL+QUIC 3.0.8 separately and install it to /lib64 with a .so.81.3 suffix to ensure it won't interfere with your system libraries. You can safely delete the openssl111* packages. On EL8 and EL9, please enable the httpd module:

    dnf module enable httpd:codeit

Since 2.4.33 we have included the brotli compression library. Since the 2.4.35 release we have built Apache httpd against OpenSSL 1.1.1*. Since the 2.4.37 release the final version of TLS 1.3 (not to be confused with any draft version) is supported and enabled by default. Please note that the final version of TLS 1.3 is supported in Chrome 70+ and Mozilla Firefox 63+. brotli support is already included in the base RPM file. All you need to do is add filters like:

    AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript
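A fuller configuration for the features this build ships (brotli, HTTP/2 over ALPN, TLS 1.3), as an added example that is not part of the original post or of the CodeIT packages. The directives are stock core httpd, mod_ssl and mod_brotli ones; the file name, the TLS 1.2 floor, the quality level and the `/account/` path are assumptions chosen for illustration.

```apache
# Constructed example, e.g. /etc/httpd/conf.d/h2-brotli.conf (file name is an assumption)

# Offer HTTP/2 first and fall back to HTTP/1.1. On TLS vhosts the
# protocol is negotiated through ALPN, so mod_http2 must be loaded.
Protocols h2 http/1.1

# TLS 1.3 is enabled by default in this build. The line below also pins the
# lower bound to TLS 1.2 (an assumed policy, adjust to your client base).
SSLProtocol -all +TLSv1.2 +TLSv1.3

# TLS-level compression stays off (CRIME); HTTP-level compression is
# handled by mod_brotli below.
SSLCompression off

<IfModule brotli_module>
    # 0-11; higher values compress better but cost more CPU per response.
    BrotliCompressionQuality 5

    # The filter from the post: compress text-like responses for clients
    # that send "Accept-Encoding: br".
    AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript

    # Already-compressed formats gain nothing from a second pass.
    SetEnvIfNoCase Request_URI "\.(?:gif|jpe?g|png|webp|zip|gz|br)$" no-brotli

    # Dynamic pages that carry secrets (CSRF tokens, session data) next to
    # reflected request input leak information through compressed length
    # (BREACH). Excluding them from compression removes that side channel.
    # "/account/" is a hypothetical path for such pages.
    SetEnvIf Request_URI "^/account/" no-brotli
</IfModule>
```

Run `httpd -t` to validate the syntax before reloading the server.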

Apache httpd 2.4.57 with brotli support, TLS 1.3, OpenSSL 3.0.8 with http2, mod_http2 2.0.13 and ALPN for Red Hat Enterprise Linux 7/8/9, CentOS 7, Alma Linux 8/9, Rocky Linux 8/9: 16 comments

  1. I get this error when trying to install httpd and mod_ssl on RHEL9

    Error:
    Problem: cannot install the best candidate for the job
    - nothing provides httpd = 2.4.56-1.codeit.el9 needed by mod_ssl-1:2.4.56-1.codeit.el9.x86_64
    (try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)

    # cat /etc/yum.repos.d/codeit.repo
    [CodeIT]
    name=CodeIT repo
    baseurl=https://repo.codeit.guru/packages/centos/$releasever/$basearch
    enabled=1
    gpgkey=https://repo.codeit.guru/RPM-GPG-KEY-el$releasever
    gpgcheck=1

    [CodeIT-mainline]
    name=CodeIT mainline repo
    baseurl=https://repo.codeit.guru/packages/mainline/centos/$releasever/$basearch
    enabled=0
    gpgkey=https://repo.codeit.guru/RPM-GPG-KEY-el$releasever
    gpgcheck=1

    [CodeIT-testing]
    name=CodeIT testing repo
    baseurl=https://repo.codeit.guru/packages/testing/$releasever/$basearch
    enabled=0
    gpgkey=https://repo.codeit.guru/RPM-GPG-KEY-el$releasever
    gpgcheck=1

  2. According to CVE-2023-0465, OpenSSL versions 3.0.0 to 3.0.8 are vulnerable. In order to resolve this issue, we need version 3.0.9 or higher. When will the updated version of OpenSSL be available? The Nessus scan results are shown below:

    OpenSSL 3.0.0 < 3.0.9 Multiple Vulnerabilities

    Description
    The version of OpenSSL installed on the remote host is prior to 3.0.9. It is, therefore, affected by multiple vulnerabilities as referenced in the 3.0.9 advisory.

    - A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. (CVE-2023-0464)

    Solution
    Upgrade to OpenSSL version 3.0.9 or later.

    Banner : Apache/2.4.57 (codeit) OpenSSL/3.0.8+quic PHP/8.2.4
    Reported version : 3.0.8
    Fixed version : 3.0.9

  3. Found this elsewhere as well, but w/o solution. I am on CentOS Stream 8 and if I want to enable httpd from codeit, this happens:
    $ sudo dnf module enable -y httpd:codeit
    Last metadata expiration check: 1:49:22 ago on Tue 04 Jul 2023 01:54:36 PM CEST.
    Error: Problems in request:
    Modular dependency problems:

    Problem: module php:7.4:8070020220804152218:afd00e68.x86_64 from appstream requires module(httpd:2.4), but none of the providers can be installed
    - module httpd:2.4:8030020200831193443:30b713e6.x86_64 from appstream conflicts with module(httpd:codeit) provided by httpd:codeit:1:el8.x86_64 from CodeIT
    - module httpd:codeit:1:el8.x86_64 from CodeIT conflicts with module(httpd:2.4) provided by httpd:2.4:8030020200831193443:30b713e6.x86_64 from appstream
    - module httpd:2.4:8040020210520041022:9f9e2e7e.x86_64 from appstream conflicts with module(httpd:codeit) provided by httpd:codeit:1:el8.x86_64 from CodeIT
