Apache httpd 2.4.57 with brotli support, TLS 1.3, OpenSSL 3.0.8 with http2, mod_http2 2.0.13 and ALPN for Red Hat Enterprise Linux 7/8/9, CentOS 7, Alma Linux 8/9, Rocky Linux 8/9

Apache httpd 2.4.57-1 with the brotli compression library from Google, TLS 1.3 and http2 (HTTP/2) support for Red Hat Enterprise Linux and CentOS 7/8, Alma Linux 8/9 and Rocky Linux 8/9 has been added to the repository. mod_http2 2.0.13 and mod_ssl are built dynamically against OpenSSL 3.0.8.

Since v2.4.56-2 we build OpenSSL+QUIC 3.0.8 ourselves and install it separately into /lib64 with a .so.81.3 suffix, so it does not interfere with your system libraries. You can safely delete the openssl111* packages. On EL8 and EL9, please enable the httpd module:

dnf module enable httpd:codeit

Since 2.4.33 we have shipped the brotli compression library. Starting with the 2.4.35 release we began building Apache httpd against OpenSSL 1.1.1*. Since the 2.4.37 release the final TLS 1.3 version (not to be confused with any draft versions) is supported and enabled by default. Please note that final TLS 1.3 is supported in Chrome 70+ and Mozilla Firefox 63+. brotli support is already included in the base RPM; all you need is to add filters such as

AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript

Apache httpd 2.4.57 with brotli support, TLS 1.3, OpenSSL 3.0.8 with http2, mod_http2 2.0.13 and ALPN for Red Hat Enterprise Linux 7/8/9, CentOS 7, Alma Linux 8/9, Rocky Linux 8/9: 21 comments

  1. I get this error when trying to install httpd and mod_ssl on RHEL9

    Error:
    Problem: cannot install the best candidate for the job
    - nothing provides httpd = 2.4.56-1.codeit.el9 needed by mod_ssl-1:2.4.56-1.codeit.el9.x86_64
    (try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)

    # cat /etc/yum.repos.d/codeit.repo
    [CodeIT]
    name=CodeIT repo
    baseurl=https://repo.codeit.guru/packages/centos/$releasever/$basearch
    enabled=1
    gpgkey=https://repo.codeit.guru/RPM-GPG-KEY-el$releasever
    gpgcheck=1

    [CodeIT-mainline]
    name=CodeIT mainline repo
    baseurl=https://repo.codeit.guru/packages/mainline/centos/$releasever/$basearch
    enabled=0
    gpgkey=https://repo.codeit.guru/RPM-GPG-KEY-el$releasever
    gpgcheck=1

    [CodeIT-testing]
    name=CodeIT testing repo
    baseurl=https://repo.codeit.guru/packages/testing/$releasever/$basearch
    enabled=0
    gpgkey=https://repo.codeit.guru/RPM-GPG-KEY-el$releasever
    gpgcheck=1

  2. According to CVE-2023-0465, Openssl versions 3.0.0 to 3.0.8 are vulnerable. In order to resolve this issue, we need version 3.0.9 or higher. When will the updated version of Openssl be available? The Nessus scan results are shown below,

    OpenSSL 3.0.0 < 3.0.9 Multiple Vulnerabilities

    Description
    The version of OpenSSL installed on the remote host is prior to 3.0.9. It is, therefore, affected by multiple vulnerabilities as referenced in the 3.0.9 advisory.

    - A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. (CVE-2023-0464)

    Solution
    Upgrade to OpenSSL version 3.0.9 or later.

    Banner : Apache/2.4.57 (codeit) OpenSSL/3.0.8+quic PHP/8.2.4
    Reported version : 3.0.8
    Fixed version : 3.0.9
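The scanner finding above is banner-based: it reads the OpenSSL token out of the Server header and compares it with the fixed version, and because the post's OpenSSL lives in /lib64 under a .so.81.3 suffix, the system openssl binary tells you nothing about what mod_ssl links. The following added shell example (not the post author's or CodeIT's code) reproduces that banner-versus-fixed-version comparison; the banner strings are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the CodeIT post or its comments. Reproduces the
# banner-based check a scanner performs: pull "3.0.8" out of
# "OpenSSL/3.0.8+quic" and compare it with the fixed version 3.0.9.
# All banner strings below are constructed samples.

# Print the OpenSSL version token from a Server banner ("3.0.8" from
# "OpenSSL/3.0.8+quic", "1.1.1t" from "OpenSSL/1.1.1t"); print nothing
# when the banner carries no OpenSSL token.
banner_openssl_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL\/\([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Return 0 when dotted version $1 is older than $2. Components are compared
# numerically; a trailing letter (OpenSSL 1.1.1s vs 1.1.1t) breaks ties.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        case $a in *.*) x=${a%%.*}; a=${a#*.} ;; *) x=$a; a= ;; esac
        case $b in *.*) y=${b%%.*}; b=${b#*.} ;; *) y=$b; b= ;; esac
        xn=${x%%[!0-9]*}; xs=${x#"$xn"}   # numeric part / letter suffix
        yn=${y%%[!0-9]*}; ys=${y#"$yn"}
        [ "${xn:-0}" -lt "${yn:-0}" ] && return 0
        [ "${xn:-0}" -gt "${yn:-0}" ] && return 1
        if [ "$xs" != "$ys" ]; then
            [ "$(expr "$xs" \< "$ys")" = 1 ]
            return
        fi
    done
    return 1   # equal versions are not "older"
}

# Return 0 ("finding stands") when the banner's OpenSSL is below the fixed
# version; 1 when it is at or above it, or when the banner names no OpenSSL.
banner_below_fixed() {
    v=$(banner_openssl_version "$1")
    [ -n "$v" ] && version_lt "$v" "$2"
}

# Constructed sample: the banner quoted in the comment above vs. the fix.
if banner_below_fixed 'Apache/2.4.57 (codeit) OpenSSL/3.0.8+quic PHP/8.2.4' 3.0.9; then
    echo 'OpenSSL 3.0.8 < 3.0.9: finding stands until httpd/mod_ssl are rebuilt'
fi
```

On a live host, running ldd against the loaded mod_ssl module shows which libssl it actually resolves (the .so.81.3 copy or the system one); the banner is only a proxy for that.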

  3. Hello-

    I got apache 2.4 to install on Amazon Linux 2 with your packages. I am also able to get openssl1.1.1x installed with their epel repo.

    I picked the latest version of your http24 (httpd-2.4.57-1.codeit.el7.x86_64.rpm) and it started looking for openssl 3.0.x dependencies. Is the most recent version that supports openssl 1.1.1 httpd-2.4.46-1.codeit.el7.x86_64.rpm?

    Thanks!

      1. Thanks, Alexander. For Amazon Linux 2 I kept getting an invalid URL for the repo. Because of that I ended up installing the packages via the URL to the RPM with yum. That would make it so that the packages would be upgraded (downgraded) back to the Amazon repos with higher priority after they were installed. I ended up hardcoding the $releasever value in the URL to the repo to 7 (it detects as 2 due to Amazon Linux "2"). I then set a priority level to 9 (one under the Amazon repo value of 10) to make it prefer your repo. This is the final repo file:

        [CodeIT]
        name=CodeIT repo
        priority=9
        baseurl=https://repo.codeit.guru/packages/centos/7/$basearch
        enabled=1
        gpgkey=https://repo.codeit.guru/RPM-GPG-KEY-codeit
        gpgcheck=1

        [CodeIT-mainline]
        name=CodeIT mainline repo
        priority=9
        baseurl=https://repo.codeit.guru/packages/mainline/centos/7/$basearch
        enabled=1
        gpgkey=https://repo.codeit.guru/RPM-GPG-KEY-codeit
        gpgcheck=1

        [CodeIT-quic]
        name=CodeIT mainline repo
        priority=9
        baseurl=https://repo.codeit.guru/packages/quic/7/$basearch
        enabled=0
        gpgkey=https://repo.codeit.guru/RPM-GPG-KEY-codeit
        gpgcheck=1

        [CodeIT-testing]
        name=CodeIT testing repo
        priority=9
        baseurl=https://repo.codeit.guru/packages/testing/7/$basearch
        enabled=0
        gpgkey=https://repo.codeit.guru/RPM-GPG-KEY-codeit
        gpgcheck=1

        Now all packages are installed by your REPO with the standard yum install httpd and mod_ssl.

        Thanks for the great work and help!

        1. Alex, we do not support any rpm repo. I am aware that Amazon Linux is not compatible with Red Hat Enterprise Linux and thus we cannot guarantee that every dependency can be satisfied.
          I never tested our repo on Amazon Linux, but you can hardcode/replace $releasever or 7 in your example with 8 or 9.

          But if you want to use our repo, please set up a new instance with a supported OS.

  4. Found this elsewhere as well, but w/o solution. I am on Centos Stream 8 and if I want to enable httpd from codeit, this happens:
    $ sudo dnf module enable -y httpd:codeit
    Last metadata expiration check: 1:49:22 ago on Tue 04 Jul 2023 01:54:36 PM CEST.
    Error: Problems in request:
    Modular dependency problems:

    Problem: module php:7.4:8070020220804152218:afd00e68.x86_64 from appstream requires module(httpd:2.4), but none of the providers can be installed
    - module httpd:2.4:8030020200831193443:30b713e6.x86_64 from appstream conflicts with module(httpd:codeit) provided by httpd:codeit:1:el8.x86_64 from CodeIT
    - module httpd:codeit:1:el8.x86_64 from CodeIT conflicts with module(httpd:2.4) provided by httpd:2.4:8030020200831193443:30b713e6.x86_64 from appstream
    - module httpd:2.4:8040020210520041022:9f9e2e7e.x86_64 from appstream conflicts with module(httpd:codeit) provided by httpd:codeit:1:el8.x86_64 from CodeIT
