Apache httpd 2.4.29 with http2 support for Red Hat Enterprise Linux and CentOS has been added to the repository. Mod_ssl is built statically with OpenSSL 1.1.0g. Links:
Yes, we have switched to building Apache httpd with OpenSSL 1.1.0.
Note that, as of version 2.4.27, the Apache httpd http2 module does not support the prefork MPM. Earlier, in version 2.4.26, we saw crashes with prefork and decided not to publish our builds because of them. If you need mod_http2, disable the prefork MPM and enable the worker MPM in /etc/httpd/conf.modules.d/00-mpm.conf
This change has already been made in the file we ship in the package. If you are upgrading an existing installation, update the file.
To work with SELinux, set the following boolean:
setsebool -P httpd_execmem=1
The easiest way to install is to use our repository. Please note that the package dependencies include apr-util 1.5.0+ and libnghttp, which I would recommend taking from the EPEL repository. So the simplest way to use Apache HTTPd is to enable the EPEL repository:
yum install -y epel-release
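A way to confirm after an upgrade that the MPM switch described above is in effect, written as an added example rather than a script from the package. The function names and the sample 00-mpm.conf contents are constructed for illustration; the check scans every .conf file in the modules directory because a stale file can load a second MPM.

```shell
#!/bin/sh
# Added example (not from the package): report which MPM httpd will load.

# Print the MPM names loaded by uncommented LoadModule lines in DIR/*.conf.
active_mpms() {
    sed -n 's/^[[:space:]]*LoadModule[[:space:]]\{1,\}mpm_\([a-z]*\)_module[[:space:]].*/\1/p' \
        "$1"/*.conf 2>/dev/null
}

# Exit status 0 only if exactly one MPM is loaded and it is not prefork.
check_mpm_for_http2() {
    dir=${1:-/etc/httpd/conf.modules.d}
    mpms=$(active_mpms "$dir") || true
    count=$(printf '%s\n' "$mpms" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "FAIL: expected exactly one active MPM in $dir, found $count"
        return 2
    fi
    if [ "$mpms" = prefork ]; then
        echo "FAIL: prefork MPM is active; mod_http2 will not work with it"
        return 1
    fi
    echo "OK: $mpms MPM is active"
}

# Constructed sample: write a 00-mpm.conf into directory $1,
# leaving only the MPM named in $2 uncommented.
write_sample_conf() {
    for m in prefork worker event; do
        [ "$m" = "$2" ] || printf '#'
        printf 'LoadModule mpm_%s_module modules/mod_mpm_%s.so\n' "$m" "$m"
    done > "$1/00-mpm.conf"
}

demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir" prefork
check_mpm_for_http2 "$demo_dir" || true     # old file kept across an upgrade
write_sample_conf "$demo_dir" worker
check_mpm_for_http2 "$demo_dir"             # file with worker enabled
rm -rf "$demo_dir"
```

Called without an argument, check_mpm_for_http2 inspects /etc/httpd/conf.modules.d, the directory named in the post.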
Hi, Alexander! Thanks for your efforts supporting Apache packages!
Could you add also OpenSSL 1.1.0g rpm package for CentOS 7.4? Manual installs like https://codeinpython.blogspot.com/2017/06/how-to-install-openssl-110-on-centos-7.html don’t work, stuck with OpenSSL 1.0.2.
Hi Binyamin!
Idea to build Apache httpd with statically linked OpenSSL 1.0.2 / 1.1.0 was successful because we don’t need to replace system OpenSSL. Of course we easily build OpenSSL 1.0.2 or 1.1.0 on EL 7 platform but if you really plan to replace officially supplied version, many many things will be broken.
And yes, if you need it, it will be ok to keep it in /usr/local (this will be so if you will simply build it without any configuration) so it won’t affect your system.
I don’t think we will support standalone OpenSSL version as soon as we link it statically.
Done updates look all ok.
Thanks 😉
Hi and thanks for awesome work. Have you planned to build 2.4.29 against OpenSSL 1.0.2k, which is the default in CentOS 7.4?
Hi Rics,
No, we don’t, as we are trying to support EL 7.3 too at this moment.
Are there reasons to have separate build (dynamically linked against 1.0.2)?
I thought that Apache should always be built with the same OpenSSL version that the OS has. So is it ok to use in production Apache with OpenSSL 1.1.0g with CentOS OpenSSL 1.0.2k?
Thanks!
Yes, sure.
We build Apache and NGINX and do not rely on specific OpenSSL version that is bundled with OS.
Hi Alexander!
Out of interest, which config options are you using when building static OpenSSL?
Hi Rics!
It’s minimum required: all defaults + no-shared + fPIC.
Any chance you could enable mod_brotli ? I see that you do for nginx and it would be a nice feature to have.
Thank you for the suggestion, Jonathan. I will check if we will be able to include it in the next version.
Hello,
thank you for your work. I have a question. I’m trying to enable http 2.0 for a virtual host, but I’m not successful. In online test sites the server is Http2.0 ready — but when I see requests in the browser via the network console I see that only http 1 is used.
Can you tell me why, please?
Protocols h2 http/1.1
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
….
Thanks
Pavel
Hello Pavel,
First, you need to check if your browser is compiled against TLS 1.0.2+ compatible libraries. So we need more details like OS/version, browser and its version and full URL you are checking.
I suspect the problem can be on your side or network (e.g. transparent proxies can break TLS ALPN negotiation).
Hello,
I tried FF 58.0.2 64b, Edge 41.16299.248.0. You can try it here — (removed by Alexander) (please after read it, delete this URL from this post).
Thank you
Pavel
Hello. Done.
Works fine for me:
Thanks for your check. Where can the problem be, please? I tried another computer now + Chrome. Without effect. Still http 1.0. Any idea for this?
OK, I have it! Bitdefender with SSL Scan on is the problem.
Nice! My congratulations 🙂
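The thread above ends with a local SSL-scanning product as the cause. A transcript from openssl s_client taken on the affected machine separates that case from a server that simply does not select h2. The classifier below is an added example, not part of the original comments; the function name, verdict strings, host and CA names are constructed.

```shell
#!/bin/sh
# Added example: classify the transcript printed on the client machine by
#   openssl s_client -connect HOST:443 -servername HOST -alpn h2,http/1.1 </dev/null
# $1 = transcript text
# $2 = substring expected in the issuer of the server's real certificate
diagnose_alpn() {
    issuer=$(printf '%s\n' "$1" | sed -n 's/^issuer=//p' | head -n 1)
    alpn=$(printf '%s\n' "$1" | sed -n 's/^ALPN protocol: //p' | head -n 1)
    if [ -z "$issuer" ]; then
        echo "no-certificate"           # handshake never got that far
        return 0
    fi
    case $issuer in
        *"$2"*) ;;                      # certificate comes from the expected CA
        *) echo "issuer-mismatch"       # something on the path re-signed the session
           return 0 ;;
    esac
    if [ "$alpn" = h2 ]; then
        echo "h2-ok"
    else
        echo "no-h2"                    # direct path, but h2 was not selected
    fi
}

# Constructed transcripts, trimmed to the lines the function reads.
SAMPLE_DIRECT='subject=/CN=www.example.test
issuer=/O=Example Public CA/CN=Example Issuing CA
---
ALPN protocol: h2'

SAMPLE_SCANNED='subject=/CN=www.example.test
issuer=/O=Constructed Endpoint AV/CN=Local Scanning Root
---
No ALPN negotiated'

SAMPLE_NO_H2='subject=/CN=www.example.test
issuer=/O=Example Public CA/CN=Example Issuing CA
---
No ALPN negotiated'

diagnose_alpn "$SAMPLE_DIRECT"  'Example Public CA'
diagnose_alpn "$SAMPLE_SCANNED" 'Example Public CA'
diagnose_alpn "$SAMPLE_NO_H2"   'Example Public CA'
```

An issuer-mismatch verdict on one machine and h2-ok from another network location points at the client side rather than at the httpd configuration.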
Hi,
I am trying to compile Apache 2.4.33 with OpenSSL 1.1.0h. But I keep getting this error message. I have been trying to get past this issue for the last 2 weeks. Can you please advise what I should be doing here? Apologies if it is outside of the work published here.
libapr-1.la -luuid -lrt -lcrypt -lpthread -lm -lssl -lcrypto -luuid -lrt -lcrypt -lthread
ab.c: In function `ssl_print_cert_info’:
ab.c:649 undefined reference to `X509_get_version’
ab.c:651 undefined reference to `X509_getm_notBefore’
ab.c:655 undefined reference to `X509_getm_notAfter’
ab.c:571 undefined reference to `SSL_in_init’
ab.c:571 undefined reference to `SSL_is_server’
x509.h:97 undefined reference to `OPENSSL_sk_num’
x509.h:97 undefined reference to `OPENSSL_sk_value’
ab.c:1941 undefined reference to `SSL_in_init`
…..
…
…
collect2: ld returned 1 exit status
make[2] *** [ab] Error 1
make[2]: Leaving directory ‘/local/apache24buildx64/http-2.4.33/support’
make[1]: *** [install-recursive] Error 1
make[1]: Leaving directory ‘/local/apache24buildx64/httpd-2.4.33/support’
make: *** [install-recursive] Error 1