NGINX 1.25.5 Mainline with Brotli, TLS 1.3, OpenSSL 3.0.13, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9

NGINX 1.25.5 mainline with HTTP/3 support added to EL7, EL8, EL9 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using OpenSSL+QUIC 3.0.13.

Apache httpd 2.4.59 with brotli support, TLS 1.3, OpenSSL 3.0.13 with http2, mod_http2 2.0.27 and ALPN for Red Hat Enterprise Linux 7/8/9, CentOS 7, Alma Linux 8/9, Rocky Linux 8/9

Apache httpd 2.4.59-1 with brotli compression library from Google, TLS 1.3, http2 (HTTP/2) support for Red Hat Enterprise Linux and CentOS 7/8, Alma Linux 8/9, Rocky Linux 8/9 added to repository. mod_http2 2.0.13 and mod_ssl are built dynamically against OpenSSL 3.0.11. Important fix: CVE-2024-27316 We build OpenSSL+QUIC 3.0.11 separately since v2.4.56-2, installing it separately to /lib64 with .so.81.3 suffix to ensure it won’t interfere with your system libraries. You can safely delete openssl111* packages. On EL8 and EL9 please enable httpd module:

dnf module enable httpd:codeit

Since 2.4.33 we added brotli compression library. Since 2.4.35 release we start building Apache httpd against OpenSSL 1.1.1*. Since 2.4.37 release TLS 1.3 final version (not to be confused with any draft versions) is supported and enabled by default. Please note that TLS 1.3 final version is supported in Chrome 70+ and Mozilla Firefox 63+. brotli support is already included in base RPM file. All you need is to add filters like

AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript

nghttp2 1.61.0 released fixing CVE-2024-28182

nghttp2 1.61.0 rpms released and added to all platforms.

UPD. EL7 and EL8 also updated with the added patch reverting migrate-to-ares_getaddrinfo changes.

Fixes CVE-2024-28182 nghttpx: Shutdown h3 stream read with trailer as well by @tatsuhiro-t in #2087 Checkout with submodules by @jonaski in #2093 Respect BUILD_STATIC_LIBS and add option for tests by @jonaski in #2092 build(deps): bump golang.org/x/net from 0.21.0 to 0.22.0 by @dependabot in #2097 Workaround llvm issue on github ubuntu runner by @tatsuhiro-t in #2098 docker: Use copy —link by @tatsuhiro-t in #2099 Nghttpx header idle timeout by @tatsuhiro-t in #2100 nghttpx: Fix frontend-header-timeout does not work in config file by @tatsuhiro-t in #2101 Rewrite hexdump by @tatsuhiro-t in #2102 Switch to distroless/base-nossl by @tatsuhiro-t in #2103 Bump ngtcp2 by @tatsuhiro-t in #2105 nghttpx: Simplify quic connection close handling by @tatsuhiro-t in #2106 build(deps): bump github.com/quic-go/quic-go from 0.41.0 to 0.42.0 by @dependabot in #2107 autotools: Use tar-ustar automake option by @tatsuhiro-t in #2108 Automate release process by @tatsuhiro-t in #2109 autotools: Switch to tar-pax by @tatsuhiro-t in #2110 nghttpx: Drop a UDP datagram from well-known port by @tatsuhiro-t in #2111 nghttpx: Fix port byte order by @tatsuhiro-t in #2112 h2load: Allow host header to be overridden by @tatsuhiro-t in #2113 nghttpx: Rework QUIC stateless reset packet size by @tatsuhiro-t in #2114 nghttpx: More QUIC prohibited ports by @tatsuhiro-t in #2115 Add actions/stale by @tatsuhiro-t in #2116 nghttpx: Discard UDP datagram that is too short to be a valid QUIC packet by @tatsuhiro-t in #2117 nghttp: Support SSLKEYLOGFILE by @tatsuhiro-t in #2119 No rfc7540 priority fix by @tatsuhiro-t in #2120 Further reduce Stateless reset emission by @tatsuhiro-t in #2122 nghttpx: Rework Connection ID construction by @tatsuhiro-t in #2124 Nghttpx faster worker lookup by @tatsuhiro-t in #2125 nghttpx: Split thread into worker_process and thread by @tatsuhiro-t in #2126 bpf: Drop bad QUIC packet by @tatsuhiro-t in #2127 cmake: check SSL_provide_quic_data when ENABLE_HTTP3 is ON by @jimmy-park in #2128 nghttpx: Allocate 3 bits for QUIC configuration in Connection ID by @tatsuhiro-t in #2129 nghttpx: Migrate to ares_getaddrinfo by @tatsuhiro-t in #2132 Bump munit by @tatsuhiro-t in #2131 nghttpx: Fix error message by @tatsuhiro-t in #2133 nghttpd: Fix read stall by @tatsuhiro-t in #2134

ngtcp2 1.4.0 released

ngtcp2 1.4.0 rpms released and added to all supported platforms

Erase sensitive data before freeing memory by @tatsuhiro-t in #1122
Fix compile error with libstdc++6-14 by @tatsuhiro-t in #1123
Make congestion controller use the current path MTU by @tatsuhiro-t in #1124
Reduce malloc call in conn_new by @tatsuhiro-t in #1125
Add missing FindJemalloc.cmake to EXTRA_DIST by @tatsuhiro-t in #1127
Automate release process by @tatsuhiro-t in #1130
Make Path MTU Discovery probes configurable by @tatsuhiro-t in #1128
examples: Add —pmtud-probes option by @tatsuhiro-t in #1132
Accept zero length UDP datagram payload and just return 0 by @tatsuhiro-t in #1134
Deal with the case that send_quantum < max_udp_payload_size by @tatsuhiro-t in #1135
Adjust simpleclient buffer to have default max_tx_udp_payload_size by @tatsuhiro-t in #1136
Document about outgoing UDP datagram payload size by @tatsuhiro-t in #1137
Move ngtcp2_settings_default_versioned to ngtcp2_settings.c by @tatsuhiro-t in #1138
Refactor acktr by @tatsuhiro-t in #1139
Cleanup free functions called from conn_new by @tatsuhiro-t in #1140
Make functions that discard pkns callable from the other source files by @tatsuhiro-t in #1141
Add typed ngtcp2_min and ngtcp2_max functions by @tatsuhiro-t in #1142
Avoid setting 0 after memset by @tatsuhiro-t in #1143
Move ngtcp2_transport_params functions to its own file by @tatsuhiro-t in #1144
Remove unused ngtcp2_conversion_test.c by @tatsuhiro-t in #1145
Move struct version to the last argument by @tatsuhiro-t in #1146
git clone recursive by @tatsuhiro-t in #1147
Update README.rst by @Karthikdasari0423 in #1150
ngtcp2_conn_write_connection_close: Fix assertion failure by @tatsuhiro-t in #1154
Fix assertion failure because of failing dup Connection ID check by @tatsuhiro-t in #1155
fuzz: Add read_write_pkt fuzzer by @tatsuhiro-t in #1156
Workaround llvm issue by @tatsuhiro-t in #1158
fuzz: Add missing include by @tatsuhiro-t in #1159
fuzz: Workaround llvm issue by @tatsuhiro-t in #1160
Add 2 new ngtcp2_ccerr_type values by @tatsuhiro-t in #1161
Add handshake fuzzer by @tatsuhiro-t in #1162
docker: Use copy —link by @tatsuhiro-t in #1163
Bump aws-lc to v1.23.0 by @tatsuhiro-t in #1164
Bump boringssl by @tatsuhiro-t in #1165
Bump picotls by @tatsuhiro-t in #1166
Switch to distroless/base-nossl by @tatsuhiro-t in #1167
Remove debug printf by @tatsuhiro-t in #1168
Add padding to at most 1200 bytes by @tatsuhiro-t in #1169
Add ngtcp2_ppe padding tests by @tatsuhiro-t in #1170

SSH3 0.1.7 test package added

Fast and secure SSH3 (shell over HTTP/3) 0.1.7 test packages (ssh3 client and ssh3-server) added to EL8 testing repo for aarch64 and x86_64.

Please note that name change discussion is in progress (to sshh / shs / soh3 etc).

Project page: https://github.com/francoismichel/ssh3/

These packages also can be installed to EL9 and Fedora. At the build time, Golang 1.21 is a hard requirement and only 1.20 is easily available on AlmaLinux 9 at this time.

x86_64:

https://repo.codeit.guru/packages/testing/8/x86_64/ssh3-0.1.7-1.codeit.el8.x86_64.rpm

https://repo.codeit.guru/packages/testing/8/x86_64/ssh3-server-0.1.7-1.codeit.el8.x86_64.rpm

aarch64:

https://repo.codeit.guru/packages/testing/8/aarch64/ssh3-0.1.7-1.codeit.el8.aarch64.rpm

https://repo.codeit.guru/packages/testing/8/aarch64/ssh3-server-0.1.7-1.codeit.el8.aarch64.rpm

nghttp2 1.60.0 released

nghttp2 1.60.0 rpms released and added to all supported platforms

makerelease.sh: Speed up git submodule by @tatsuhiro-t in #2043
Speed up git clone by @tatsuhiro-t in #2044
build(deps): bump actions/cache from 3 to 4 by @dependabot in #2046
Fixing the build and install trees by @anthonyalayo in #2051
build(deps): bump microsoft/setup-msbuild from 1 to 2 by @dependabot in #2052
nghttpx: Set ocsp response to SSL in case of boringssl by @tatsuhiro-t in #2055
Run with python3 by @tatsuhiro-t in #2054
src: Certificate Compression with boringssl by @tatsuhiro-t in #2056
Fix missing newline by @tatsuhiro-t in #2057
Switch to aws lc by @tatsuhiro-t in #2058
Libbrotli fixup by @tatsuhiro-t in #2059
Deprecate RFC 7540 priorities (aka stream dependencies) by @tatsuhiro-t in #2060
Let dependabot manage go modules by @tatsuhiro-t in #2061
build(deps): bump golang.org/x/net from 0.20.0 to 0.21.0 by @dependabot in #2062
integration-tests: Omit unused parameters by @tatsuhiro-t in #2065
Munit by @tatsuhiro-t in #2064
Introduce nghttp2_ssize API by @tatsuhiro-t in #2066
Move deprecated warning upfront by @tatsuhiro-t in #2067
Describe RFC 7540 priorities deprecation plan by @tatsuhiro-t in #2068
Apps migrate nghttp2 ssize by @tatsuhiro-t in #2069
src: Remove unused functions by @tatsuhiro-t in #2070
Reconsider ssize t usage in src by @tatsuhiro-t in #2071
Use GitHub private vulnerability reporting by @tatsuhiro-t in #2072
Move security policy to GitHub standard location by @tatsuhiro-t in #2073
Bump mruby to 3.3.0 by @tatsuhiro-t in #2074
Bump llhttp to 48588093ca4219b5f689acfc9ebea9e4c8c37663 by @tatsuhiro-t in #2075
h2load: Add —sni option by @tatsuhiro-t in #2076
Bump ngtcp2 dependencies by @tatsuhiro-t in #2077
mruby: Adopt deprecation of mrbc_ prefix by @tatsuhiro-t in #2078
neverbleed: Define _GNU_SOURCE for pthread_setaffinity_np by @tatsuhiro-t in #2079
bpf: Pre-expand aes key by @tatsuhiro-t in #2080
mruby: Exclude mrdb gem which causes nghttpx to crash by @tatsuhiro-t in #2081
nghttpx: Reuse EVP_CIPHER_CTX for QUIC connection ID encryption by @tatsuhiro-t in #2082
Run apt-get update before install by @tatsuhiro-t in #2083
src: Deal with the case that send_quantum < max_udp_payload_size by @tatsuhiro-t in #2084
nghttpx: Remove SHRPX_QUIC_MAX_UDP_PAYLOAD_SIZE by @tatsuhiro-t in #2085
Fix build when AI_NUMERICSERV is undefined by @barracuda156 in #2086

NGINX 1.25.4 Mainline with Brotli, TLS 1.3, OpenSSL 3.0.13, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9

NGINX 1.25.4 mainline with HTTP/3 support added to EL7, EL8, EL9 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using OpenSSL+QUIC 3.0.12.

Major changes:

  • fixes for vulnerabilities in HTTP/3 (CVE-2024-24989, CVE-2024-24990)

RHEL 7 / CentOS 7:

yum upgrade -y codeit-repo-release
yum-config-manager --enable CodeIT-mainline --save
yum install nginx

RHEL 8-9 / Alma Linux 8-9 / Rocky Linux 8-9 / CentOS 8-9 / Other EL8/EL9 repos are modular now.
To install nginx with HTTP/3 support, you need to enable the appropriate stream:

dnf module reset -y nginx
dnf module enable -y nginx:codeit-mainline
dnf install nginx

We build OpenSSL+QUIC 3.0 separately since v1.21.6, installing it separately to /lib64 with .so.81.3 suffix to ensure it won’t interfere with your system libraries.

Exerimental HTTP/3 support added in NGINX 1.25.0 Mainline. We build it with the corresponding module (—with-http_v3_module).

nghttp3 1.2.0, ngtcp2 1.3.0 released

nghttp3 1.2.0, ngtcp2 1.3.0 rpms released and added to all supported platforms

nghttp3 1.2.0:

Clarify the behavior when a stream is not found by @tatsuhiro-t in #181
Fix typo by @tatsuhiro-t in #183
cmake: restore ENABLE_STATIC_CRT and ENABLE_ASAN options by @vszakats in #184
Migrate to munit form cunit by @tatsuhiro-t in #187
Pull sfparse via git submodule by @tatsuhiro-t in #188
Update .gitignore by @tatsuhiro-t in #190
Update git submodule by @tatsuhiro-t in #189
Add nghttp3_conn_update_ack_offset by @tatsuhiro-t in #191
Add include path to munit directory by @tatsuhiro-t in #192
Bump munit by @tatsuhiro-t in #193
Shrink nghttp3_stream size by @tatsuhiro-t in #194
Fix typo by @tatsuhiro-t in #195
Bump munit by @tatsuhiro-t in #196
Bump submodules by @tatsuhiro-t in #198

ngtcp2 1.3.0:

Do not run docker-build on tag by @tatsuhiro-t in #1085
Speed up git clone by @tatsuhiro-t in #1086
Use cmake -B consistently by @tatsuhiro-t in #1087
Bump actions/cache from 3 to 4 by @dependabot in #1088
Optimize STOP_SENDING by @tatsuhiro-t in #1089
Fix retransmit frames on stream by @tatsuhiro-t in #1090
Set NGTCP2_STRM_FLAG_RESET_STREAM when RESET_STREAM is sent by @tatsuhiro-t in #1091
Add helper functions to encode/decode zero length transport parameter by @tatsuhiro-t in #1092
Verify decoding truncated frames by @tatsuhiro-t in #1093
Use typed frame type rather than ngtcp2_frame by @tatsuhiro-t in #1094
Verify decoding truncated packet headers by @tatsuhiro-t in #1095
Open a remote stream if RESET_STREAM is received by @tatsuhiro-t in #1096
nghttp3 now requires git submodule by @tatsuhiro-t in #1098
Migrate to munit from cunit by @tatsuhiro-t in #1099
Rewrite ngtcp2_cbrt by @tatsuhiro-t in #1100
Add missing munit header file to HFILES by @tatsuhiro-t in #1101
Bump munit by @tatsuhiro-t in #1102
Fix typo by @tatsuhiro-t in #1103
Bump microsoft/setup-msbuild from 1 to 2 by @dependabot in #1104
Remove pthread from BORINGSSL_LIBS by @tatsuhiro-t in #1105
boringssl: Add certificate compression by @tatsuhiro-t in #1106
Rewrite hexdump by @tatsuhiro-t in #1107
hexdump: Add an extra whitespace after address by @tatsuhiro-t in #1108
hexdump: Fix the last address is not shown by @tatsuhiro-t in #1110
examples: Add include in GnuTLS example by @atlesn in #1111
Use assert_stdsv_equal and print title by @tatsuhiro-t in #1112
examples: Minor fixup by @tatsuhiro-t in #1113
Bump aws-lc to v1.21.0 by @tatsuhiro-t in #1115
Add security policy by @tatsuhiro-t in #1116
Bump boringssl by @tatsuhiro-t in #1117
Bump openssl by @tatsuhiro-t in #1119
examples: Fix operator precedence error by @tatsuhiro-t in #1120
Bump munit by @tatsuhiro-t in #1121