NGINX 1.25.4 Mainline with Brotli, TLS 1.3, OpenSSL 3.0.13, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9

NGINX 1.25.4 mainline with HTTP/3 support added to EL7, EL8, EL9 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using OpenSSL+QUIC 3.0.12.

Major changes:

  • fixes for vulnerabilities in HTTP/3 (CVE-2024-24989, CVE-2024-24990)

RHEL 7 / CentOS 7:

yum upgrade -y codeit-repo-release
yum-config-manager --enable CodeIT-mainline --save
yum install nginx

RHEL 8-9 / Alma Linux 8-9 / Rocky Linux 8-9 / CentOS 8-9 / Other EL8/EL9 repos are modular now.
To install nginx with HTTP/3 support, you need to enable the appropriate stream:

dnf module reset -y nginx
dnf module enable -y nginx:codeit-mainline
dnf install nginx

We build OpenSSL+QUIC 3.0 separately since v1.21.6, installing it separately to /lib64 with .so.81.3 suffix to ensure it won’t interfere with your system libraries.

Exerimental HTTP/3 support added in NGINX 1.25.0 Mainline. We build it with the corresponding module (—with-http_v3_module).

nghttp3 1.2.0, ngtcp2 1.3.0 released

nghttp3 1.2.0, ngtcp2 1.3.0 rpms released and added to all supported platforms

nghttp3 1.2.0:

Clarify the behavior when a stream is not found by @tatsuhiro-t in #181
Fix typo by @tatsuhiro-t in #183
cmake: restore ENABLE_STATIC_CRT and ENABLE_ASAN options by @vszakats in #184
Migrate to munit form cunit by @tatsuhiro-t in #187
Pull sfparse via git submodule by @tatsuhiro-t in #188
Update .gitignore by @tatsuhiro-t in #190
Update git submodule by @tatsuhiro-t in #189
Add nghttp3_conn_update_ack_offset by @tatsuhiro-t in #191
Add include path to munit directory by @tatsuhiro-t in #192
Bump munit by @tatsuhiro-t in #193
Shrink nghttp3_stream size by @tatsuhiro-t in #194
Fix typo by @tatsuhiro-t in #195
Bump munit by @tatsuhiro-t in #196
Bump submodules by @tatsuhiro-t in #198

ngtcp2 1.3.0:

Do not run docker-build on tag by @tatsuhiro-t in #1085
Speed up git clone by @tatsuhiro-t in #1086
Use cmake -B consistently by @tatsuhiro-t in #1087
Bump actions/cache from 3 to 4 by @dependabot in #1088
Optimize STOP_SENDING by @tatsuhiro-t in #1089
Fix retransmit frames on stream by @tatsuhiro-t in #1090
Set NGTCP2_STRM_FLAG_RESET_STREAM when RESET_STREAM is sent by @tatsuhiro-t in #1091
Add helper functions to encode/decode zero length transport parameter by @tatsuhiro-t in #1092
Verify decoding truncated frames by @tatsuhiro-t in #1093
Use typed frame type rather than ngtcp2_frame by @tatsuhiro-t in #1094
Verify decoding truncated packet headers by @tatsuhiro-t in #1095
Open a remote stream if RESET_STREAM is received by @tatsuhiro-t in #1096
nghttp3 now requires git submodule by @tatsuhiro-t in #1098
Migrate to munit from cunit by @tatsuhiro-t in #1099
Rewrite ngtcp2_cbrt by @tatsuhiro-t in #1100
Add missing munit header file to HFILES by @tatsuhiro-t in #1101
Bump munit by @tatsuhiro-t in #1102
Fix typo by @tatsuhiro-t in #1103
Bump microsoft/setup-msbuild from 1 to 2 by @dependabot in #1104
Remove pthread from BORINGSSL_LIBS by @tatsuhiro-t in #1105
boringssl: Add certificate compression by @tatsuhiro-t in #1106
Rewrite hexdump by @tatsuhiro-t in #1107
hexdump: Add an extra whitespace after address by @tatsuhiro-t in #1108
hexdump: Fix the last address is not shown by @tatsuhiro-t in #1110
examples: Add include in GnuTLS example by @atlesn in #1111
Use assert_stdsv_equal and print title by @tatsuhiro-t in #1112
examples: Minor fixup by @tatsuhiro-t in #1113
Bump aws-lc to v1.21.0 by @tatsuhiro-t in #1115
Add security policy by @tatsuhiro-t in #1116
Bump boringssl by @tatsuhiro-t in #1117
Bump openssl by @tatsuhiro-t in #1119
examples: Fix operator precedence error by @tatsuhiro-t in #1120
Bump munit by @tatsuhiro-t in #1121

mc 4.8.31 released

mc 4.8.31 rpms released and added to all supported platforms

Core

  • Minimal version of GLib is 2.32.0.

VFS

  • fish: drop support of native FISH server and protocol. Rename VFS to shell
  • extfs;
    • uc1541 extfs: update up to 3.6 version
    • s3+: port to Python3
  • Support for LZO/LZOP compression format

Misc

  • Skins: add color for non-printable characters in editor

Fixes

  • FTBFS on FreeBSD with ext2fs attribute support 
  • Broken stickchars (-a) mode 
  • Wrong timestamp after resuming of file copy operation 
  • Editor: wrong deletion of marked column
  • Diff viewer: segfault when display of line numbers is enabled
  • Tar VFS: broken handling of hard links
  • Sftp VFS: failure establishing SSH session due hashed host names in ~/.ssh/known_hosts 
  • Shell VFS: incorrect file names with cyrillic or diacritic symbols
  • mc.ext.ini: incorrect description of of how multiple sections and keys with same names are processed
  • mc.ext.ini: unescaped backslash \ is treated as invalid escape sequence in glib-2.77.3 and glib-2.79 
  • mc.ext.ini: file «Makefile.zip» is handled as Makefile not as zip-arhive

ngtcp2 1.2.0, nghttp2 1.59.0 released

ngtcp2 1.2.0, nghttp2 1.59.0 rpms released and added to all supported platforms

ngtcp2 1.2.0:
cmake: Require nghttp3 >= v1.0.0 by @tatsuhiro-t in #1026
examples: Clarify stream limits by @tatsuhiro-t in #1032
Bump actions/stale from 8 to 9 by @dependabot in #1033
Avoid detecting OpenSSL 3.2 as quictls by @tatsuhiro-t in #1035
Clarify the behavior when a stream is not found by @tatsuhiro-t in #1036
Do not recognize boringssl as quictls by @tatsuhiro-t in #1038
Bump github/codeql-action from 2 to 3 by @dependabot in #1037
docker: Switch to bsslclient and bsslserver by @tatsuhiro-t in #1039
interop: Switch to wolfssl by @tatsuhiro-t in #1040
Revert «docker: Switch to bsslclient and bsslserver» by @tatsuhiro-t in #1041
docker: Switch to wolfssl by @tatsuhiro-t in #1042
Use wolfSSL in a README example by @tatsuhiro-t in #1043
Add aws-lc as BoringSSL alternative by @tatsuhiro-t in #1044
wolfSSL: Disable deprecated signature algorithms by @tatsuhiro-t in #1046
Remove use of SSL_set_quic_transport_version by @tatsuhiro-t in #1047
examples: Build with libressl by @tatsuhiro-t in #1048
Fix zero len file by @tatsuhiro-t in #1049
Assert that _BitScanReverse64 never fail by @tatsuhiro-t in #1051
Revert «wolfSSL: Disable deprecated signature algorithms» by @tatsuhiro-t in #1052
wolfssl: Enable —enable-keylog-export by @tatsuhiro-t in #1053
h09client: Fix display ecn bits by @tatsuhiro-t in #1054
Bump wolfSSL to v5.6.6-stable by @tatsuhiro-t in #1055
ngtcp2_pkt_adjust_pkt_num: Take bytes rather than bits by @tatsuhiro-t in #1056
Initial and Handshake packets are immediately acknowledged by @tatsuhiro-t in #1057
Refactor by @tatsuhiro-t in #1058
examples: Print remote HTTP/3 settings by @tatsuhiro-t in #1059
Fix assertion failure on immediate migration by @tatsuhiro-t in #1060
Add ngtcp2_window_filter tests by @tatsuhiro-t in #1061
Fix gcc-13 warning by @tatsuhiro-t in #1062
Fix persistent congestion by @tatsuhiro-t in #1064
Port missing changes to h09server by @tatsuhiro-t in #1065
Fix typo by @tatsuhiro-t in #1066
Update docker by @tatsuhiro-t in #1067
Fix docker build-arg by @tatsuhiro-t in #1069
Revert «Send RESET_STREAM if stream is reset by client» by @tatsuhiro-t in #1071
Return early when STOP_SENDING is received more than once by @tatsuhiro-t in #1072
Do not send STOP_SENDING if RESET_STREAM has been received by @tatsuhiro-t in #1073
Update doc by @tatsuhiro-t in #1074
wolfssl: Just use QUIC v1 transport parameter codepoint by @tatsuhiro-t in #1075
wolfssl: Disable ECH by @tatsuhiro-t in #1076
Bump boringssl by @tatsuhiro-t in #1077
Bump picotls by @tatsuhiro-t in #1078
Remove sample_offset field from ngtcp2_ppe by @tatsuhiro-t in #1079
ci: Build and verify aws-lc flavored builds by @tatsuhiro-t in #1080
Update boringssl build procedure by @tatsuhiro-t in #1081
Bump aws-lc to v1.20.0 by @tatsuhiro-t in #1082
Update doc by @tatsuhiro-t in #1083

nghttp2 1.59.0:
Bump clang to 15 by @tatsuhiro-t in #1986
Bump clang format by @tatsuhiro-t in #1987
Bump quictls to 3.1.4+quic by @tatsuhiro-t in #1988
Update ax_cxx_compile_stdcxx.m4 by @tatsuhiro-t in #1989
nghttpx: Prefer FILE_NAME if defined by @tatsuhiro-t in #1990
Add API to get and parse RFC 9218 priority by @tatsuhiro-t in #1991
nghttpx: Propagate stream priority from backend to frontend by @tatsuhiro-t in #1992
Check whether CLOCK_MONOTONIC is declared by @tatsuhiro-t in #1995
Bump go packages by @tatsuhiro-t in #2001
cmake: Remove itprep target by @tatsuhiro-t in #2002
h2load: Fix IPv6 address in :authority by @tatsuhiro-t in #2000
Bump ngtcp2 and nghttp3 by @tatsuhiro-t in #2006
Bump libbpf to v1.3.0 by @tatsuhiro-t in #2007
Use nghttp3_pri_parse_priority added since nghttp3 v1.1.0 by @tatsuhiro-t in #2008
cmake: Set minimum quic package versions by @tatsuhiro-t in #2009
Use #include <windows.h> instead of #include <sysinfoapi.h> by @hrxi in #1997
build(deps): bump actions/setup-go from 4 to 5 by @dependabot in #2010
cmake: bring back ENABLE_STATIC_CRT by @bwncp in #2011
Avoid detecting OpenSSL 3.2 as quictls by @tatsuhiro-t in #2012
build(deps): bump golang.org/x/crypto from 0.15.0 to 0.17.0 by @dependabot in #2015
build(deps): bump actions/upload-artifact from 3 to 4 by @dependabot in #2014
src: Support building with aws-lc by @tatsuhiro-t in #2013
boringssl has SSL_CTX_set1_groups_list by @tatsuhiro-t in #2016
Drop old OpenSSL support by @tatsuhiro-t in #2017
Drop old OpenSSL support part 2 by @tatsuhiro-t in #2019
Remove NPN by @tatsuhiro-t in #2020
Remove end_to_end.py by @tatsuhiro-t in #2021
cmake: Require OpenSSL >= 1.1.1 by @tatsuhiro-t in #2022
nghttpx: OpenSSL needs SSL_CTX_set_recv_max_early_data by @tatsuhiro-t in #2023
App fix by @tatsuhiro-t in #2024
nghttpx: Remove a trailing whitespace by @tatsuhiro-t in #2025
H2load header ttfb fix by @tatsuhiro-t in #2026
Not finding packages when ENABLE_LIB_ONLY is set by @anthonyalayo in #2027
Have less stuff in config.h by @hrxi in #1996
Update minimum CMake version to 3.5 by @anthonyalayo in #2030
build(deps): bump github.com/quic-go/quic-go from 0.35.1 to 0.37.7 by @dependabot in #2032
Fix typo by @tatsuhiro-t in #2033
Specify DEBIAN_FRONTEND=noninteractive by @tatsuhiro-t in #2034
Revert «nghttpx: Shutdown h3 stream write if reset by a remote endpoint» by @tatsuhiro-t in #2036
ci: Add aws-lc builds by @tatsuhiro-t in #2037
Bump go modules by @tatsuhiro-t in #2038
Bump neverbleed by @tatsuhiro-t in #2039
Bump go-nghttp2 and go mod tidy by @tatsuhiro-t in #2040
Bump ngtcp2 to v1.2.0 by @tatsuhiro-t in #2041
src: Avoid copies by @tatsuhiro-t in #2042

NGINX 1.25.3 Mainline with Brotli, TLS 1.3, OpenSSL 3.0.12, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9

NGINX 1.25.3 mainline with HTTP/3 support added to EL7, EL8, EL9 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using OpenSSL+QUIC 3.0.12.

Major changes:

  • Changes and fixes in HTTP/2
  • Changes and fixes in HTTP/3

RHEL 7 / CentOS 7:

yum upgrade -y codeit-repo-release
yum-config-manager --disable CodeIT-quic --save
yum-config-manager --enable CodeIT-mainline --save

RHEL 8-9 / Alma Linux 8-9 / Rocky Linux 8-9 / CentOS 8-9 / Other EL8/EL9 repos are modular now.  To install nginx with HTTP/3 support, you need to enable the appropriate stream:

dnf module reset -y nginx
dnf module enable -y nginx:codeit-mainline

We build OpenSSL+QUIC 3.0 separately since v1.21.6, installing it separately to /lib64 with .so.81.3 suffix to ensure it won’t interfere with your system libraries.

Exerimental HTTP/3 support added in NGINX 1.25.0 Mainline. We build it with the corresponding module (—with-http_v3_module).

Apache httpd 2.4.58 with brotli support, TLS 1.3, OpenSSL 3.0.11 with http2, mod_http2 2.0.24 and ALPN for Red Hat Enterprise Linux 7/8/9, CentOS 7, Alma Linux 8/9, Rocky Linux 8/9

Apache httpd 2.4.58-1 with brotli compression library from Google, TLS 1.3, http2 (HTTP/2) support for Red Hat Enterprise Linux and CentOS 7/8, Alma Linux 8/9, Rocky Linux 8/9 added to repository. mod_http2 2.0.13 and mod_ssl are built dynamically against OpenSSL 3.0.11.

We build OpenSSL+QUIC 3.0.11 separately since v2.4.56-2, installing it separately to /lib64 with .so.81.3 suffix to ensure it won’t interfere with your system libraries. You can safely delete openssl111* packages. On EL8 and EL9 please enable httpd module:

dnf module enable httpd:codeit

Since 2.4.33 we added brotli compression library. Since 2.4.35 release we start building Apache httpd against OpenSSL 1.1.1*. Since 2.4.37 release TLS 1.3 final version (not to be confused with any draft versions) is supported and enabled by default. Please note that TLS 1.3 final version is supported in Chrome 70+ and Mozilla Firefox 63+. brotli support is already included in base RPM file. All you need is to add filters like

AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript

NGINX 1.25.2 Mainline with Brotli, TLS 1.3, OpenSSL 3.0.10, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9

NGINX 1.25.2 mainline with HTTP/3 support added to EL7, EL8, EL9 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using OpenSSL+QUIC 3.0.10.

Major changes:

  • Feature: the «http2» directive, which enables HTTP/2 on a per-server basis; the «http2» parameter of the «listen» directive is now deprecated.
  • Change: HTTP/2 server push support has been removed.
  • Change: the deprecated «ssl» directive is not supported anymore.
  • Bugfix: in HTTP/3 when using OpenSSL.

RHEL 7 / CentOS 7:

yum upgrade -y codeit-repo-release
yum-config-manager --disable CodeIT-quic --save
yum-config-manager --enable CodeIT-mainline --save

RHEL 8-9 / Alma Linux 8-9 / Rocky Linux 8-9 / CentOS 8-9 / Other EL8/EL9 repos are modular now.  To install nginx with HTTP/3 support, you need to enable the appropriate stream:

dnf module reset -y nginx
dnf module enable -y nginx:codeit-mainline

We build OpenSSL+QUIC 3.0 separately since v1.21.6, installing it separately to /lib64 with .so.81.3 suffix to ensure it won’t interfere with your system libraries.

Exerimental HTTP/3 support added in NGINX 1.25.0 Mainline. We build it with the corresponding module (—with-http_v3_module).