Red Hat Enterprise Linux 7.4 has just been released, and with it, a much-awaited (at least by me) update to OpenSSL, bringing it to version 1.0.2k.
openssl rebased to version 1.0.2k
The openssl package has been updated to upstream version 1.0.2k, which provides a number of enhancements, new features, and bug fixes, including:
– Added support for the Datagram Transport Layer Security TLS (DTLS) protocol version 1.2.
– Added support for the automatic elliptic curve selection for the ECDHE key exchange in TLS.
– Added support for the Application-Layer Protocol Negotiation (ALPN).
– Added Cryptographic Message Syntax (CMS) support for the following schemes: RSA-PSS, RSA-OAEP, ECDH, and X9.42 DH.
Note that this version is compatible with the API and ABI in the OpenSSL library version in previous releases of Red Hat Enterprise Linux 7.
That third bullet (the one highlighted in bold in the release notes)? That’s the good part: added support for the Application-Layer Protocol Negotiation (ALPN).
You might remember that more than a year ago, Chrome disabled support for NPN and only allowed ALPN. As a direct result, HTTP/2 became impossible on RHEL or CentOS systems, because the OpenSSL they shipped didn’t support ALPN. You could run Nginx in a Docker container to get a more up-to-date OpenSSL version, but for many, that’s too hard or too much effort.
Now with this RHEL 7.4 update – and the CentOS 7.4 release that’ll be out in a few days – you no longer need Docker and you can enable HTTP/2 in Nginx again for both Firefox & Chrome users.
server {
    listen 443 ssl http2;
    server_name your.fqdn.tld;
    ...
I’m very happy with this update as it – finally – brings a more recent OpenSSL version to RHEL & CentOS, removing the need for hacks/workarounds just for the sake of HTTP/2.
If you’re a CentOS user, wait a couple of days for the packages to be built and update to CentOS 7.4. If you’re a RHEL user: go forth and upgrade to 7.4!
Update #1: requires Nginx package update, too
See update #2 below: packages are now available.
The good news: CentOS 7.4 is out and with it an updated OpenSSL package!
The ‘bad’ news: Nginx is compiled against OpenSSL 1.0.1, both in the official Nginx RPMs and in the EPEL ones. So even if you update OpenSSL, the Nginx binary still reports an older OpenSSL release.
$ nginx -V
nginx version: nginx/1.13.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
...
Built with OpenSSL 1.0.1e.
Now we wait for an update from EPEL and the Nginx repo to compile Nginx against the latest OpenSSL release. Until then, HTTP/2 is still broken for ALPN in Chrome.
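Since the whole point of the upgrade is ALPN, it helps to have a repeatable check rather than eyeballing `nginx -V`. The script below is an added example, not part of the original post: it parses the `built with OpenSSL ...` line of `nginx -V` output, requires at least OpenSSL 1.0.2 (the first release with ALPN support), and checks `openssl s_client -alpn h2` output for a negotiated `h2` protocol. The sample outputs embedded in it are constructed for the demo (the 1.0.1e one mirrors the output shown above); `check_live` and the host name it takes are hypothetical helpers you would point at your own server.

```shell
#!/bin/sh
# Added example, not from the original post or the nginx project.
# Verifies the two things that must line up for HTTP/2 in Chrome on RHEL/CentOS 7.4:
#   1. nginx is built against OpenSSL >= 1.0.2 (ALPN support arrived in 1.0.2)
#   2. the server actually negotiates "h2" via ALPN when asked

# Constructed samples of `nginx -V` output (nginx prints this on stderr).
SAMPLE_OLD='nginx version: nginx/1.13.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013'
SAMPLE_NEW='nginx version: nginx/1.13.6
built with OpenSSL 1.0.2k-fips 26 Jan 2017
running with OpenSSL 1.0.2k-fips 26 Jan 2017'

# Constructed samples of `openssl s_client -alpn h2` output.
SAMPLE_ALPN_OK='SSL-Session:
    Protocol  : TLSv1.2
ALPN protocol: h2'
SAMPLE_ALPN_NONE='SSL-Session:
    Protocol  : TLSv1.2
No ALPN negotiated'

# Print the OpenSSL version nginx was *built with*, read from `nginx -V` text on stdin.
# "1.0.1e-fips 11 Feb 2013" -> "1.0.1e"; prints nothing if the line is absent.
nginx_openssl_version() {
    sed -n 's/.*built with OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1
}

# Return 0 if an OpenSSL version string (e.g. 1.0.2k, 1.1.0h, 3.0.7) is >= 1.0.2.
openssl_supports_alpn() {
    [ -n "$1" ] || return 1
    v=$(printf '%s' "$1" | sed 's/[a-z]*$//')   # drop the letter suffix: 1.0.2k -> 1.0.2
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}                            # tolerate a fourth component
    n=$((major * 10000 + minor * 100 + patch))   # 1.0.2 -> 10002
    [ "$n" -ge 10002 ]
}

# Return 0 if `openssl s_client -alpn h2` output on stdin shows h2 was negotiated.
alpn_negotiated_h2() {
    grep -q '^ALPN protocol: h2$'
}

# Hypothetical live check against a real host: build-time OpenSSL version plus a
# real ALPN handshake. Only run when a host is given, so the script works offline.
check_live() {
    host=$1
    built=$(nginx -V 2>&1 | nginx_openssl_version)
    if openssl_supports_alpn "$built"; then
        echo "nginx built with OpenSSL $built: ALPN capable"
    else
        echo "nginx built with OpenSSL ${built:-unknown}: needs a rebuild against >= 1.0.2"
    fi
    if openssl s_client -alpn h2 -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | alpn_negotiated_h2; then
        echo "$host negotiates h2 via ALPN"
    else
        echo "$host did not negotiate h2 (HTTP/2 will not work in Chrome)"
    fi
}

# Offline demo on the constructed samples.
for s in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    ver=$(printf '%s\n' "$s" | nginx_openssl_version)
    if openssl_supports_alpn "$ver"; then
        echo "OpenSSL $ver: ALPN supported"
    else
        echo "OpenSSL $ver: no ALPN, HTTP/2 broken for Chrome"
    fi
done
if [ "$#" -gt 0 ]; then
    check_live "$1"
fi
```

Run it with no arguments to see the two sample verdicts, or with a host name to run the live check (it needs `nginx` and `openssl` in `PATH`); the version comparison is numeric on major/minor/patch, so it keeps working for the 1.1.x and 3.x series as well.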
Update #2: updated Nginx packages are available
Good news! The nginx mainline repository has new packages built against the latest openssl. Update now to get all the HTTP/2 joy. ;-)
$ yum update nginx
...
===============================================================================
 Package          Arch      Version                   Repository        Size
===============================================================================
Updating:
 nginx            x86_64    1:1.13.6-1.el7_4.ngx      nginx-mainline    723 k
Updating for dependencies:
 openssl          x86_64    1:1.0.2k-8.el7            base              492 k
 openssl-devel    x86_64    1:1.0.2k-8.el7            base              1.5 M
 openssl-libs     x86_64    1:1.0.2k-8.el7            base              1.2 M

Transaction Summary
===============================================================================
Upgrade  1 Package (+3 Dependent packages)
Go HTTP/2!