RHEL & CentOS 7.4 restores HTTP/2 functionality on Nginx



Mattias Geniar, August 01, 2017


Red Hat Enterprise Linux 7.4 has just been released, and with it, a much-awaited (at least by me) update to OpenSSL, bringing it to version 1.0.2k.

openssl rebased to version 1.0.2k

The openssl package has been updated to upstream version 1.0.2k, which provides a number of enhancements, new features, and bug fixes, including:

– Added support for the Datagram Transport Layer Security TLS (DTLS) protocol version 1.2.

– Added support for the automatic elliptic curve selection for the ECDHE key exchange in TLS.

– Added support for the Application-Layer Protocol Negotiation (ALPN).

– Added Cryptographic Message Syntax (CMS) support for the following schemes: RSA-PSS, RSA-OAEP, ECDH, and X9.42 DH.

Note that this version is compatible with the API and ABI in the OpenSSL library version in previous releases of Red Hat Enterprise Linux 7.

Security updates in RHEL 7.4

That bold text? That’s the good part: added support for the Application-Layer Protocol Negotiation (ALPN).

You might remember that more than a year ago, Chrome disabled support for NPN and only allowed ALPN. As a direct result, HTTP/2 became impossible on RHEL or CentOS systems, because it didn’t support ALPN. You could run Nginx in a Docker container to get a more up-to-date OpenSSL version, but for many, that’s too hard or too much effort.

Now with this RHEL 7.4 update – and the CentOS 7.4 release that’ll be out in a few days – you no longer need Docker and you can enable HTTP/2 in Nginx again for both Firefox & Chrome users.

server {
  listen        443 ssl http2;   # http2 on a TLS listener is negotiated via ALPN
  server_name   your.fqdn.tld;
  ...
}

I’m very happy with this update as it – finally – brings a more recent OpenSSL version to RHEL & CentOS, removing the need for hacks/workarounds just for the sake of HTTP/2.

If you’re a CentOS user, wait a couple of days for the packages to be built and update to CentOS 7.4. If you’re a RHEL user: go forth and upgrade to 7.4!

Update #1: requires Nginx package update, too

See update #2 below: packages are now available.

The good news: CentOS 7.4 is out and with it an updated OpenSSL package!

The ‘bad’ news: Nginx is compiled against OpenSSL 1.0.1, both in the RPMs from the Nginx repo and in those from EPEL. So even if you update OpenSSL, Nginx will still point to an older OpenSSL release.

$ nginx -V
nginx version: nginx/1.13.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
...

Built with OpenSSL 1.0.1e.

Now we wait for an update from EPEL and the Nginx repo to compile Nginx against the latest OpenSSL release. Until then, HTTP/2 is still broken for ALPN in Chrome.
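A small check for exactly this situation, added here as an example and not part of the original post: it pulls the OpenSSL version out of `nginx -V` output (the sample below is the one quoted above), tests whether that release is at least 1.0.2 (the first OpenSSL with ALPN), and extracts the negotiated protocol from an `openssl s_client -alpn h2` transcript. The function names are mine, and the `ALPN protocol: h2` line is a constructed sample of what s_client prints on success.

```shell
#!/bin/sh
# Sample `nginx -V` output as quoted in the post (nginx -V writes to stderr,
# so a live check would be: nginx -V 2>&1 | nginx_openssl_version).
NGINX_V_SAMPLE='nginx version: nginx/1.13.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled'

# Constructed sample of the relevant s_client line after a successful h2 handshake.
S_CLIENT_SAMPLE='ALPN protocol: h2'

# Print the OpenSSL version nginx was built against (e.g. 1.0.1e), read from stdin.
nginx_openssl_version() {
  sed -n 's/^built with OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1
}

# Return 0 if an OpenSSL version string (1.0.1e, 1.0.2k, 1.1.0f, ...) is >= 1.0.2,
# the first release that supports ALPN; return 1 otherwise.
openssl_has_alpn() {
  ver=$1
  major=$(printf '%s' "$ver" | cut -d. -f1)
  minor=$(printf '%s' "$ver" | cut -d. -f2)
  patch=$(printf '%s' "$ver" | cut -d. -f3 | tr -d 'a-z')   # strip letter suffix
  [ "$major" -gt 1 ] && return 0
  [ "$major" -eq 1 ] && [ "$minor" -gt 0 ] && return 0
  [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "$patch" -ge 2 ] && return 0
  return 1
}

# Print the protocol negotiated via ALPN from `openssl s_client -alpn h2` output
# on stdin; prints nothing when s_client reported "No ALPN negotiated".
alpn_negotiated() {
  sed -n 's/^ALPN protocol: \(.*\)$/\1/p' | head -n 1
}

# Demonstration on the samples above.
built=$(printf '%s\n' "$NGINX_V_SAMPLE" | nginx_openssl_version)
if openssl_has_alpn "$built"; then
  echo "nginx built with OpenSSL $built: ALPN available, http2 can work"
else
  echo "nginx built with OpenSSL $built: no ALPN, wait for a rebuilt nginx package"
fi
echo "negotiated: $(printf '%s\n' "$S_CLIENT_SAMPLE" | alpn_negotiated)"
```

On a live host, feed `nginx -V 2>&1` to the first function and `openssl s_client -alpn h2 -connect your.fqdn.tld:443 </dev/null 2>/dev/null` to the last one.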

Update #2: updated Nginx packages are available

Good news! The nginx mainline repository has new packages built against the latest openssl. Update now to get all the HTTP/2 joy. ;-)

$ yum update nginx
...
===============================================================================
 Package          Arch      Version                   Repository         Size
===============================================================================
Updating:
 nginx            x86_64    1:1.13.6-1.el7_4.ngx      nginx-mainline    723 k
Updating for dependencies:
 openssl          x86_64    1:1.0.2k-8.el7            base              492 k
 openssl-devel    x86_64    1:1.0.2k-8.el7            base              1.5 M
 openssl-libs     x86_64    1:1.0.2k-8.el7            base              1.2 M

Transaction Summary
===============================================================================
Upgrade  1 Package (+3 Dependent packages)

Go HTTP/2!
