Red Hat Enterprise Linux 7.4 has just been released, and with it, a much-awaited (at least by me) update to OpenSSL, bringing it to version 1.0.2k.
openssl rebased to version 1.0.2k
The openssl package has been updated to upstream version 1.0.2k, which provides a number of enhancements, new features, and bug fixes, including:
-- Added support for the Datagram Transport Layer Security TLS (DTLS) protocol version 1.2.
-- Added support for the automatic elliptic curve selection for the ECDHE key exchange in TLS.
-- Added support for the Application-Layer Protocol Negotiation (ALPN).
-- Added Cryptographic Message Syntax (CMS) support for the following schemes: RSA-PSS, RSA-OAEP, ECDH, and X9.42 DH.
Note that this version is compatible with the API and ABI in the OpenSSL library version in previous releases of Red Hat Enterprise Linux 7.
Security updates in RHEL 7.4
That bold text? That's the good part: added support for the Application-Layer Protocol Negotiation (ALPN).
You might remember that more than a year ago, Chrome disabled support for NPN and only allowed ALPN. As a direct result, HTTP/2 became impossible on RHEL or CentOS systems, because their system OpenSSL (1.0.1) didn't support ALPN. You could run Nginx in a Docker container to get a more up-to-date OpenSSL version, but for many, that's too hard or too much effort.
Now with this RHEL 7.4 update -- and the CentOS 7.4 release that'll be out in a few days -- you no longer need Docker and you can enable HTTP/2 in Nginx again for both Firefox & Chrome users.
server {
    listen 443 ssl http2;
    server_name your.fqdn.tld;
    ...
}
I'm very happy with this update as it -- finally -- brings a more recent OpenSSL version to RHEL & CentOS, removing the need for hacks/workarounds just for the sake of HTTP/2.
If you're a CentOS user, wait a couple of days for the packages to be built and update to CentOS 7.4. If you're a RHEL user: go forth and upgrade to 7.4!
Update #1: requires Nginx package update, too
See update #2 below: packages are now available.
The good news: CentOS 7.4 is out and with it an updated OpenSSL package!
The 'bad' news: Nginx is compiled against OpenSSL 1.0.1, both in the Nginx RPMs and in EPEL. So even after you update OpenSSL, nginx still reports the older OpenSSL release it was built against.
$ nginx -V
nginx version: nginx/1.13.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
...
Built with OpenSSL 1.0.1e.
Now we wait for an update from EPEL and the Nginx repo to compile Nginx against the latest OpenSSL release. Until then, HTTP/2 is still broken for ALPN in Chrome.
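As an added example (not from the original post, and not Red Hat's or nginx's own tooling), here is a small POSIX shell helper that automates the two checks this post relies on: whether the nginx binary was built against an OpenSSL release that has ALPN (1.0.2 or later), read from `nginx -V`, and whether a server actually selects `h2` over ALPN, read from `openssl s_client -alpn h2`. The sample outputs embedded in the script are constructed from the output quoted above; the function names and the `your.fqdn.tld` placeholder are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that nginx can offer
# HTTP/2 over ALPN. Two checks are needed, because ALPN support in nginx is
# decided at compile time from the OpenSSL headers it was built against, not
# from the library present at run time.

# 1. Take `nginx -V` output on stdin and print the numeric part of the
#    "built with OpenSSL ..." line, e.g. "1.0.1" for "1.0.1e-fips".
nginx_builtin_openssl() {
    sed -n 's/^built with OpenSSL \([0-9][0-9.]*[0-9]\).*/\1/p' | head -n 1
}

# 2. Succeed (exit 0) when the version given as $1 is 1.0.2 or later, the
#    first OpenSSL release that implements ALPN. Missing minor/patch parts
#    are treated as 0, so "1.1" is accepted and "1.0" is not.
openssl_supports_alpn() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#"$major"}; rest=${rest#.}
    minor=${rest%%.*}
    rest=${rest#"$minor"}; rest=${rest#.}
    patch=${rest%%.*}
    : "${major:=0}" "${minor:=0}" "${patch:=0}"
    [ $((major * 10000 + minor * 100 + patch)) -ge 10002 ]
}

# 3. Take `openssl s_client -alpn h2 -connect host:443` output on stdin and
#    print the protocol the server selected ("h2"), or "none" when s_client
#    reported "No ALPN negotiated".
alpn_negotiated() {
    proto=$(sed -n 's/^ALPN protocol: \(.*\)$/\1/p' | head -n 1)
    if [ -n "$proto" ]; then printf '%s\n' "$proto"; else printf 'none\n'; fi
}

# Constructed sample inputs, copied from the outputs quoted in the post, so the
# script can be exercised on a machine without nginx or a TLS endpoint.
SAMPLE_NGINX_V='nginx version: nginx/1.13.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013'
SAMPLE_S_CLIENT='No ALPN negotiated
---'

# Check the local binary if there is one, otherwise fall back to the sample.
# nginx -V writes to stderr, hence the 2>&1.
if command -v nginx >/dev/null 2>&1; then
    ver=$(nginx -V 2>&1 | nginx_builtin_openssl)
else
    ver=$(printf '%s\n' "$SAMPLE_NGINX_V" | nginx_builtin_openssl)
fi
if openssl_supports_alpn "$ver"; then
    echo "nginx built with OpenSSL $ver: ALPN (and HTTP/2 in Chrome) available"
else
    echo "nginx built with OpenSSL $ver: no ALPN; rebuild nginx against 1.0.2+"
fi

# To probe a live server instead of the sample, replace the printf with:
#   openssl s_client -alpn h2 -connect your.fqdn.tld:443 </dev/null 2>/dev/null
echo "ALPN result: $(printf '%s\n' "$SAMPLE_S_CLIENT" | alpn_negotiated)"
```

The first check is the one that matters on RHEL/CentOS 7.4: the updated `openssl-libs` package is ABI compatible with 1.0.1, so an nginx built against 1.0.1e loads 1.0.2k fine at run time, but the ALPN callbacks were never compiled in, so Chrome still gets no `h2`. The second check is what to run after the package update to confirm the fix from the client side.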
Update #2: updated Nginx packages are available
Good news! The nginx mainline repository has new packages built against the latest openssl. Update now to get all the HTTP/2 joy. ;-)
$ yum update nginx
...
===============================================================================
 Package          Arch      Version                    Repository       Size
===============================================================================
Updating:
 nginx            x86_64    1:1.13.6-1.el7_4.ngx       nginx-mainline   723 k
Updating for dependencies:
 openssl          x86_64    1:1.0.2k-8.el7             base             492 k
 openssl-devel    x86_64    1:1.0.2k-8.el7             base             1.5 M
 openssl-libs     x86_64    1:1.0.2k-8.el7             base             1.2 M

Transaction Summary
===============================================================================
Upgrade  1 Package (+3 Dependent packages)
Go HTTP/2!
Comments
Erorus Tuesday, August 1, 2017 at 23:21 -
“As a direct result, HTTP/2 became impossible on RHEL or CentOS systems, because it didn’t support ALPN. You could run Nginx in a Docker container to get a more up-to-date OpenSSL version, but for many, that’s too hard or too much effort.”
I still don’t know why you ignore this simple procedure:
1) download latest nginx source
2) download appropriate latest openssl source
3) run nginx’s configure, pointing at openssl source you just downloaded
4) make && make install
Far from “impossible.” If you want to add/remove specific nginx modules (e.g. brotli) you’ll want to get familiar with this pattern anyway.
$ nginx -V
nginx version: nginx/1.12.0
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC)
built with OpenSSL 1.0.2k 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_gunzip_module --with-http_gzip_static_module --with-threads --with-file-aio --with-http_v2_module --with-http_stub_status_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --with-openssl=../openssl-1.0.2k --add-module=../ngx_brotli
svennd Thursday, August 3, 2017 at 09:57 -
And you redo that procedure for every update and patch released? Most people like to use repos and focus on other tasks.
I'm very happy with this, as it looked like we were going to have to wait for http/2 until rhel 8 at some point.
John C. Wednesday, August 2, 2017 at 10:10 -
RHEL are deliberately weakening crypto to help out their NSA buddies. This is not the first time they've done something very suspect like this.
PaulB Thursday, September 14, 2017 at 11:42 -
Unfortunately, this is incorrect. You still have to compile nginx from source for HTTP2 or get it from a third party repo. The nginx version in epel is compiled against openssl 1.0.1e.
[root@c7-jump-box /etc]# nginx -V
nginx version: nginx/1.10.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
Despite openssl 1.02 being installed
[root@c7-jump-box /etc]# rpm -q openssl
openssl-1.0.2k-8.el7.x86_64
Before we get HTTP2 support back we need to wait for epel to offer an nginx version compiled against 1.02. The same applies to RH Software collections.
Chris Hills Friday, September 15, 2017 at 08:34 -
I have been using the brouken repo for nginx with http/2 in centos up to now. It has openssl statically linked in for alpn. I will probably switch back to the stock package now.
Keddy Saturday, September 16, 2017 at 01:20 -
Just updated to 7.4 and yea…. EPEL did not update nginx with OpenSSL 1.0.2. So no HTTP2 for you…
Mike Sunday, September 17, 2017 at 17:21 -
Q: “RedHat released yesterday (September 14) CentOS 7.4, which includes version 1.0.2 of OpenSSL.
Now all it takes is the Nginx RPM to be compiled with the latest version of OpenSSL to work with ALPN.”
A: “Next nginx release will have a rpm built specifically for CentOS/RHEL 7.4, but hopefully we’ll also provide current stable and mainline a bit sooner.”
https://forum.nginx.org/read.php?2,276398,276399