Nginx HTTP/2 module (ALPN) TLS on RHEL 7.*

Dewangga Bachrul Alam dewanggaba at xtremenitro.org
Mon Sep 28 17:39:44 UTC 2015


Like this?

nginx version: nginx/1.9.5
built by gcc 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC)
built with OpenSSL 1.0.2d-fips 9 Jul 2015
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx
--conf-path=/etc/nginx/nginx.conf
--error-log-path=/var/log/nginx/error.log
--http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid
--lock-path=/var/run/nginx.lock
--http-client-body-temp-path=/var/cache/nginx/client_temp
--http-proxy-temp-path=/var/cache/nginx/proxy_temp
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
--http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx
--group=nginx --with-http_ssl_module --with-http_realip_module
--with-http_addition_module --with-http_sub_module
--with-http_dav_module --with-http_flv_module --with-http_mp4_module
--with-http_gunzip_module --with-http_v2_module
--with-http_image_filter_module --with-http_gzip_static_module
--with-http_random_index_module --with-http_secure_link_module
--with-http_stub_status_module --with-mail --with-mail_ssl_module
--with-file-aio --with-ipv6 --with-cc-opt='-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
--param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic'

Then how to test if I am already using ALPN? :)

On 09/28/2015 10:15 PM, rikske at deds.nl wrote:
> Hi,
> 
> So what you're saying.
> 
> Nginx HTTP/2 module won't work on RHEL 7.1 with (ALPN) TLS,
> until you are using OpenSSL version 1.0.2 on RHEL 7.1 in any manner
> whatsoever?
> 
> Can anyone confirm this?
> 
> Thanks,
> 
> Regards,
> 
> Rik Ske
> 
>> Hello!
>>
>> On 09/28/2015 08:40 PM, rikske at deds.nl wrote:
>>> Dear,
>>>
>>> Does the Nginx HTTP/2 module work on RHEL 7.1 with (ALPN) TLS?
>>>
>>> It seems like the HTTP/2 module is enabled by default in your RHEL 7.1
>>> based rpm and srpm.
>>>
>>> Your Nginx website writes about:
>>>
>>> "Note that accepting HTTP/2 connections over TLS requires the
>>> “Application-Layer Protocol Negotiation” (ALPN) TLS extension support,
>>> which is available only since OpenSSL version 1.0.2. Using the “Next
>>> Protocol Negotiation” (NPN) TLS extension for this purpose
>>> (available since OpenSSL version 1.0.1) is not guaranteed. "
>>>
>>> RHEL 7.1 is using OpenSSL 1.0.1e with a whole bunch of patches and
>>> backports.
>>>
>>> Can't find anything in the changelog of RHEL 7.1's OpenSSL about ALPN.
>>> The only thing I can find is "Support for Application Layer Protocol
>>> Negotiation (ALPN) has been added." in RHEL's GnuTLS.
>>
>> Yes, RHEL is using openssl 1.0.1e-42. But I've compiled using openssl
>> 1.0.2d + crypto-policies under centos7, and it was successfully deployed
>> on my sandbox.
>>
>> The rpm was compiled on fedora22, and ported to el7 using mock.
>>
>> https://gitlab.com/antituhan/rpms/tree/master.
>> $ openssl version
>> OpenSSL 1.0.2d-fips 9 Jul 2015
>> $ uname -a
>> Linux <removed> 3.10.0-229.14.1.el7.x86_64 #1 SMP Tue Sep 15 15:05:51
>> UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>>
>> Enjoy.
>>
>>
>>>
>>> Thanks,
>>>
>>> Regards,
>>>
>>> Rik Ske
>>>
>>> _______________________________________________
>>> nginx mailing list
>>> nginx at nginx.org
>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screenshot from 2015-09-29 00-38-35.png
Type: image/png
Size: 61911 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20150929/f30ccb2d/attachment.png>
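
An added example, not part of the original post or of the nginx project: one way to answer the question above is to read what `openssl s_client` reports when it offers `h2` first over ALPN and then over NPN. The function names are illustrative and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example. Function names are illustrative; sample outputs are constructed.

# Read `openssl s_client` output on stdin and report which TLS extension
# selected the application protocol: "alpn:<proto>", "npn:<proto>" or "none".
classify_negotiation() {
    awk '
        /^ALPN protocol: /   { alpn = $3 }    # printed when ALPN was negotiated
        /^Next protocol: \(/ { npn = $NF }    # printed when NPN was negotiated
        END {
            if (alpn != "")     print "alpn:" alpn
            else if (npn != "") print "npn:" npn
            else                print "none"
        }'
}

# Translate the classification into what it means for HTTP/2 on the server.
verdict() {
    case "$1" in
        alpn:h2) echo "HTTP/2 negotiated via ALPN" ;;
        npn:h2)  echo "HTTP/2 via NPN only (ALPN offer was not accepted)" ;;
        *)       echo "no HTTP/2 negotiated" ;;
    esac
}

# Offer h2 over ALPN first; fall back to an NPN-only offer if nothing was selected.
probe_h2() {
    host=$1; port=${2:-443}
    for flag in -alpn -nextprotoneg; do
        r=$(openssl s_client -connect "$host:$port" -servername "$host" \
                "$flag" h2,http/1.1 </dev/null 2>/dev/null | classify_negotiation)
        [ "$r" != none ] && break
    done
    verdict "$r"
}

# Constructed s_client excerpts for offline checking (not captured output).
sample_alpn() { printf '%s\n' 'SSL handshake has read 3210 bytes' 'ALPN protocol: h2'; }
sample_npn()  { printf '%s\n' 'Next protocol: (1) h2' 'No ALPN negotiated'; }
sample_none() { printf '%s\n' 'No ALPN negotiated'; }
```

Against a live server, `probe_h2 HOST [PORT]` needs an OpenSSL 1.0.2 or later client for `-alpn`; client builds without NPN support reject `-nextprotoneg`, in which case the second pass reports `none`.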

