httpd-users mailing list archives

From Raphael Bauduin <rbli...@gmail.com>
Subject [users@httpd] Re: getting http2 working
Date Tue, 01 Dec 2015 12:53:59 GMT
On Tue, Dec 1, 2015 at 11:30 AM, Raphael Bauduin <rblists@gmail.com> wrote:

> Hi,
>
> I am upgrading an existing server to apache 2.4.17 to enable http2. It is
> running on Linux (with an older apache and openssl version installed), and
> I'm installing the new versions from source:
> This is what I have installed from source:
> http-2.4.17
> nghttp2-1.3.4
> openssl-1.0.2d
> php-5.6.15
>

The problem was due to the order in which I compiled and installed the
components.
Following a suggestion posted in the list recently, I got it working by
compiling in this order:
apr, openssl, apr-util, then finally httpd. (Did I miss it or is this not
mentioned in the doc?)

I also set the LD_LIBRARY_PATH accordingly at each step, also using the
flags --with-ssl, --with-apr and --with-apr-util when available.
In more detail, the configure step of each element:

apr: ./configure --prefix=/usr/local/stow/apr
openssl: ./config --prefix=/usr/local/stow/openssl-1.0.2d shared
apr-util: ./configure --prefix=/usr/local/stow/apr-util
--with-openssl=/usr/local/stow/openssl-1.0.2d/
--with-apr=/usr/local/bin/apr-1-config
httpd: ./configure --prefix=/usr/local/stow/http-2.4.17/ --enable-http2
--enable-ssl --with-ssl=/usr/local/stow/openssl-1.0.2d/
--with-apr=/usr/local/stow/apr/bin/apr-1-config
--with-apr-util=/usr/local/stow/apr-util/bin/apu-1-config

$ echo $LD_LIBRARY_PATH
/usr/local/stow/http-2.4.17/lib/:/usr/local/stow/openssl-1.0.2d/lib/


In the hope this might be useful to someone

Rb



> The http2 module is working without ssl (validated with nghttp2-1.3.4 ).
> However, I can't get it to work with ssl because I don't have ALPN working:
>
> openssl s_client  -connect 10.12.12.2:443 -servername myserver
> ---
> No client certificate CA names sent
> Server Temp Key: ECDH, P-256, 256 bits
> ---
> SSL handshake has read 2105 bytes and written 497 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.1
>     Cipher    : ECDHE-RSA-AES256-SHA
>     Session-ID: 98D3B15A.......
>     Session-ID-ctx:
>     Master-Key: 4EE8E88525B2........
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 300 (seconds)
>     TLS session ticket:
>     0000 - 53 45 80 dc 4f f9 36 8b-8e 5f 0d 6e 6c 53 4b 1c   SE..O.6.._.nlSK.
>     ......
>     00c0 - cb b6 54 86 13 c5 33 e8-96 88 51 13 08 ec b2 61   ..T...3...Q....a
>
>     Start Time: 1448965228
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
>
> From the php info page, I have:
> _SERVER["SSL_VERSION_INTERFACE"] mod_ssl/2.4.17
> _SERVER["SSL_VERSION_LIBRARY"] OpenSSL/1.0.2d
>  so it seems to be using the correct openssl libs.
>
> In the ssl vhost, I have:
>         Protocols h2 http/1.1
>         SSLProtocol all -SSLv2 -SSLv3 -TLSv1.2
>         SSLHonorCipherOrder on
>         SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:HIGH:MEDIUM:!MD5:!RC4
>
> In the logs, I have:
>
> [ssl:info] [pid 6991:tid 2664164208] [client 10.12.12.1:57098] AH01964:
> Connection to child 85 established (server my_server:443)
> [ssl:debug] [pid 6991:tid 2664164208] ssl_engine_kernel.c(1933): [client
> 10.12.12.1:57098] AH02043: SSL virtual host for servername my_server found
> [ssl:debug] [pid 6991:tid 2664164208] ssl_engine_kernel.c(1860): [client
> 10.12.12.1:57098] AH02041: Protocol: TLSv1.1, Cipher:
> ECDHE-RSA-AES256-SHA (256/256 bits)
> [ssl:debug] [pid 6991:tid 2664164208] ssl_engine_kernel.c(245): [client
> 10.12.12.1:57098] AH02034: Initial (No.1) HTTPS request received for
> child 85 (server my_server:443)
>
> Did anyone see and solve this problem before?
>
> Thanks
>
> Rb
>



-- 
Web database: http://www.myowndb.com
Free Software Developers Meeting: http://www.fosdem.org
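The build sequence above, as an added example that is not part of the original post, written as one script together with two checks a defender would run afterwards: that the installed httpd really resolves libssl/libcrypto from the new OpenSSL prefix rather than an older system copy, and that a TLS handshake actually negotiates h2 through ALPN. Assumed rather than taken from the post: the source directory names under $SRC, the use of the stow prefix path to apr-1-config for apr-util as well as httpd (the post uses /usr/local/bin/apr-1-config there), the function names, and the ldd and s_client samples, which are constructed so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the post: the build order Raphael reports
# (apr, openssl, apr-util, httpd) as one script, plus two checks to run
# afterwards. Assumptions: unpacked sources live under $SRC with the directory
# names used below, and the install prefixes match the post.

SRC=${SRC:-/usr/local/src}             # assumed location of the unpacked sources
APR=/usr/local/stow/apr
SSL=/usr/local/stow/openssl-1.0.2d
APU=/usr/local/stow/apr-util
HTTPD=/usr/local/stow/http-2.4.17

# Runs in a subshell so set -e, cd and the growing LD_LIBRARY_PATH stay local.
# Each step exports LD_LIBRARY_PATH before the next configure so that the
# libraries just installed are found instead of older system copies.
build_in_order() (
    set -e
    cd "$SRC/apr"                                   # 1. apr
    ./configure --prefix="$APR"
    make
    make install
    export LD_LIBRARY_PATH="$APR/lib"
    cd "$SRC/openssl-1.0.2d"                        # 2. openssl, shared libs
    ./config --prefix="$SSL" shared
    make
    make install
    export LD_LIBRARY_PATH="$SSL/lib:$LD_LIBRARY_PATH"
    cd "$SRC/apr-util"                              # 3. apr-util against both
    ./configure --prefix="$APU" --with-openssl="$SSL/" \
        --with-apr="$APR/bin/apr-1-config"
    make
    make install
    export LD_LIBRARY_PATH="$APU/lib:$LD_LIBRARY_PATH"
    cd "$SRC/httpd-2.4.17"                          # 4. httpd last
    ./configure --prefix="$HTTPD/" --enable-http2 --enable-ssl \
        --with-ssl="$SSL/" --with-apr="$APR/bin/apr-1-config" \
        --with-apr-util="$APU/bin/apu-1-config"
    make
    make install
)

# Check 1: every libssl/libcrypto line of `ldd httpd` (read on stdin) must
# resolve under $1/lib; succeeds only if such lines exist and none points elsewhere.
links_intended_openssl() {
    awk -v want="=> $1/lib/" '
        /lib(ssl|crypto)\.so/ { seen = 1; if (index($0, want) == 0) bad = 1 }
        END { exit (seen && !bad) ? 0 : 1 }'
}

# Check 2: s_client output (read on stdin) must show h2 chosen through ALPN.
# OpenSSL 1.0.2 prints "ALPN protocol: h2" on success, "No ALPN negotiated" otherwise.
alpn_h2_negotiated() {
    grep -q '^ALPN protocol: h2$'
}

# Live check against the built server (not exercised by self_check below).
live_check() {   # usage: live_check host:port servername
    ldd "$HTTPD/bin/httpd" | links_intended_openssl "$SSL" \
        || { echo "httpd does not link $SSL"; return 1; }
    # s_client only sends the ALPN extension when asked with -alpn; use the new
    # binary because an older system openssl may not know that option at all.
    "$SSL/bin/openssl" s_client -connect "$1" -servername "$2" -alpn h2 \
        </dev/null 2>/dev/null | alpn_h2_negotiated \
        || { echo "no h2 negotiated via ALPN"; return 1; }
    echo "ok: h2 over TLS negotiated"
}

# Constructed samples (not output from the poster's machine) for an offline run.
SAMPLE_LDD_OK='libssl.so.1.0.0 => /usr/local/stow/openssl-1.0.2d/lib/libssl.so.1.0.0 (0x00007f1e5a6b1000)
libcrypto.so.1.0.0 => /usr/local/stow/openssl-1.0.2d/lib/libcrypto.so.1.0.0 (0x00007f1e5a2a0000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1e59ed0000)'
SAMPLE_LDD_OLD='libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f1e5a6b1000)
libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f1e5a2a0000)'
SAMPLE_SCLIENT_NO_ALPN='Compression: NONE
Expansion: NONE
No ALPN negotiated'
SAMPLE_SCLIENT_H2='Compression: NONE
Expansion: NONE
ALPN protocol: h2'

# Returns 0 only if both checks accept the good samples and reject the bad ones.
self_check() {
    printf '%s\n' "$SAMPLE_LDD_OK"          | links_intended_openssl "$SSL" || return 1
    printf '%s\n' "$SAMPLE_LDD_OLD"         | links_intended_openssl "$SSL" && return 1
    printf '%s\n' "$SAMPLE_SCLIENT_H2"      | alpn_h2_negotiated || return 1
    printf '%s\n' "$SAMPLE_SCLIENT_NO_ALPN" | alpn_h2_negotiated && return 1
    return 0
}

case "${1:-}" in
    build) build_in_order ;;
    check) live_check "${2:?host:port}" "${3:?servername}" ;;
    *)     self_check && echo "self-check passed" ;;
esac
```

Run `sh build.sh build` first, then `sh build.sh check 10.12.12.2:443 myserver` (host and servername taken from the post's own s_client call). Two caveats worth keeping in mind when reading the results: ldd honours LD_LIBRARY_PATH, so run the check with the same environment the server is started with (or build httpd with an rpath), and an s_client probe run without `-alpn h2` reports "No ALPN negotiated" whatever the server supports, because the client never offered the extension. Separately from build order, h2 over TLS requires TLS 1.2 or later (RFC 7540) and mod_http2 enforces this by default, so an SSLProtocol line that removes TLSv1.2 will also leave the handshake at TLSv1.1 with no h2, which is exactly the shape of the s_client output quoted in the question.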
