FYI - I recompiled ATS 8.1.x with OpenSSL 1.1 (EPEL) and that worked for
us. (CentOS 7)

On Tue, Oct 3, 2023 at 6:33 AM Jered Floyd <je...@convivian.com> wrote:

>
> Chrome 117 has just rolled out denial of SHA1 signature algorithms (for
> header signing -- not ciphers which have already been removed) and now
> Chrome on any platform is unable to connect to trafficserver 9.2.2 on RHEL
> 7. I'm the Fedora/RHEL package maintainer so this is my problem, but before
> I dig into the OpenSSL usage I figured I'd poll for OpenSSL experts first.
> :-)
>
> Details on the Chrome change:
> https://groups.google.com/a/chromium.org/g/blink-dev/c/ZdpqIOKTHeM?pli=1
>
> The underlying problem seems to be that RHEL 7 has OpenSSL 1.0.2k+patches,
> which does not support TLS v1.3, so we are using TLS v1.2. Then for some
> reason I haven't yet determined, Traffic Server is only presenting a SHA-1
> option for header signing -- possibly due to the signature_algorithm
> extension not being configured. Apache httpd still works with the same
> OpenSSL and Chrome 117, so obviously there's some possible workaround in
> how OpenSSL gets used.
>
> Obviously the preferable answer is "use a modern OpenSSL" but that's not
> really possible on CentOS 7 / RHEL 7. Is anyone familiar enough with
> OpenSSL to point me in the right direction? Otherwise I'll dig in...
>
> Thanks,
> --Jered
>
