Thanks, Steve -- this is almost certainly the simplest answer since trafficserver is in EPEL so the EPEL dependency won't be an issue.
I'll push a build to epel-testing later today. If there are any other RHEL/CentOS 7 users out there on the list, please let me know as 3 up votes will let us skip the 7 day wait to stable. --Jered ----- On Oct 3, 2023, at 11:48 AM, Steve Malenfant smalenf...@gmail.com wrote: > FYI - I recompiled ATS 8.1.x with OpenSSL 1.1 (EPEL) and that worked for > us. (Centos 7) > > On Tue, Oct 3, 2023 at 6:33 AM Jered Floyd <je...@convivian.com> wrote: > >> >> Chrome 117 has just rolled out denial of SHA1 signature algorithms (for >> header signing -- not ciphers which have already been removed) and now >> Chome on any platform is unable to connect to trafficserver 9.2.2 on RHEL >> 7. I'm the Fedora/RHEL package maintainer so this is my problem, but before >> I dig into the OpenSSL usage I figured I'd poll for OpenSSL experts first. >> :-) >> >> Details on the Chrome change: >> [ https://groups.google.com/a/chromium.org/g/blink-dev/c/ZdpqIOKTHeM?pli=1 >> | https://groups.google.com/a/chromium.org/g/blink-dev/c/ZdpqIOKTHeM?pli=1 >> ] >> >> The underlying problem seems to be that RHEL 7 has OpenSSL 1.0.2k+patches, >> which does not support TLS v1.3, so we are using TLS v1.2. Then for some >> reason I haven't yet determined, Traffic Server is only presenting a SHA-1 >> option for header signing -- possibly due to the signature_algorithm >> extension not being configured. Apache httpd still works with the same >> OpenSSL and Chrome 117, so obviously there's some possible workaround in >> how OpenSSL gets used. >> >> Obviously the preferable answer is "use a modern OpenSSL" but that's not >> really possible on CentOS 7 / RHEL 7. Is anyone familiar enough with >> OpenSSL to point my in the right direction? Otherwise I'll dig in... >> >> Thanks, >> --Jered
