FYI - There is a workaround (toggle) to re-enable but not really useful. https://chromestatus.com/feature/4832850040324096
And also found the Chrome roadmap: https://chromestatus.com/roadmap

Steve

On Wed, Oct 4, 2023 at 6:37 AM Jered Floyd <je...@convivian.com> wrote:
>
> Thanks, Steve -- this is almost certainly the simplest answer since
> trafficserver is in EPEL so the EPEL dependency won't be an issue.
>
> I'll push a build to epel-testing later today. If there are any other
> RHEL/CentOS 7 users out there on the list, please let me know as 3 up votes
> will let us skip the 7 day wait to stable.
>
> --Jered
>
>
> ----- On Oct 3, 2023, at 11:48 AM, Steve Malenfant smalenf...@gmail.com
> wrote:
>
> > FYI - I recompiled ATS 8.1.x with OpenSSL 1.1 (EPEL) and that worked for
> > us. (CentOS 7)
> >
> > On Tue, Oct 3, 2023 at 6:33 AM Jered Floyd <je...@convivian.com> wrote:
> >
> >>
> >> Chrome 117 has just rolled out denial of SHA1 signature algorithms (for
> >> header signing -- not ciphers which have already been removed) and now
> >> Chrome on any platform is unable to connect to trafficserver 9.2.2 on RHEL
> >> 7. I'm the Fedora/RHEL package maintainer so this is my problem, but before
> >> I dig into the OpenSSL usage I figured I'd poll for OpenSSL experts first.
> >> :-)
> >>
> >> Details on the Chrome change:
> >> https://groups.google.com/a/chromium.org/g/blink-dev/c/ZdpqIOKTHeM?pli=1
> >>
> >> The underlying problem seems to be that RHEL 7 has OpenSSL 1.0.2k+patches,
> >> which does not support TLS v1.3, so we are using TLS v1.2. Then for some
> >> reason I haven't yet determined, Traffic Server is only presenting a SHA-1
> >> option for header signing -- possibly due to the signature_algorithm
> >> extension not being configured. Apache httpd still works with the same
> >> OpenSSL and Chrome 117, so obviously there's some possible workaround in
> >> how OpenSSL gets used.
> >>
> >> Obviously the preferable answer is "use a modern OpenSSL" but that's not
> >> really possible on CentOS 7 / RHEL 7. Is anyone familiar enough with
> >> OpenSSL to point me in the right direction? Otherwise I'll dig in...
> >>
> >> Thanks,
> >> --Jered