This update is in progress.  The RPMs are linked here, and if you have a Fedora 
Project account you can upvote to get this into stable faster:
  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-a08f6a3e19

--Jered

----- On Oct 4, 2023, at 11:36 AM, Jered Floyd je...@convivian.com wrote:

> Thanks, Steve -- this is almost certainly the simplest answer since
> trafficserver is in EPEL so the EPEL dependency won't be an issue.
> 
> I'll push a build to epel-testing later today.  If there are any other
> RHEL/CentOS 7 users out there on the list, please let me know as 3 up votes
> will let us skip the 7 day wait to stable.
> 
> --Jered
> 
> 
> ----- On Oct 3, 2023, at 11:48 AM, Steve Malenfant smalenf...@gmail.com wrote:
> 
>> FYI - I recompiled ATS 8.1.x with OpenSSL 1.1 (EPEL) and that worked for
>> us. (Centos 7)
>> 
>> On Tue, Oct 3, 2023 at 6:33 AM Jered Floyd <je...@convivian.com> wrote:
>> 
>>>
>>> Chrome 117 has just rolled out denial of SHA1 signature algorithms (for
>>> header signing -- not ciphers which have already been removed) and now
>>> Chrome on any platform is unable to connect to trafficserver 9.2.2 on RHEL
>>> 7. I'm the Fedora/RHEL package maintainer so this is my problem, but before
>>> I dig into the OpenSSL usage I figured I'd poll for OpenSSL experts first.
>>> :-)
>>>
>>> Details on the Chrome change:
>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/ZdpqIOKTHeM?pli=1
>>>
>>> The underlying problem seems to be that RHEL 7 has OpenSSL 1.0.2k+patches,
>>> which does not support TLS v1.3, so we are using TLS v1.2. Then for some
>>> reason I haven't yet determined, Traffic Server is only presenting a SHA-1
>>> option for header signing -- possibly due to the signature_algorithm
>>> extension not being configured. Apache httpd still works with the same
>>> OpenSSL and Chrome 117, so obviously there's some possible workaround in
>>> how OpenSSL gets used.
>>>
>>> Obviously the preferable answer is "use a modern OpenSSL" but that's not
>>> really possible on CentOS 7 / RHEL 7. Is anyone familiar enough with
>>> OpenSSL to point me in the right direction? Otherwise I'll dig in...
>>>
>>> Thanks,
>>> --Jered
