On Tue, Dec 1, 2015 at 11:30 AM, Raphael Bauduin <rbli...@gmail.com> wrote:
> Hi,
>
> I am upgrading an existing server to apache 2.4.17 to enable http2. It is
> running on Linux (with an older apache and openssl version installed), and
> I'm installing the new versions from source:
> This is what I have installed from source:
> http-2.4.17
> nghttp2-1.3.4
> openssl-1.0.2d
> php-5.6.15

The problem was due to the order in which I compiled and installed the
components. Following a suggestion posted in the list recently, I got it
working by compiling in this order: apr, openssl, apr-util, then finally
httpd. (Did I miss it or is this not mentioned in the doc?)

I also set the LD_LIBRARY_PATH accordingly at each step, also using the
flags --with-ssl, --with-apr and --with-apr-util when available.

In more detail, the configure step of each element:

apr:
./configure --prefix=/usr/local/stow/apr

openssl:
./config --prefix=/usr/local/stow/openssl-1.0.2d shared

apr-util:
./configure --prefix=/usr/local/stow/apr-util --with-openssl=/usr/local/stow/openssl-1.0.2d/ --with-apr=/usr/local/bin/apr-1-config

httpd:
./configure --prefix=/usr/local/stow/http-2.4.17/ --enable-http2 --enable-ssl --with-ssl=/usr/local/stow/openssl-1.0.2d/ --with-apr=/usr/local/stow/apr/bin/apr-1-config --with-apr-util=/usr/local/stow/apr-util/bin/apu-1-config

$ echo $LD_LIBRARY_PATH
/usr/local/stow/http-2.4.17/lib/:/usr/local/stow/openssl-1.0.2d/lib/

In the hope this might be useful to someone

Rb

> The http2 module is working without ssl (validated with nghttp2-1.3.4).
> However, I can't get it to work with ssl because I don't have ALPN working:
>
> openssl s_client -connect 10.12.12.2:443 -servername myserver
> ---
> No client certificate CA names sent
> Server Temp Key: ECDH, P-256, 256 bits
> ---
> SSL handshake has read 2105 bytes and written 497 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.1
>     Cipher    : ECDHE-RSA-AES256-SHA
>     Session-ID: 98D3B15A.......
>     Session-ID-ctx:
>     Master-Key: 4EE8E88525B2........
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 300 (seconds)
>     TLS session ticket:
>     0000 - 53 45 80 dc 4f f9 36 8b-8e 5f 0d 6e 6c 53 4b 1c   SE..O.6.._.nlSK.
>     ......
>     00c0 - cb b6 54 86 13 c5 33 e8-96 88 51 13 08 ec b2 61   ..T...3...Q....a
>
>     Start Time: 1448965228
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
>
> From the php info page, I have:
> _SERVER["SSL_VERSION_INTERFACE"] mod_ssl/2.4.17
> _SERVER["SSL_VERSION_LIBRARY"] OpenSSL/1.0.2d
> so it seems to be using the correct openssl libs.
>
> In the ssl vhost, I have:
> Protocols h2 http/1.1
> SSLProtocol all -SSLv2 -SSLv3 -TLSv1.2
> SSLHonorCipherOrder on
> SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:HIGH:MEDIUM:!MD5:!RC4
>
> In the logs, I have:
>
> [ssl:info] [pid 6991:tid 2664164208] [client 10.12.12.1:57098] AH01964:
> Connection to child 85 established (server my_server:443)
> [ssl:debug] [pid 6991:tid 2664164208] ssl_engine_kernel.c(1933): [client
> 10.12.12.1:57098] AH02043: SSL virtual host for servername my_server found
> [ssl:debug] [pid 6991:tid 2664164208] ssl_engine_kernel.c(1860): [client
> 10.12.12.1:57098] AH02041: Protocol: TLSv1.1, Cipher:
> ECDHE-RSA-AES256-SHA (256/256 bits)
> [ssl:debug] [pid 6991:tid 2664164208] ssl_engine_kernel.c(245): [client
> 10.12.12.1:57098] AH02034: Initial (No.1) HTTPS request received for
> child 85 (server my_server:443)
>
> Did anyone see and solve this problem before?
>
> Thanks
>
> Rb
> --
Web database: http://www.myowndb.com
Free Software Developers Meeting: http://www.fosdem.org
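One way to verify the outcome of a rebuild like the one described above, as an added example that is not from the thread or from httpd itself: a small POSIX shell script that checks ldd output for which OpenSSL mod_ssl actually links, and s_client output (run with -alpn h2, so the client offers h2) for the negotiated TLS version and ALPN result. The mod_ssl.so path, the OpenSSL prefix and the sample outputs are assumptions based on the stow layout quoted in the thread.

```shell
# Added check, not from the thread: confirm mod_ssl links the freshly built
# OpenSSL and that the server negotiates h2 over ALPN. Paths follow the stow
# layout in the thread; sample ldd and s_client outputs below are constructed.
EXPECTED_SSL_PREFIX=/usr/local/stow/openssl-1.0.2d

# check_linked_openssl LDD_OUTPUT PREFIX: succeeds only if every libssl/libcrypto
# line of "ldd mod_ssl.so" resolves under PREFIX rather than the distro copy.
check_linked_openssl() {
    printf '%s\n' "$1" | awk -v prefix="$2/" '
        /lib(ssl|crypto)\.so/ { if (index($3, prefix) != 1) bad++ }
        END { exit (bad > 0) }'
}
# check_alpn_h2 S_CLIENT_OUTPUT: s_client must be run with "-alpn h2", otherwise
# it never offers h2 and always prints "No ALPN negotiated".
check_alpn_h2() {
    printf '%s\n' "$1" | grep -q '^ALPN protocol: h2$'
}
# check_tls12 S_CLIENT_OUTPUT: mod_http2 withholds h2 on TLS < 1.2 by default
# (H2ModernTLSOnly), so the negotiated protocol must be TLSv1.2 or newer.
check_tls12() {
    printf '%s\n' "$1" | grep -Eq '^ *Protocol *: *TLSv1\.[2-9]'
}
# diagnose LDD_OUTPUT S_CLIENT_OUTPUT PREFIX: report the first failing cause.
diagnose() {
    check_linked_openssl "$1" "$3" ||
        { echo "mod_ssl links OpenSSL outside $3: rebuild httpd after openssl and apr-util"; return 1; }
    check_tls12 "$2" ||
        { echo "TLS below 1.2 negotiated, h2 withheld: check SSLProtocol"; return 2; }
    check_alpn_h2 "$2" ||
        { echo "no ALPN h2: check 'Protocols h2 http/1.1' in the TLS vhost"; return 3; }
    echo "OK: $3 in use and h2 negotiated"
}

# Live inputs: ldd /usr/local/stow/http-2.4.17/modules/mod_ssl.so
#   /usr/local/stow/openssl-1.0.2d/bin/openssl s_client -connect host:443 -servername host -alpn h2 </dev/null
LDD_BAD='  libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f1a2c0a0000)
  libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f1a2bc9e000)'
LDD_GOOD='  libssl.so.1.0.0 => /usr/local/stow/openssl-1.0.2d/lib/libssl.so.1.0.0 (0x00007f1a2c0a0000)
  libcrypto.so.1.0.0 => /usr/local/stow/openssl-1.0.2d/lib/libcrypto.so.1.0.0 (0x00007f1a2bc9e000)'
SC_NONE='No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1'
SC_OK='ALPN protocol: h2
SSL-Session:
    Protocol  : TLSv1.2'
diagnose "$LDD_BAD" "$SC_NONE" "$EXPECTED_SSL_PREFIX" || :
diagnose "$LDD_GOOD" "$SC_OK" "$EXPECTED_SSL_PREFIX"
```

The -alpn option exists only from OpenSSL 1.0.2 on, so the live check must use the newly built openssl binary rather than an older distro one.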