Re: getting http2 working

On Tue, Dec 1, 2015 at 11:30 AM, Raphael Bauduin <rblists@xxxxxxxxx> wrote:
Hi,

I am upgrading an existing server to apache 2.4.17 to enable http2. It is running on Linux (with an older apache and openssl version installed), and I'm installing the new versions from source:
This is what I have installed from source:
http-2.4.17  
nghttp2-1.3.4  
openssl-1.0.2d  
php-5.6.15  

The problem was due to the order in which I compiled and installed the components.
Following a suggestion posted in the list recently, I got it working by compiling in this order:
apr, openssl, apr-util then finally httpd. (Did I miss it or is this not mentioned in the doc?)

I also set the LD_LIBRARY_PATH accordingly at each step, also using the flags --with-ssl, --with-apr and --with-apr-util when available.
In more detail, the configure step of each element:

apr: ./configure --prefix=/usr/local/stow/apr
openssl: ./config --prefix=/usr/local/stow/openssl-1.0.2d shared
apr-util: ./configure --prefix=/usr/local/stow/apr-util --with-openssl=/usr/local/stow/openssl-1.0.2d/ --with-apr=/usr/local/bin/apr-1-config
httpd: ./configure --prefix=/usr/local/stow/http-2.4.17/ --enable-http2 --enable-ssl --with-ssl=/usr/local/stow/openssl-1.0.2d/ --with-apr=/usr/local/stow/apr/bin/apr-1-config --with-apr-util=/usr/local/stow/apr-util/bin/apu-1-config

$ echo $LD_LIBRARY_PATH 
/usr/local/stow/http-2.4.17/lib/:/usr/local/stow/openssl-1.0.2d/lib/


In the hope this might be useful to someone

Rb
 


The http2 module is working without ssl (validated with nghttp2-1.3.4 ).
However, I can't get it to work with ssl because I don't have ALPN working:

openssl s_client  -connect 10.12.12.2:443 -servername myserver
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2105 bytes and written 497 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 98D3B15A.......
    Session-ID-ctx: 
    Master-Key: 4EE8E88525B2........
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 53 45 80 dc 4f f9 36 8b-8e 5f 0d 6e 6c 53 4b 1c   SE..O.6.._.nlSK.
    ......
    00c0 - cb b6 54 86 13 c5 33 e8-96 88 51 13 08 ec b2 61   ..T...3...Q....a

    Start Time: 1448965228
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

From the php info page, I have:
_SERVER["SSL_VERSION_INTERFACE"] mod_ssl/2.4.17
_SERVER["SSL_VERSION_LIBRARY"] OpenSSL/1.0.2d
 so it seems to be using the correct openssl libs.

In the ssl vhost, I have:
        Protocols h2 http/1.1
        SSLProtocol all -SSLv2 -SSLv3 -TLSv1.2
        SSLHonorCipherOrder on
        SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:HIGH:MEDIUM:!MD5:!RC4

In the logs, I have:

[ssl:info] [pid 6991:tid 2664164208] [client 10.12.12.1:57098] AH01964: Connection to child 85 established (server my_server:443)
[ssl:debug] [pid 6991:tid 2664164208] ssl_engine_kernel.c(1933): [client 10.12.12.1:57098] AH02043: SSL virtual host for servername my_server found
[ssl:debug] [pid 6991:tid 2664164208] ssl_engine_kernel.c(1860): [client 10.12.12.1:57098] AH02041: Protocol: TLSv1.1, Cipher: ECDHE-RSA-AES256-SHA (256/256 bits)
[ssl:debug] [pid 6991:tid 2664164208] ssl_engine_kernel.c(245): [client 10.12.12.1:57098] AH02034: Initial (No.1) HTTPS request received for child 85 (server my_server:443)

Did anyone see and solve this problem before?

Thanks

Rb



--
Web database: http://www.myowndb.com
Free Software Developers Meeting: http://www.fosdem.org
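
An offline check of the TLS-side preconditions for h2, added here as an example and not part of the original message. It relies on RFC 7540 section 9.2 (HTTP/2 over TLS requires TLS 1.2 or higher) and on the s_client output format; the function names are hypothetical and the sample inputs are constructed from the s_client output and vhost lines quoted above.

```shell
#!/bin/sh
# Added example. Inputs below are constructed from the output and vhost lines in the post.
SAMPLE_S_CLIENT='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA'
SAMPLE_SSLPROTOCOL='SSLProtocol all -SSLv2 -SSLv3 -TLSv1.2'

# Print the ALPN protocol reported by s_client ("ALPN protocol: h2"), or "none".
alpn_negotiated() {
    printf '%s\n' "$1" | awk '
        /^ALPN protocol: / { sub(/^ALPN protocol: /, ""); p = $0 }
        END { print (p == "" ? "none" : p) }'
}

# Print the TLS version from the "Protocol  :" line of the SSL-Session block.
tls_version() {
    printf '%s\n' "$1" | awk -F': *' '/^ *Protocol *:/ { print $2; exit }'
}

# Succeed if an SSLProtocol line leaves TLSv1.2 enabled (simplified, case-sensitive model).
sslprotocol_allows_tls12() {
    on=0
    for tok in $1; do
        case "$tok" in
            SSLProtocol) ;;
            all|+all|TLSv1.2|+TLSv1.2) on=1 ;;
            -all|-TLSv1.2) on=0 ;;
            [+-]*) ;;   # other +/- tokens leave TLSv1.2 as it was
            *) on=0 ;;  # a bare protocol name replaces the whole set
        esac
    done
    [ "$on" -eq 1 ]
}

# Print every finding that blocks h2 over TLS, or "ok" when none applies.
diagnose_h2() {
    out=""
    sslprotocol_allows_tls12 "$2" || out="${out}config: TLSv1.2 disabled; "
    case "$(tls_version "$1")" in
        TLSv1.2|TLSv1.3) ;;
        *) out="${out}session: $(tls_version "$1") is below TLSv1.2; " ;;
    esac
    [ "$(alpn_negotiated "$1")" = "h2" ] || out="${out}alpn: h2 not selected; "
    printf '%s\n' "${out:-ok}"
}

diagnose_h2 "$SAMPLE_S_CLIENT" "$SAMPLE_SSLPROTOCOL"
```

For live input, capture the output of openssl s_client run with -alpn h2 in addition to -connect and -servername; s_client offers ALPN only when -alpn is given, so without it "No ALPN negotiated" is printed whatever the server supports.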
