Posted to users@httpd.apache.org by Raphael Bauduin <rb...@gmail.com> on 2015/12/01 13:53:59 UTC
[users@httpd] Re: getting http2 working
On Tue, Dec 1, 2015 at 11:30 AM, Raphael Bauduin <rb...@gmail.com> wrote:
> Hi,
>
> I am upgrading an existing server to apache 2.4.17 to enable http2. It is
> running on Linux (with an older apache and openssl version installed), and
> I'm installing the new versions from source:
> This is what I have installed from source:
> http-2.4.17
> nghttp2-1.3.4
> openssl-1.0.2d
> php-5.6.15
>
The problem was due to the order in which I compiled and installed the
components.
Following a suggestion posted in the list recently, I got it working by
compiling in this order:
apr, openssl, apr-util then finally httpd. (Did I miss it or is this not
mentioned in the doc?)
I also set the LD_LIBRARY_PATH accordingly at each step, also using the
flags --with-ssl, --with-apr and --with-apr-util when available.
In more details, the configure step of each element:
apr: ./configure --prefix=/usr/local/stow/apr
openssl: ./config --prefix=/usr/local/stow/openssl-1.0.2d shared
apr-util: ./configure --prefix=/usr/local/stow/apr-util
--with-openssl=/usr/local/stow/openssl-1.0.2d/
--with-apr=/usr/local/bin/apr-1-config
httpd: ./configure --prefix=/usr/local/stow/http-2.4.17/ --enable-http2
--enable-ssl --with-ssl=/usr/local/stow/openssl-1.0.2d/
--with-apr=/usr/local/stow/apr/bin/apr-1-config
--with-apr-util=/usr/local/stow/apr-util/bin/apu-1-config
$ echo $LD_LIBRARY_PATH
/usr/local/stow/http-2.4.17/lib/:/usr/local/stow/openssl-1.0.2d/lib/
In the hope this might be useful to someone
Rb
> The http2 module is working without ssl (validated with nghttp2-1.3.4).
> However, I can't get it to work with ssl because I don't have ALPN working:
>
> openssl s_client -connect 10.12.12.2:443 -servername myserver
> ---
> No client certificate CA names sent
> Server Temp Key: ECDH, P-256, 256 bits
> ---
> SSL handshake has read 2105 bytes and written 497 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
> Protocol : TLSv1.1
> Cipher : ECDHE-RSA-AES256-SHA
> Session-ID: 98D3B15A.......
> Session-ID-ctx:
> Master-Key: 4EE8E88525B2........
> Key-Arg : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> TLS session ticket lifetime hint: 300 (seconds)
> TLS session ticket:
> 0000 - 53 45 80 dc 4f f9 36 8b-8e 5f 0d 6e 6c 53 4b 1c
> SE..O.6.._.nlSK.
> ......
> 00c0 - cb b6 54 86 13 c5 33 e8-96 88 51 13 08 ec b2 61
> ..T...3...Q....a
>
> Start Time: 1448965228
> Timeout : 300 (sec)
> Verify return code: 21 (unable to verify the first certificate)
> ---
>
> From the php info page, I have:
> _SERVER["SSL_VERSION_INTERFACE"] mod_ssl/2.4.17
> _SERVER["SSL_VERSION_LIBRARY"] OpenSSL/1.0.2d
> so it seems to be using the correct openssl libs.
>
> In the ssl vhost, I have:
> Protocols h2 http/1.1
> SSLProtocol all -SSLv2 -SSLv3 -TLSv1.2
> SSLHonorCipherOrder on
> SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:HIGH:MEDIUM:!MD5:!RC4
>
> In the logs, I have:
>
> [ssl:info] [pid 6991:tid 2664164208] [client 10.12.12.1:57098] AH01964:
> Connection to child 85 established (server my_server:443)
> [ssl:debug] [pid 6991:tid 2664164208] ssl_engine_kernel.c(1933): [client
> 10.12.12.1:57098] AH02043: SSL virtual host for servername my_server found
> [ssl:debug] [pid 6991:tid 2664164208] ssl_engine_kernel.c(1860): [client
> 10.12.12.1:57098] AH02041: Protocol: TLSv1.1, Cipher:
> ECDHE-RSA-AES256-SHA (256/256 bits)
> [ssl:debug] [pid 6991:tid 2664164208] ssl_engine_kernel.c(245): [client
> 10.12.12.1:57098] AH02034: Initial (No.1) HTTPS request received for
> child 85 (server my_server:443)
>
> Did anyone see and solve this problem before?
>
> Thanks
>
> Rb
>
--
Web database: http://www.myowndb.com
Free Software Developers Meeting: http://www.fosdem.org
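Added example, not from the thread above: a small POSIX shell script with the two checks this message implies but does not show, namely that mod_ssl really resolved libssl from the new OpenSSL prefix (via ldd) and that the handshake negotiated h2 over ALPN on a TLS version HTTP/2 accepts. The ldd and s_client inputs are constructed sample output, and the /usr/local/stow paths are assumed from this thread.

```shell
#!/bin/sh
# Added example (not from the original thread): offline checks that verify an
# httpd 2.4.17 + OpenSSL 1.0.2 build can negotiate h2. All inputs below are
# constructed sample output, so the checks run without a live server.

# Check 1: from `ldd /usr/local/stow/http-2.4.17/modules/mod_ssl.so` output,
# confirm libssl resolves from the expected OpenSSL prefix, not a stale system copy.
mod_ssl_links_expected_openssl() {   # $1 = ldd output, $2 = expected lib prefix
    printf '%s\n' "$1" | grep -E '^[[:space:]]*libssl\.so' | grep -q "=> $2"
}

# Check 2: from `openssl s_client -alpn h2 -connect host:443 -servername host`
# output, report the negotiated ALPN protocol: "h2", "http/1.1" or "none".
negotiated_alpn() {
    printf '%s\n' "$1" | awk '
        /^ALPN protocol: /    { print $3; found = 1; exit }
        /^No ALPN negotiated/ { print "none"; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# Check 3: the negotiated TLS version from the SSL-Session block.
tls_version() {
    printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *//p' | head -n 1
}

# HTTP/2 over TLS (RFC 7540, section 9.2) needs TLS 1.2 or later as well as ALPN.
h2_ready() {
    [ "$(negotiated_alpn "$1")" = "h2" ] || return 1
    case "$(tls_version "$1")" in TLSv1.2|TLSv1.3) return 0 ;; *) return 1 ;; esac
}

# Constructed sample: the failing handshake from the thread (TLSv1.1, no ALPN).
SAMPLE_NO_ALPN='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1'

# Constructed sample: what a working h2 endpoint reports.
SAMPLE_H2='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
ALPN protocol: h2
SSL-Session:
    Protocol  : TLSv1.2'

# Constructed sample ldd lines: one resolving to the stow prefix, one to the system libssl.
LDD_STOW='    libssl.so.1.0.0 => /usr/local/stow/openssl-1.0.2d/lib/libssl.so.1.0.0 (0x7f00)'
LDD_SYSTEM='    libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x7f00)'

for s in SAMPLE_NO_ALPN SAMPLE_H2; do
    eval "out=\$$s"
    printf '%s: alpn=%s tls=%s h2_ready=%s\n' "$s" "$(negotiated_alpn "$out")" \
        "$(tls_version "$out")" "$(h2_ready "$out" && echo yes || echo no)"
done
```

Against a real server, feed the script the output of the ldd and s_client commands named in the comments; a "none" ALPN result together with a TLSv1.1 session is exactly the symptom quoted earlier in this thread.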