Is it possible to enable TLSv1.3 currently

[mobeigi]

Howdy,

I wanted to enable TLSv1.3 for my server. Does this require the ius httpd24u to be rebuilt with a newer version of openssl? Is the openssl not dynamically linked?

Thank you.

OpenSSL 1.1.1c FIPS  28 May 2019
built on: Wed May 13 11:27:10 2020 UTC
platform: linux-x86_64
options:  bn(64,64) md2(char) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\""
OPENSSLDIR: "/etc/pki/tls"
ENGINESDIR: "/usr/lib64/engines-1.1"
Seeding source: os-specific
engines:  dynamic

[root@atom ~]# yum list installed | grep httpd24u
httpd24u.x86_64                     2.4.41-1.el7.ius                 @ius
httpd24u-devel.x86_64               2.4.41-1.el7.ius                 @ius
httpd24u-filesystem.noarch          2.4.41-1.el7.ius                 @ius
httpd24u-mod_ssl.x86_64             1:2.4.41-1.el7.ius               @ius
httpd24u-tools.x86_64               2.4.41-1.el7.ius                 @ius

[SteveSimpson]

@mobeigi - short answer: No

Longer answer, they link against the system version of OpenSSL, so TLS 1.2 is as high as you get. I would also love to see IUS build OpenSSL 1.1.1 (& 3 when available) to support better/future algorithms. Then they could link httpd against that.

[carlwgeorge]

IUS isn't interested in maintaining openssl packages (see this issue for details).

However, it appears that someone else backported RHEL8's openssl 1.1.1c to EPEL7 as openssl11. I'd be happy to review and merge a pull request that implements building httpd24u against openssl11-devel.

[SteveSimpson]

@carlwgeorge - I might give this a shot.

[SteveSimpson]

Just a heads up. I am going to try the EPEL OpenSSL 1.1.1c after I get the 2.4.46 build done. It should be simply installing the OpenSSL package, pointing the configure script to use it and rebuilding the httpd rpm ... "should".

[SteveSimpson]

Status update: I have a pull request in for the initial upgrade to 2.4.46-1, once we get that in I will add the commit for OpenSSL 1.1. (hopefully 2.4.46-2). I have this running on a test system now!

[SteveSimpson]

Since CentOS 6 is no longer an issue and we aren't support CentOS 8 (yet/ever?), this should be relatively easy as I had the compile for CentOS 7 working before.

[ejarman]

I was able to get it to build against openssl11 by removing openssl-devel, installing openssl11-devel, and updating the exported CPPFLAGS and LDFLAGS above the 'configure' line in the .spec file:

export LDFLAGS="-Wl,-z,relro,-z,now -L%{_libdir}/openssl11"
export CPPFLAGS="-I%{_includedir}/openssl11"

There has to be a cleaner way to exclude the base system openssl headers/libs from the build, though.

[carlwgeorge]

The IUS project has reached it's end of life, and will not be addressing any more issues or pull requests.

ius.io/faq#why-doesnt-ius-have-packages-for-rhel-8

iusrepo/announce#41