Description of problem:
RHEL 7.4 includes OpenSSL 1.0.2, which brings support for ALPN. Nginx can't take advantage of this for HTTP2 until it's rebuilt against the new OpenSSL.

Version-Release number of selected component (if applicable):
nginx-1.10.2-1.el7

How reproducible:
Install nginx from EPEL on RHEL 7.4.

Steps to Reproduce:
1. Enable SSL per nginx documentation.
2. Enable http2 per nginx documentation.
3. curl -sIL --http2 -v https://<HOSTNAME> | grep ALPN

Actual results:
> * ALPN, server did not agree to a protocol

Expected results:
> * ALPN, server accepted to use h2

Additional info:
The current nginx RPMS in EPEL have this requirement:
> libcrypto.so.10(OPENSSL_1.0.1)(64bit)
> libcrypto.so.10(OPENSSL_1.0.1_EC)(64bit)

After rebuilding the nginx source RPM on RHEL 7.4, the resulting RPMS have this requirement:
> libcrypto.so.10(OPENSSL_1.0.1_EC)(64bit)
> libcrypto.so.10(OPENSSL_1.0.2)(64bit)
It would probably be best to not fix this until CentOS 7.4 has been released, because the resulting RPMS are uninstallable on CentOS 7.3.
CentOS 7.3 currently contains openssl v1.0.2k (see http://mirror.centos.org/centos-7/7.3.1611/cr/x86_64/Packages/openssl-1.0.2k-8.el7.x86_64.rpm). I think that you can build nginx with openssl v1.0.2k.
That's in the CR repo, which isn't enabled by default. Waiting for CentOS 7.4 proper would be best.
CentOS 7.4 has been released
Any update on this? CentOS 7.4 has been released and many production systems are looking forward to HTTP2.
I will rebuild it ASAP.
nginx-1.10.2-2.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-9365559cfc
How much time does it usually take to publish it on the stable repository?
It needs to get +3 karma in Bodhi. Feel free to test it. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-9365559cfc
Working fine for me. Not sure if I understand karma in Bodhi.
FYI, anonymous karma in bodhi doesn't count, you have to log in with a Fedora account first.
nginx-1.10.2-2.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-9365559cfc
Is it possible to go live?
Pushed to stable.
nginx-1.10.2-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
Hello,

I want to inform you that this change caused a problem installing epel7 `nginx` on rhel7.3. The problem is the nginx (nginx-1.10.2-2.el7.x86_64 (epel)) dependency on `libcrypto.so.10` which provides `openssl-libs-1.0.2`, not existent in rhel7.3 repos.

We run an epel7 repo mirror keeping older versions, so we were able to work around this by forcing yum to install the 'nginx-1.10.2.1' version. But people who rely on upstream epel7 may experience dependency problems.

Attaching some output:

[root@maros7-frontend ~]# yum install nginx
Resolving Dependencies
--> Running transaction check
---> Package nginx.x86_64 1:1.10.2-2.el7 will be installed
--> Processing Dependency: nginx-filesystem = 1:1.10.2-2.el7 for package: 1:nginx-1.10.2-2.el7.x86_64
--> Processing Dependency: nginx-all-modules = 1:1.10.2-2.el7 for package: 1:nginx-1.10.2-2.el7.x86_64
--> Processing Dependency: libcrypto.so.10(OPENSSL_1.0.2)(64bit) for package: 1:nginx-1.10.2-2.el7.x86_64
--> Running transaction check
---> Package nginx.x86_64 1:1.10.2-2.el7 will be installed
--> Processing Dependency: libcrypto.so.10(OPENSSL_1.0.2)(64bit) for package: 1:nginx-1.10.2-2.el7.x86_64
---> Package nginx-all-modules.noarch 1:1.10.2-2.el7 will be installed
--> Processing Dependency: nginx-mod-stream = 1:1.10.2-2.el7 for package: 1:nginx-all-modules-1.10.2-2.el7.noarch
--> Processing Dependency: nginx-mod-mail = 1:1.10.2-2.el7 for package: 1:nginx-all-modules-1.10.2-2.el7.noarch
--> Processing Dependency: nginx-mod-http-xslt-filter = 1:1.10.2-2.el7 for package: 1:nginx-all-modules-1.10.2-2.el7.noarch
--> Processing Dependency: nginx-mod-http-perl = 1:1.10.2-2.el7 for package: 1:nginx-all-modules-1.10.2-2.el7.noarch
--> Processing Dependency: nginx-mod-http-image-filter = 1:1.10.2-2.el7 for package: 1:nginx-all-modules-1.10.2-2.el7.noarch
--> Processing Dependency: nginx-mod-http-geoip = 1:1.10.2-2.el7 for package: 1:nginx-all-modules-1.10.2-2.el7.noarch
---> Package nginx-filesystem.noarch 1:1.10.2-1.el7 will be updated
---> Package nginx-filesystem.noarch 1:1.10.2-2.el7 will be an update
--> Running transaction check
---> Package nginx.x86_64 1:1.10.2-2.el7 will be installed
--> Processing Dependency: libcrypto.so.10(OPENSSL_1.0.2)(64bit) for package: 1:nginx-1.10.2-2.el7.x86_64
---> Package nginx-mod-http-geoip.x86_64 1:1.10.2-2.el7 will be installed
---> Package nginx-mod-http-image-filter.x86_64 1:1.10.2-2.el7 will be installed
---> Package nginx-mod-http-perl.x86_64 1:1.10.2-2.el7 will be installed
---> Package nginx-mod-http-xslt-filter.x86_64 1:1.10.2-2.el7 will be installed
---> Package nginx-mod-mail.x86_64 1:1.10.2-2.el7 will be installed
---> Package nginx-mod-stream.x86_64 1:1.10.2-2.el7 will be installed
--> Finished Dependency Resolution
Error: Package: 1:nginx-1.10.2-2.el7.x86_64 (epel)
Requires: libcrypto.so.10(OPENSSL_1.0.2)(64bit)
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest

---

[root@maros7-frontend ~]# yum whatprovides */libcrypto.so.10
1:openssl-libs-1.0.1e-60.el7_3.1.i686 : A general purpose cryptography library with TLS implementation
Repo : rhel_ref
Matched from:
Filename : /usr/lib/libcrypto.so.10

1:openssl-libs-1.0.1e-60.el7_3.1.x86_64 : A general purpose cryptography library with TLS implementation
Repo : rhel_ref
Matched from:
Filename : /usr/lib64/libcrypto.so.10

1:openssl-libs-1.0.1e-60.el7_3.1.x86_64 : A general purpose cryptography library with TLS implementation
Repo : @rhel_ref
Matched from:
Filename : /usr/lib64/libcrypto.so.10

---

# Because of our mirror keeping older versions
[root@maros7-frontend ~]# yum --showduplicates list nginx | expand
Available Packages
nginx.x86_64 1:1.10.2-1.el7 epel
nginx.x86_64 1:1.10.2-2.el7 epel

Thank you,
Maros
Maros, obviously rebuilding nginx to link against openssl 1.0.2 in 7.4 results in packages that are uninstallable without openssl 1.0.2 available. EPEL only builds against base RHEL. If you don't want to update to RHEL 7.4, then you need to rebuild the nginx source RPM yourself on a 7.3 system.
Sorry, I did not know EPEL keeps compatibility with the latest release, thank you for the clarification. So no problem, in that case we will build a custom package.
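
The dependency failure discussed in this thread can be checked before a rollout. The following is an added example, not part of the bug report or of EPEL tooling: it compares the versioned OpenSSL symbol sets a package requires against those the host's openssl-libs provides. The function name, file layout and the provides list are assumptions; the requires list is the one reported above for nginx-1.10.2-2.el7.

```shell
#!/bin/sh
# Added example (not from the bug report): list the versioned OpenSSL symbol
# sets a package requires that the installed openssl-libs does not provide.

# unmet_openssl_deps REQUIRES_FILE PROVIDES_FILE
# Both files hold one capability per line, in the form printed by
#   rpm -qp --requires <package.rpm>   and   rpm -q --provides openssl-libs
unmet_openssl_deps() {
    awk '
        { sub(/[ \t]+$/, "") }                          # rpm may pad lines with blanks
        FILENAME == ARGV[1] { provided[$0] = 1; next }  # first file: provides
        /^lib(crypto|ssl)\.so\.[0-9]+\(/ && !($0 in provided) && !seen[$0]++
    ' "$2" "$1"
}

# Constructed sample data. The requires list matches what the thread reports
# for nginx-1.10.2-2.el7; the provides list is an assumed excerpt for
# openssl-libs-1.0.1e (RHEL 7.3), limited to the symbol sets the thread shows
# the earlier nginx build depending on.
demo_rhel73() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/requires" <<'EOF'
libcrypto.so.10(OPENSSL_1.0.1_EC)(64bit)
libcrypto.so.10(OPENSSL_1.0.2)(64bit)
nginx-filesystem = 1:1.10.2-2.el7
EOF
    cat > "$tmp/provides" <<'EOF'
libcrypto.so.10()(64bit)
libcrypto.so.10(OPENSSL_1.0.1)(64bit)
libcrypto.so.10(OPENSSL_1.0.1_EC)(64bit)
EOF
    unmet_openssl_deps "$tmp/requires" "$tmp/provides"
    rm -rf "$tmp"
}

demo_rhel73   # prints each capability yum would fail to resolve
```

An empty result means every versioned libcrypto/libssl requirement is satisfied by the installed OpenSSL libraries; any printed line corresponds to a "Requires:" error like the one in the yum output above.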