Bug 1478662 - rebuild for ALPN support
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: nginx
Version: epel7
Assignee: Jamie Nguyen
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-08-05 18:51 UTC by Carl George
Modified: 2017-10-11 15:44 UTC

Fixed In Version: nginx-1.10.2-2.el7
Last Closed: 2017-10-04 22:18:19 UTC



Description Carl George 2017-08-05 18:51:14 UTC
Description of problem:
RHEL 7.4 includes OpenSSL 1.0.2, which brings support for ALPN.  Nginx can't take advantage of this for HTTP2 until it's rebuilt against the new OpenSSL.

Version-Release number of selected component (if applicable):
nginx-1.10.2-1.el7

How reproducible:
Install nginx from EPEL on RHEL 7.4.

Steps to Reproduce:
1. Enable SSL per nginx documentation.
2. Enable http2 per nginx documentation.
3. curl -sIL --http2 -v https://<HOSTNAME> 2>&1 | grep ALPN

Actual results:
> * ALPN, server did not agree to a protocol

Expected results:
> * ALPN, server accepted to use h2

Additional info:
The current nginx RPMS in EPEL have this requirement:
> libcrypto.so.10(OPENSSL_1.0.1)(64bit)
> libcrypto.so.10(OPENSSL_1.0.1_EC)(64bit)

After rebuilding the nginx source RPM on RHEL 7.4, the resulting RPMS have this requirement:
> libcrypto.so.10(OPENSSL_1.0.1_EC)(64bit)
> libcrypto.so.10(OPENSSL_1.0.2)(64bit)

Comment 1 Carl George 2017-08-05 18:53:38 UTC
It would probably be best to not fix this until CentOS 7.4 has been released, because the resulting RPMS are uninstallable on CentOS 7.3.

Comment 2 Tomas Curilla 2017-08-28 07:47:36 UTC
CentOS 7.3 currently contains openssl v1.0.2k (see http://mirror.centos.org/centos-7/7.3.1611/cr/x86_64/Packages/openssl-1.0.2k-8.el7.x86_64.rpm)

I think that you can build nginx with openssl v1.0.2k.

Comment 3 Carl George 2017-08-28 18:52:21 UTC
That's in the CR repo, which isn't enabled by default.  Waiting for CentOS 7.4 proper would be best.

Comment 4 Tomas Curilla 2017-09-14 05:24:24 UTC
CentOS 7.4 has been released

Comment 5 Arjon Bujupi 2017-09-16 19:31:18 UTC
Any update on this? CentOS 7.4 has been released and many production systems are looking forward to HTTP2.

Comment 6 Luboš Uhliarik ✈ 2017-09-18 08:22:26 UTC
I will rebuild it ASAP.

Comment 7 Fedora Update System 2017-09-18 09:27:23 UTC
nginx-1.10.2-2.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-9365559cfc

Comment 8 Arjon Bujupi 2017-09-18 09:43:41 UTC
How much time does it usually take to publish it on the stable repository?

Comment 9 Luboš Uhliarik ✈ 2017-09-18 09:53:50 UTC
It needs to get +3 karma in Bodhi. Feel free to test it.

https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-9365559cfc

Comment 10 Arjon Bujupi 2017-09-18 12:07:04 UTC
Working fine for me. Not sure if I understand karma in Bodhi.

Comment 11 Carl George 2017-09-18 13:29:46 UTC
FYI, anonymous karma in bodhi doesn't count, you have to log in with a Fedora account first.

Comment 12 Fedora Update System 2017-09-19 17:19:52 UTC
nginx-1.10.2-2.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-9365559cfc

Comment 13 Tomas Curilla 2017-10-04 08:36:03 UTC
Is it possible to go live?

Comment 14 Luboš Uhliarik ✈ 2017-10-04 09:08:23 UTC
Pushed to stable.

Comment 15 Fedora Update System 2017-10-04 22:18:19 UTC
nginx-1.10.2-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 Maros Mitucha 2017-10-11 08:52:54 UTC
Hello,

I want to inform you that this change caused a problem installing epel7 `nginx` on rhel7.3.

The problem is the nginx (nginx-1.10.2-2.el7.x86_64 (epel)) dependency on `libcrypto.so.10` which provides `openssl-libs-1.0.2`, nonexistent in rhel7.3 repos.

We run an epel7 repo mirror keeping older versions, so we were able to work around this by forcing yum to install the 'nginx-1.10.2.1' version.
But people who rely on upstream epel7 may experience dependency problems.

Attaching some output:

    [root@maros7-frontend ~]# yum install nginx
    Resolving Dependencies
    --> Running transaction check
    ---> Package nginx.x86_64 1:1.10.2-2.el7 will be installed
    --> Processing Dependency: nginx-filesystem = 1:1.10.2-2.el7 for package: 1:nginx-1.10.2-2.el7.x86_64
    --> Processing Dependency: nginx-all-modules = 1:1.10.2-2.el7 for package: 1:nginx-1.10.2-2.el7.x86_64
    --> Processing Dependency: libcrypto.so.10(OPENSSL_1.0.2)(64bit) for package: 1:nginx-1.10.2-2.el7.x86_64
    --> Running transaction check
    ---> Package nginx.x86_64 1:1.10.2-2.el7 will be installed
    --> Processing Dependency: libcrypto.so.10(OPENSSL_1.0.2)(64bit) for package: 1:nginx-1.10.2-2.el7.x86_64
    ---> Package nginx-all-modules.noarch 1:1.10.2-2.el7 will be installed
    --> Processing Dependency: nginx-mod-stream = 1:1.10.2-2.el7 for package: 1:nginx-all-modules-1.10.2-2.el7.noarch
    --> Processing Dependency: nginx-mod-mail = 1:1.10.2-2.el7 for package: 1:nginx-all-modules-1.10.2-2.el7.noarch
    --> Processing Dependency: nginx-mod-http-xslt-filter = 1:1.10.2-2.el7 for package: 1:nginx-all-modules-1.10.2-2.el7.noarch
    --> Processing Dependency: nginx-mod-http-perl = 1:1.10.2-2.el7 for package: 1:nginx-all-modules-1.10.2-2.el7.noarch
    --> Processing Dependency: nginx-mod-http-image-filter = 1:1.10.2-2.el7 for package: 1:nginx-all-modules-1.10.2-2.el7.noarch
    --> Processing Dependency: nginx-mod-http-geoip = 1:1.10.2-2.el7 for package: 1:nginx-all-modules-1.10.2-2.el7.noarch
    ---> Package nginx-filesystem.noarch 1:1.10.2-1.el7 will be updated
    ---> Package nginx-filesystem.noarch 1:1.10.2-2.el7 will be an update
    --> Running transaction check
    ---> Package nginx.x86_64 1:1.10.2-2.el7 will be installed
    --> Processing Dependency: libcrypto.so.10(OPENSSL_1.0.2)(64bit) for package: 1:nginx-1.10.2-2.el7.x86_64
    ---> Package nginx-mod-http-geoip.x86_64 1:1.10.2-2.el7 will be installed
    ---> Package nginx-mod-http-image-filter.x86_64 1:1.10.2-2.el7 will be installed
    ---> Package nginx-mod-http-perl.x86_64 1:1.10.2-2.el7 will be installed
    ---> Package nginx-mod-http-xslt-filter.x86_64 1:1.10.2-2.el7 will be installed
    ---> Package nginx-mod-mail.x86_64 1:1.10.2-2.el7 will be installed
    ---> Package nginx-mod-stream.x86_64 1:1.10.2-2.el7 will be installed
    --> Finished Dependency Resolution
    Error: Package: 1:nginx-1.10.2-2.el7.x86_64 (epel)
               Requires: libcrypto.so.10(OPENSSL_1.0.2)(64bit)
     You could try using --skip-broken to work around the problem
     You could try running: rpm -Va --nofiles --nodigest
---

    [root@maros7-frontend ~]# yum whatprovides */libcrypto.so.10
    1:openssl-libs-1.0.1e-60.el7_3.1.i686 : A general purpose cryptography library with TLS implementation
    Repo        : rhel_ref
    Matched from:
    Filename    : /usr/lib/libcrypto.so.10
    
    1:openssl-libs-1.0.1e-60.el7_3.1.x86_64 : A general purpose cryptography library with TLS implementation
    Repo        : rhel_ref
    Matched from:
    Filename    : /usr/lib64/libcrypto.so.10
    
    1:openssl-libs-1.0.1e-60.el7_3.1.x86_64 : A general purpose cryptography library with TLS implementation
    Repo        : @rhel_ref
    Matched from:
    Filename    : /usr/lib64/libcrypto.so.10
---

    # Because of our mirror keeping older versions
    [root@maros7-frontend ~]# yum --showduplicates list nginx | expand
    Available Packages
    nginx.x86_64                         1:1.10.2-1.el7                         epel
    nginx.x86_64                         1:1.10.2-2.el7                         epel

Thank you, 
Maros

Comment 17 Carl George 2017-10-11 13:10:34 UTC
Maros, obviously rebuilding nginx to link against openssl 1.0.2 in 7.4 results in packages that are uninstallable without openssl 1.0.2 available.  EPEL only builds against base RHEL.  If you don't want to update to RHEL 7.4, then you need to rebuild the nginx source RPM yourself on a 7.3 system.
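
The dependency failure discussed in this thread, as an added example that is not part of the bug report or of EPEL's tooling: a shell check that compares the versioned libcrypto.so.10 symbols a package requires with those an openssl-libs build provides. The two requirement lists are the ones quoted in the description; the provides lists and the function names (`unmet_libcrypto`, `can_install`, `report`) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): list the versioned libcrypto symbols
# a package requires that a given openssl-libs build does not provide.

# nginx requirements quoted in the report, before and after the rebuild.
REQ_OLD='libcrypto.so.10(OPENSSL_1.0.1)(64bit)
libcrypto.so.10(OPENSSL_1.0.1_EC)(64bit)'
REQ_NEW='libcrypto.so.10(OPENSSL_1.0.1_EC)(64bit)
libcrypto.so.10(OPENSSL_1.0.2)(64bit)'

# Constructed, abbreviated stand-ins for `rpm -q --provides openssl-libs`
# on a 1.0.1e host and on a 1.0.2k host.
PROV_101E='libcrypto.so.10()(64bit)
libcrypto.so.10(OPENSSL_1.0.1)(64bit)
libcrypto.so.10(OPENSSL_1.0.1_EC)(64bit)'
PROV_102K="$PROV_101E
libcrypto.so.10(OPENSSL_1.0.2)(64bit)"

# Print every versioned libcrypto requirement in $1 that is missing from $2.
unmet_libcrypto() {
    printf '%s\n' "$1" | grep '^libcrypto\.so\.10(' | while IFS= read -r cap; do
        # -x whole line, -F literal: the parentheses must not be read as regex
        if ! printf '%s\n' "$2" | grep -qxF -- "$cap"; then
            printf '%s\n' "$cap"
        fi
    done
}

# Succeed only when nothing is unmet, i.e. yum could resolve the dependency.
can_install() {
    [ -z "$(unmet_libcrypto "$1" "$2")" ]
}

report() {  # $1 label, $2 requires, $3 provides
    if can_install "$2" "$3"; then
        echo "$1: installable"
    else
        echo "$1: missing $(unmet_libcrypto "$2" "$3" | tr '\n' ' ')"
    fi
}

report "old build on 1.0.1e" "$REQ_OLD" "$PROV_101E"
report "new build on 1.0.1e" "$REQ_NEW" "$PROV_101E"
report "new build on 1.0.2k" "$REQ_NEW" "$PROV_102K"

# On a real host, feed it live data instead (package file path is yours):
#   unmet_libcrypto "$(rpm -qp --requires ./nginx.rpm)" "$(rpm -q --provides openssl-libs)"
```

Running the check against a mirror's package before promoting it shows whether hosts still on the older openssl-libs will hit the resolver error from comment 16.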

Comment 18 Maros Mitucha 2017-10-11 15:44:15 UTC
Sorry, I did not know EPEL keeps compatibility with the latest release, thank you for the clarification.
So no problem, in that case we will build a custom package.

