Ssl – How to build Apache httpd 2.4.20 on CentOS 7 with http2 support

apache-2.4http2httpdhttpsssl

I've spent nearly a day trying to make Apache httpd builds with ALPN and http2 support for EL6 and EL7 for my company and society, as I previously did for NGINX (Built statically against OpenSSL 1.0.2h).

First, I tried to rebuild src rpms with OpenSSL 1.0.2h taken from Fedora and install resulted rpms (openssl-devel-1.0.2h-1.el7.centos.x86_64.rpm, openssl-1.0.2h-1.el7.centos.x86_64.rpm) to replace system's one. Yes, I know, this is not right way for public builds, but I need to know if will work at all.

Then I've rebuilt nghttp2-1.7.1-1.fc24.src.rpm and installed resulted libnghttp2-devel-1.7.1-1.el7.centos.x86_64.rpm and libnghttp2-1.7.1-1.el7.centos.x86_64.rpm.

Finally, after removing some patches and hacking apr and apr-util I've succeeded to build httpd-2.4.18-1.fc23.src.rpm into httpd-2.4.18-1.el7.centos.x86_64.rpm.

Plain HTTP/1.1 worked for me ok, and ALPN support was also present, but HTTP/2 did not work:

$ curl -v --insecure --http2 --tlsv1.2 https://192.168.1.148
* Rebuilt URL to: https://192.168.1.148/
*   Trying 192.168.1.148...
* Connected to 192.168.1.148 (192.168.1.148) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* ALPN, server accepted to use h2
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
*       subject: E=root@centos7.dcodeit.net,CN=centos7.dcodeit.net,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--
*       start date: май 25 13:11:19 2016 GMT
*       expire date: май 25 13:11:19 2017 GMT
*       common name: centos7.dcodeit.net
*       issuer: E=root@centos7.dcodeit.net,CN=centos7.dcodeit.net,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55ccf55b44c0)
> GET / HTTP/1.1
> Host: 192.168.1.148
> User-Agent: curl/7.43.0
> Accept: */*
>
* http2_recv: 16384 bytes buffer at 0x55ccf55b4e08 (stream 1)
* http2_recv: 16384 bytes buffer at 0x55ccf55b4e08 (stream 1)
* Unexpected EOF
* Closing connection 0
curl: (56) Unexpected EOF

I thought that there can be problems with some of Fedora's patches and tried to rebuild some other parts without any luck.
Finally, I removed all "devel" rpms, downloaded latest stable httpd-2.4.20, put apr and apr-util unmodified latest sources to its srclib directory and tried to build with:

CFLAGS="-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic"; export CFLAGS
LDFLAGS="-Wl,-z,relro,-z,now"; export LDFLAGS
"./configure" \
"--prefix=/etc/httpd" \
"--exec-prefix=/usr" \
"--bindir=/usr/bin" \
"--sbindir=/usr/sbin" \
"--mandir=/usr/share/man" \
"--libdir=/usr/lib64" \
"--sysconfdir=/etc/httpd/conf" \
"--includedir=/usr/include/httpd" \
"--libexecdir=/usr/lib64/httpd/modules" \
"--datadir=/usr/share/httpd" \
"--enable-layout=Fedora" \
"--with-installbuilddir=/usr/lib64/httpd/build" \
"--enable-mpms-shared=all" \
"--enable-suexec" \
"--with-included-apr" \
"--with-suexec" \
"--enable-suexec-capabilities" \
"--with-suexec-caller=apache" \
"--with-suexec-docroot=/var/www" \
"--without-suexec-logfile" \
"--with-suexec-syslog" \
"--with-suexec-bin=/usr/sbin/suexec" \
"--with-suexec-uidmin=1000" \
"--with-suexec-gidmin=1000" \
"--enable-pie" \
"--with-pcre" \
"--enable-mods-shared=all" \
"--enable-ssl" \
"--with-ssl=/root/openssl-1.0.2h" \
"--enable-ssl-staticlib-deps" \
"--with-nghttp2=/root/nghttp2-1.11.0" \
"--enable-nghttp2-staticlib-deps" \
"LDFLAGS=-Wl,-z,relro,-z,now" \
"CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic"

As you can see, I'm trying to build mod_ssl and mod_http2 statically with latest libraries versions, but http2 still does not work with exactly same error message: server drops connection without any reply. There is no data can be found in logs: requests are not shown in logs at all, while http/1.1, http/1.1 over SSL and h2c requests are properly logged and handled.

My configuration file is now nearly stock one (from unmodified httpd-2.4.20), but with enabled mod_ssl, mod_http2 and "Protocols h2 http/1.1".

One more strange thing: I tried to add "LogLevel http2:info" to debug http2, but I'm unable to see any initialization lines like "[http2:info] [pid XXXXX:tid numbers] mod_http2 (v1.0.0, nghttp2 1.3.4), initializing…". However, I believe http2 module is on, as there is no config error for this log level. Also I checked it with h2c (http2 over plain http) and it perfectly works with curl and "101 Switching protocols" reply.

So, I tried to build it statically, dynamically, with different lib versions, finally I used clean, unmodified sources for nghttp2, openssl, apr, apr-util, configuration files without any luck, however HTTP/2 and ALPN work normally separately.

Please advise.

Best Answer

I notice you are using this cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

However that cipher is black listed for HTTP/2: https://www.rfc-editor.org/rfc/rfc7540

And by default mod_http2 will not allow you to negotiate with blacklisted ciphers: https://httpd.apache.org/docs/2.4/mod/mod_http2.html#h2moderntlsonly

So I wonder if that is the only problem and you just need to enable more modern cipher suites? Specifically a ECDHE with GCM rather than CBC suite like TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA25. You could always turn above flag off for your curl test but Chrome similarly uses this blacklist so you'll need to enable other ciphers anyway (and why wouldn't you want to since you've gone through the hassle of upgrading your openssl for this).

If that's not the issue then you could check out the step by step instructions I give here on how to build from source: https://www.tunetheweb.com/performance/http2/. I use Centos 7 and these steps work for me.

`prefork`

mpm_prefork is.. well.. it's compatible with everything. It spins off a number of child processes for serving requests, and the child processes only serve one request at a time. Because it's got the server process sitting there, ready for action, and not needing to deal with thread marshaling, it's actually faster than the more modern threaded MPMs when you're only dealing with a single request at a time - but concurrent requests suffer, since they're made to wait in line until a server process is free. Additionally, attempting to scale up in the count of prefork child processes, you'll easily suck down some serious RAM.

It's probably not advisable to use prefork unless you need a module that's not thread safe.

Use if: You need modules that break when threads are used, like mod_php. Even then, consider using FastCGI and php-fpm.

Don't use if: Your modules won't break in threading.

`worker`

mpm_worker uses threading - which is a big help for concurrency. Worker spins off some child processes, which in turn spin off child threads; similar to prefork, some spare threads are kept ready if possible, to service incoming connections. This approach is much kinder on RAM, since the thread count doesn't have a direct bearing on memory use like the server count does in prefork. It also handles concurrency much more easily, since the connections just need to wait for a free thread (which is usually available) instead of a spare server in prefork.

Use if: You're on Apache 2.2, or 2.4 and you're running primarily SSL.

Don't use if: You really can't go wrong, unless you need prefork for compatibility.

However, note that the treads are attached to connections and not requests - which means that a keep-alive connection always keeps a hold of a thread until it's closed (which can be a long time, depending on your configuration). Which is why we have..

`event`

mpm_event is very similar to worker, structurally; it's just been moved from 'experimental' to 'stable' status in Apache 2.4. The big difference is that it uses a dedicated thread to deal with the kept-alive connections, and hands requests down to child threads only when a request has actually been made (allowing those threads to free back up immediately after the request is completed). This is great for concurrency of clients that aren't necessarily all active at a time, but make occasional requests, and when the clients might have a long keep-alive timeout.

The exception here is with SSL connections; in that case, it behaves identically to worker (gluing a given connection to a given thread until the connection closes).

Use if: You're on Apache 2.4 and like threads, but you don't like having threads waiting for idle connections. Everyone likes threads!

Don't use if: You're not on Apache 2.4, or you need prefork for compatibility.

In today's world of slowloris, AJAX, and browsers that like to multiplex 6 TCP connections (with keep-alive, of course) to your server, concurrency is an important factor in making your server scale and scale well. Apache's history has tied it down in this regard, and while it's really still not up to par with the likes of nginx or lighttpd in terms of resource usage or scale, it's clear that the development team is working toward building a web server that's still relevant in today's high-request-concurrency world.

Apache – How to Fix ‘Logjam’ Vulnerability in Apache (httpd)

From the article you linked, there are three recommended steps to protect yourself against this vulnerability. In principle these steps apply to any software you may use with SSL/TLS but here we will deal with the specific steps to apply them to Apache (httpd) since that is the software in question.

Disable Export Cipher Suites

Dealt with in the configuration changes we'll make in 2. below (!EXPORT near the end of the SSLCipherSuite line is how we'll disable export cipher suites)

Deploy (Ephemeral) Elliptic-Curve Diffie-Hellman (ECDHE)

For this, you need to edit a few settings in your Apache config files - namely SSLProtocol, SSLCipherSuite, SSLHonorCipherOrder to have a "best-practices" setup. Something like the following will suffice:

SSLProtocol             all -SSLv2 -SSLv3

SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

SSLHonorCipherOrder     on

Note: as for which SSLCipherSuite setting to use, this is always changing, and it is a good idea to consult resources such as this one to check for the latest recommended configuration.

3. Generate a Strong, Unique Diffie Hellman Group

To do so, you can run

openssl dhparam -out dhparams.pem 2048.

Note that this will put significant load on the server whilst the params are generated - you can always get around this potential issue by generating the params on another machine and using scp or similar to transfer them onto the server in question for use.

To use these newly-generated dhparams in Apache, from the Apache Documentation:

To generate custom DH parameters, use the openssl dhparam command. Alternatively, you can append the following standard 1024-bit DH parameters from RFC 2409, section 6.2 to the respective SSLCertificateFile file:

(emphasis mine)

which is then followed by a standard 1024-bit DH parameter. From this we can infer that the custom-generated DH parameters may simply be appended to the relevant SSLCertificateFile in question.

To do so, run something similar to the following:

cat /path/to/custom/dhparam >> /path/to/sslcertfile

Alternatively, as per the Apache subsection of the article you originally linked, you may also specify the custom dhparams file you have created if you prefer not to alter the certificate file itself, thusly:

SSLOpenSSLConfCmd DHParameters "/path/to/dhparams.pem"

in whichever Apache config(s) are relevant to your particular SSL/TLS implementation - generally in conf.d/ssl.confor conf.d/vhosts.conf but this will differ depending on how you have configured Apache.

It is worth noting that, as per this link,

Before Apache 2.4.7, the DH parameter is always set to 1024 bits and is not user configurable. This has been fixed in mod_ssl 2.4.7 that Red Hat has backported into their RHEL 6 Apache 2.2 distribution with httpd-2.2.15-32.el6

On Debian Wheezy upgrade apache2 to 2.2.22-13+deb7u4 or later and openssl to 1.0.1e-2+deb7u17. The above SSLCipherSuite does not work perfectly, instead use the following as per this blog:

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA

You should check whether your Apache version is later than these version numbers depending on your distribution, and if not - update it if at all possible.

Once you have performed the above steps to update your configuration, and restarted the Apache service to apply the changes, you should check that the configuration is as-desired by running the tests on SSLLabs and on the article related to this particular vulnerability.

Best Answer

Related Solutions

apache – Selecting the Right MPM

prefork

worker

event

Apache – How to Fix ‘Logjam’ Vulnerability in Apache (httpd)

Related Topic

`prefork`

`worker`

`event`