ALPN
Step 1. Manually update your openssl
# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
# yum install pcre-devel -y
# cd /usr/local/src/
# wget https://www.openssl.org/source/openssl-1.0.2-latest.tar.gz
# tar -zxf openssl-1.0.2-latest.tar.gz
# cd openssl-1.0.2k/
# ./config
# make depend
# make
# make test
# make install
# mv /usr/bin/openssl /usr/bin/openssl_1.0.1e
# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
# openssl version
OpenSSL 1.0.2k 26 Jan 2017
Step 2. Manually update NGINX
I grabbed the configure arguments from nginx -V; the only addition was --with-openssl=/usr/local/src/openssl-1.0.2k/.
# nginx -V
nginx version: nginx/1.10.2
built with OpenSSL 1.0.1e-fips 11 Feb 2013
# cd /usr/local/src/
# wget http://nginx.org/download/nginx-1.10.3.tar.gz
# tar zxvf nginx-1.10.3.tar.gz
# cd nginx-1.10.3
# ./configure --with-openssl=/usr/local/src/openssl-1.0.2k/
I needed to install a bunch of stuff at this point:
# yum groupinstall development
# yum install perl-ExtUtils-Embed geoip geoip-devel google-perftools google-perftools-devel -y
This got me through ./configure. I then had a load of issues with make referring to fPIC / openssl; no matter how I recompiled openssl it just didn’t work, so I found a cheat:
# export CC="gcc -fPIC"
# export CXX="g++ -fPIC"
# make
# make install
# env -i bash
# systemctl restart nginx
# nginx -V
nginx version: nginx/1.10.3
built with OpenSSL 1.0.2k 26 Jan 2017
Enable HTTP/2
Step 1. In your nginx config file, change:
server {
listen 443;
ssl on;
to
server {
listen 443 http2;
ssl on;
Step 2. Restart Nginx
Easy.
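To confirm the rebuild actually took, the two checks above (the "built with" line from nginx -V, and whether h2 is negotiated once http2 is enabled) can be scripted. This is an added example, not part of the original post; the function names are hypothetical, and the sample lines in the loop are the two nginx -V lines shown above.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# Print the OpenSSL version nginx was compiled against.
# $1 is the text of `nginx -V 2>&1` (nginx writes -V output to stderr).
nginx_built_openssl() {
    printf '%s\n' "$1" |
        sed -n 's/^built with OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1
}

# Exit 0 if the version is >= 1.0.2 (the first OpenSSL release with ALPN),
# 1 if it is older, 2 if it cannot be parsed (e.g. nginx built with another library).
openssl_has_alpn() {
    v=${1%%[a-z-]*}                      # drop the patch letter: 1.0.2k -> 1.0.2
    case $v in ''|*[!0-9.]*) return 2 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $v                            # split on dots into $1 $2 $3
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -lt 1 ] && return 1
    [ "$minor" -gt 0 ] && return 0
    [ "$patch" -ge 2 ] && return 0
    return 1
}

# Print the protocol the server selected via ALPN, or nothing if none was.
# $1 is the text of `openssl s_client -alpn h2 -connect HOST:443 </dev/null 2>&1`
# (the -alpn option itself needs a 1.0.2+ openssl binary on the client side).
alpn_selected() {
    printf '%s\n' "$1" | sed -n 's/^ALPN protocol: //p' | head -n 1
}

# Constructed samples: the "built with" lines before and after the rebuild.
for sample in 'built with OpenSSL 1.0.1e-fips 11 Feb 2013' \
              'built with OpenSSL 1.0.2k 26 Jan 2017'; do
    ver=$(nginx_built_openssl "$sample")
    if openssl_has_alpn "$ver"; then
        echo "$ver: ALPN available"
    else
        echo "$ver: no ALPN (needs OpenSSL >= 1.0.2)"
    fi
done
```

On the server, pass "$(nginx -V 2>&1)" to nginx_built_openssl; after the restart, pass the s_client output to alpn_selected and expect it to print h2.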