How-to: Enable HTTP/2 in Apache/Nginx/cURL

First I installed the latest OpenSSL version.
See https://forum.directadmin.com/showthread.php?t=48721

But now I am unable to enable HTTP/2

# make install

Code:
shlib_target=; if [ -n "" ]; then \
        shlib_target="linux-shared"; \
elif [ -n "" ]; then \
  FIPSLD_CC="gcc"; CC=/usr/local/ssl/fips-2.0/bin/fipsld; export CC FIPSLD_CC; \
fi; \
LIBRARIES="-L.. -lssl  -L.. -lcrypto" ; \
make -f ../Makefile.shared -e \
        APPNAME=openssl OBJECTS="openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o ec.o ecparam.o x509.o genrsa.o gendsa.o genpkey.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o pkey.o pkeyparam.o pkeyutl.o spkac.o smime.o cms.o rand.o engine.o ocsp.o prime.o ts.o srp.o" \
        LIBDEPS=" $LIBRARIES -ldl" \
        link_app.${shlib_target}
make[2]: Entering directory `/usr/local/src/openssl-1.0.2h/apps'
( :; LIBDEPS="${LIBDEPS:--L.. -lssl  -L.. -lcrypto -ldl}"; LDCMD="${LDCMD:-gcc}"; LDFLAGS="${LDFLAGS:--DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -fPIC -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM}"; LIBPATH=`for x in $LIBDEPS; do echo $x; done | sed -e 's/^ *-L//;t' -e d | uniq`; LIBPATH=`echo $LIBPATH | sed -e 's/ /:/g'`; LD_LIBRARY_PATH=$LIBPATH:$LD_LIBRARY_PATH ${LDCMD} ${LDFLAGS} -o ${APPNAME:=openssl} openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o ec.o ecparam.o x509.o genrsa.o gendsa.o genpkey.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o pkey.o pkeyparam.o pkeyutl.o spkac.o smime.o cms.o rand.o engine.o ocsp.o prime.o ts.o srp.o ${LIBDEPS} )
enc.o: In function `enc_main':
enc.c:(.text+0x11c6): undefined reference to `BIO_f_zlib'
collect2: error: ld returned 1 exit status
make[2]: *** [link_app.] Error 1
make[2]: Leaving directory `/usr/local/src/openssl-1.0.2h/apps'
make[1]: *** [openssl] Error 2
make[1]: Leaving directory `/usr/local/src/openssl-1.0.2h/apps'
make: *** [build_apps] Error 1
 
Please update the how-tos and make a thread for nginx only and Apache only.




It's most likely that your OpenSSL does not support ALPN extension, that's why it's difficult to get HTTP/2 running with Apache. Please follow these steps to get HTTP/2 enabled with Apache:
1) Install OpenSSL, with ALPN support:
Code:
wget ftp://ftp.openssl.org/source/openssl-1.0.2h.tar.gz
tar xzf openssl-1.0.2h.tar.gz
cd openssl-1.0.2h
./config --prefix=/usr/local/lib_http2 no-ssl2 no-ssl3 zlib-dynamic -fPIC
make depend
make install

2) Install nghttp2:
Code:
cd /usr/local/directadmin/custombuild
./build update
./build nghttp2

3) Enable http2 in Apache:
Code:
cd /usr/local/directadmin/custombuild
mkdir -p custom/ap2
cp -p configure/ap2/configure.apache custom/ap2/configure.apache

Edit custom/ap2/configure.apache, find:
Code:
    "--with-ssl=/usr" \

Replace with:
Code:
    "--enable-http2" \
    "--enable-ssl-staticlib-deps" \
    "--with-ssl=/usr/local/lib_http2" \

Re-install apache:
Code:
./build apache

4) Configure Apache to run http2:
Code:
echo 'ProtocolsHonorOrder On' >> /etc/httpd/conf/extra/httpd-includes.conf
echo 'Protocols h2 h2c http/1.1' >> /etc/httpd/conf/extra/httpd-includes.conf

Update SSL Ciphers in /etc/httpd/conf/extra/httpd-ssl.conf:
Code:
cd /usr/local/directadmin/custombuild
./build rewrite_confs

Restart apache now :) It's recommended to run PHP in PHP-FPM mode, so that PHP wouldn't be installed as a module of Apache (otherwise you might have openssl library conflict, if PHP is compiled as apache module and uses the old (OS) version of openssl).

To enable HTTP/2 in cURL, add the following code to /usr/local/directadmin/custombuild/custom/curl/configure.curl:
Code:
#!/bin/sh
LIBS="-ldl" ./configure --with-nghttp2=/usr/local --with-ssl=/usr/local/lib_http2

And execute:
Code:
cd /usr/local/directadmin/custombuild
chmod 700 custom/curl/configure.curl
./build curl

To enable HTTP/2 in Nginx:
Code:
cd /usr/local/src/
wget ftp://ftp.openssl.org/source/openssl-1.0.2h.tar.gz
tar xzf openssl-1.0.2h.tar.gz

For standalone Nginx:
Code:
cd /usr/local/directadmin/custombuild
mkdir -p custom/nginx
cp -p configure/nginx/configure.nginx custom/nginx/configure.nginx

For Nginx_Apache:
Code:
cd /usr/local/directadmin/custombuild
mkdir -p custom/nginx_reverse
cp -p configure/nginx_reverse/configure.nginx custom/nginx_reverse/configure.nginx

Build Nginx with statically linked OpenSSL library:
1) Edit configure.nginx which was copied to custom/ folder
2) Add "--with-openssl=/usr/local/src/openssl-1.0.2h" flag
3) Run "./build nginx"
4) Execute:
Code:
cd /usr/local/directadmin/data/templates/
cp -fp nginx_server_secure.conf custom/nginx_server_secure.conf
cp -fp nginx_server_secure_sub.conf custom/nginx_server_secure_sub.conf
perl -pi -e 's#listen \|IP\|:\|PORT_443\| ssl#listen |IP|:|PORT_443| ssl http2#g' custom/nginx_server_secure.conf custom/nginx_server_secure_sub.conf
cd /usr/local/directadmin/custombuild
./build rewrite_confs
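
To confirm that a rebuilt server negotiates HTTP/2 through ALPN rather than only through the older NPN extension, the following added example (not part of the original post) classifies a captured transcript from `openssl s_client -alpn h2 -connect host:443` or from `curl -v`. The function names and the sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# classify_h2_negotiation: read a TLS client transcript on stdin (output of
# `openssl s_client -alpn h2 ...` or the verbose trace of `curl -v`) and print
#   alpn:<proto>  protocol chosen through ALPN
#   npn:<proto>   protocol chosen through the older NPN extension only
#   none          no application protocol was negotiated
classify_h2_negotiation() {
    awk '
        /ALPN protocol: /               { sub(/.*ALPN protocol: */, ""); alpn = $1 }
        /ALPN, server accepted to use / { alpn = $NF }
        /ALPN: server accepted /        { alpn = $NF }
        /Next protocol: \([0-9]+\) /    { npn = $NF }
        /NPN, negotiated HTTP2 \(h2\)/  { npn = "h2" }
        END {
            if (alpn != "")     print "alpn:" alpn
            else if (npn != "") print "npn:" npn
            else                print "none"
        }'
}

# check_host HOST [PORT]: live check, needs network access and an openssl
# binary that understands -alpn (1.0.2 or later).
check_host() {
    openssl s_client -alpn h2 -servername "$1" -connect "$1:${2:-443}" \
        </dev/null 2>/dev/null | classify_h2_negotiation
}

# Constructed sample transcripts (not captured from a real server).
sample_alpn() {
    printf '%s\n' \
        'New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256' \
        'ALPN protocol: h2'
}
sample_npn() {
    printf '%s\n' \
        '* TLSv1.2 (IN), TLS handshake, Server hello (2):' \
        '* NPN, negotiated HTTP2 (h2)'
}
sample_none() {
    printf '%s\n' \
        'New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256' \
        'No ALPN negotiated'
}

# Run the classifier over the three constructed samples.
for s in sample_alpn sample_npn sample_none; do
    printf '%s -> %s\n' "$s" "$($s | classify_h2_negotiation)"
done
```

A result of `npn:h2` or `none` means the TLS library the server was linked against did not answer the ALPN offer, which is the condition the steps above are meant to fix.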
 
Hi,

Do you also have an updated version for CentOS 7 with DirectAdmin and Apache?

Since the original manual that you wrote does not work on CentOS 7.
 
No one has an answer for CentOS 7?
Still getting this error on the ./build apache

Last few lines:

/usr/local/directadmin/custombuild/httpd-2.4.23/srclib/apr/libtool --silent --mode=link gcc -std=gnu99 -pthread -I/usr/local/include -L/usr/local/lib -o httxt2dbm httxt2dbm.lo -lsystemd -lz /usr/local/directadmin/custombuild/httpd-2.4.23/srclib/apr-util/libaprutil-1.la -lexpat -liconv /usr/local/directadmin/custombuild/httpd-2.4.23/srclib/apr/libapr-1.la -lrt -lcrypt -lpthread -ldl
ab.o: In function `ssl_state_cb':
ab.c:(.text+0x591): undefined reference to `SSL_state'
ab.o: In function `ssl_print_info':
ab.c:(.text+0xa6d): undefined reference to `sk_num'
ab.c:(.text+0xa90): undefined reference to `sk_value'
ab.o: In function `test':
ab.c:(.text+0x4a4c): undefined reference to `SSL_state'
ab.o: In function `main':
ab.c:(.text+0x5606): undefined reference to `SSLv23_client_method'
ab.c:(.text+0x5d67): undefined reference to `SSLv23_client_method'
ab.c:(.text+0x5ffa): undefined reference to `SSL_load_error_strings'
ab.c:(.text+0x5fff): undefined reference to `SSL_library_init'
collect2: error: ld returned 1 exit status
make[2]: *** [ab] Error 1
make[2]: *** Waiting for unfinished jobs....
make[2]: Leaving directory `/usr/local/directadmin/custombuild/httpd-2.4.23/support'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/local/directadmin/custombuild/httpd-2.4.23/support'
make: *** [all-recursive] Error 1

*** The make has failed, would you like to try to make again? (y,n):
 
You're likely using a version of OpenSSL not specified in this (updated) tutorial.




You should be using 2016-Sep-26 10:04:14 openssl-1.0.2j.tar.gz


*********************

https://www.openssl.org/news/changelog.html

Changes between 1.0.2h and 1.1.0 [25 Aug 2016]

"Notably the SSL_state() function
has been removed and replaced by SSL_get_state which now returns an
"OSSL_HANDSHAKE_STATE" instead of an int. SSL_set_state() has been removed
altogether. The previous handshake states defined in ssl.h and ssl3.h have
also been removed."
 
No, they are not. Directadmin does not install OpenSSL, it uses by default the one installed from OS repos.
 
DA could provide an updated openssl version on their servers and manage it with CB.
http/2. It will make servers running DA better! I'm also very eager to use http/2.

HTTP/2 supports queries multiplexing, headers compression, priority and more intelligent packet streaming management. This results in reduced latency and accelerates content download on modern web pages.
 
Please help me fix this error:
/usr/local/directadmin/custombuild/custom/nginx/configure.nginx: line 20: --with-openssl=/usr/local/src/openssl-1.0.2j: No such file or directory
/usr/local/directadmin/custombuild/custom/nginx/configure.nginx: line 21 not found command --with-http_v2_module
 
Make sure you've got OpenSSL sources under /usr/local/src/openssl-1.0.2j or adjust the line to fit your needs.
 
help me please


Code:
Trying to make Nginx...
make -f objs/Makefile
make[1]: Entering directory `/usr/local/directadmin/custombuild/nginx-1.10.1'
cd /usr/local/src/openssl-1.0.2j \
        && if [ -f Makefile ]; then make clean; fi \
        && ./config --prefix=/usr/local/src/openssl-1.0.2j/.openssl no-shared  \
        && make \
        && make install_sw LIBDIR=lib
make[2]: Entering directory `/usr/local/src/openssl-1.0.2j'
rm -f *.map *.so *.so.* *.dylib *.dll engines/*.so engines/*.dll engines/*.dylib *.a engines/*.a */lib */*/lib
rm -f shlib/*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c
making clean in crypto...
make[3]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto'
make[3]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f buildinf.h *.s *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
making clean in crypto/objects...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/objects'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/objects'
making clean in crypto/md4...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/md4'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f asm/mx86unix.cpp *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/md4'
making clean in crypto/md5...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/md5'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.s *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/md5'
making clean in crypto/sha...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/sha'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.s *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/sha'
making clean in crypto/mdc2...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/mdc2'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/mdc2'
making clean in crypto/hmac...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/hmac'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/hmac'
making clean in crypto/ripemd...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/ripemd'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.s *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/ripemd'
making clean in crypto/whrlpool...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/whrlpool'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.s *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/whrlpool'
making clean in crypto/des...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/des'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.s *.o *.obj des lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/des'
making clean in crypto/aes...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/aes'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.s *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/aes'
making clean in crypto/rc2...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/rc2'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/rc2'
making clean in crypto/rc4...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/rc4'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.s *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/rc4'
making clean in crypto/idea...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/idea'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/idea'
making clean in crypto/bf...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/bf'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.s *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/bf'
making clean in crypto/cast...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/cast'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.s *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/cast'
making clean in crypto/camellia...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/camellia'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.s *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/camellia'
making clean in crypto/seed...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/seed'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/seed'
making clean in crypto/modes...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/modes'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.s *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/modes'
making clean in crypto/bn...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/bn'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.s *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/bn'
making clean in crypto/ec...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/ec'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.s *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/ec'
making clean in crypto/rsa...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/rsa'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/rsa'
making clean in crypto/dsa...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/dsa'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/dsa'
making clean in crypto/ecdsa...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/ecdsa'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/ecdsa'
making clean in crypto/dh...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/dh'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/dh'
making clean in crypto/ecdh...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/ecdh'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/ecdh'
making clean in crypto/dso...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/dso'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/dso'
making clean in crypto/engine...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/engine'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/engine'
making clean in crypto/buffer...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/buffer'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/buffer'
making clean in crypto/bio...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/bio'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/bio'
making clean in crypto/stack...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/stack'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/stack'
making clean in crypto/lhash...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/lhash'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/lhash'
making clean in crypto/rand...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/rand'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/rand'
making clean in crypto/err...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/err'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/err'
making clean in crypto/evp...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/evp'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/evp'
making clean in crypto/asn1...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/asn1'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/asn1'
making clean in crypto/pem...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/pem'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/pem'
making clean in crypto/x509...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/x509'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/x509'
making clean in crypto/x509v3...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/x509v3'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/x509v3'
making clean in crypto/conf...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/conf'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/conf'
making clean in crypto/txt_db...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/txt_db'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/txt_db'
making clean in crypto/pkcs7...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/pkcs7'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff enc dec sign verify
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/pkcs7'
making clean in crypto/pkcs12...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/pkcs12'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/pkcs12'
making clean in crypto/comp...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/comp'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/comp'
making clean in crypto/ocsp...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/ocsp'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/ocsp'
making clean in crypto/ui...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/ui'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/ui'
making clean in crypto/krb5...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/krb5'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/krb5'
making clean in crypto/cms...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/cms'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/cms'
making clean in crypto/pqueue...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/pqueue'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/pqueue'
making clean in crypto/ts...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/ts'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff enc dec sign verify
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/ts'
making clean in crypto/srp...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/srp'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/srp'
making clean in crypto/cmac...
make[4]: Entering directory `/usr/local/src/openssl-1.0.2j/crypto/cmac'
make[4]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
make[4]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto/cmac'
make[3]: Leaving directory `/usr/local/src/openssl-1.0.2j/crypto'
making clean in ssl...
make[3]: Entering directory `/usr/local/src/openssl-1.0.2j/ssl'
make[3]: warning: jobserver unavailable: using -j1.  Add `+' to parent make rule.
make[3]: *** No rule to make target `clean'.  Stop.
make[3]: Leaving directory `/usr/local/src/openssl-1.0.2j/ssl'
make[2]: *** [clean] Error 1
make[2]: Leaving directory `/usr/local/src/openssl-1.0.2j'
make[1]: *** [/usr/local/src/openssl-1.0.2j/.openssl/include/openssl/ssl.h] Error 2
make[1]: Leaving directory `/usr/local/directadmin/custombuild/nginx-1.10.1'
make: *** [build] Error 2

*** The make has failed, would you like to try to make again? (y,n):
 
I always followed this tutorial, however the combination of it all contains a bug. Could everyone test if their websites based on a server with nginx as reverse proxy and http2 enabled can be reached with the Safari browser on MacOS (or iPhone/iPad)?

We found out that users with Safari on MacOS could not connect to websites on our server. After much debugging we found out that this was the issue: https://trac.nginx.org/nginx/ticket/915.
If it does work please make sure to do a hard refresh to avoid caching.

Our situation:
- Nginx 1.11.6 reverse proxy with Apache 2.4.23
- http2 enabled in both Nginx AND Apache (just tested it with only http2 in nginx and not in apache, didn't make a difference).

Chrome (or any other browser) on MacOS does not have this issue, it is only Safari.
 
I did some further testing:

[root@web1 custombuild]# /usr/local/bin/curl -v -4 -I -L -k -X GET https://www.<domain>.<ext>
* Rebuilt URL to: https://www.<domain>.<ext>
* Trying <IPv4>
* TCP_NODELAY set
* Connected to www.<domain>.<ext> (<ipv4>) port 443 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.2 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* NPN, negotiated HTTP2 (h2)
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Unknown (67):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
* subject: OU=Domain Control Validated; OU=PositiveSSL; CN=www.<domain>.<ext>
* start date: Sep 16 00:00:00 2015 GMT
* expire date: Sep 15 23:59:59 2017 GMT
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Domain Validation Secure Server CA
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x22ac390)
> GET / HTTP/1.1
> Host: www.<domain>.<ext>
> User-Agent: curl/7.51.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
* http2 error: Invalid HTTP header field was received: frame type: 1, stream: 1, name: [upgrade], value: [h2,h2c]
* HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1)
* Curl_http_done: called premature == 1
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (92) HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1)

It does not seem to matter if Apache supports http2 or not, if Nginx has http2 enabled.
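
The trace above ends in a PROTOCOL_ERROR because the HTTP/2 response carried an `upgrade: h2,h2c` field, and HTTP/2 (RFC 7540, section 8.1.2.2) does not allow connection-specific header fields. As an added example (not part of the original post), the shell function below scans a backend's HTTP/1.1 response headers for fields that a reverse proxy has to drop before answering over HTTP/2. The function names and the sample response are constructed, with the `Upgrade` value modeled on the one in the trace.

```shell
#!/bin/sh
# h2_forbidden_headers: read a raw HTTP/1.1 response header block on stdin
# and print, one per line and in order of appearance, the lower-cased names
# of fields that must not appear in an HTTP/2 message:
#   - the connection-specific fields listed in RFC 7540, section 8.1.2.2
#   - any field nominated as hop-by-hop by the Connection header
h2_forbidden_headers() {
    tr -d '\r' | awk '
        BEGIN {
            split("connection keep-alive proxy-connection transfer-encoding upgrade", f, " ")
            for (i in f) forbidden[f[i]] = 1
        }
        NR == 1 && /^HTTP\// { next }      # skip the status line
        /^$/ { exit }                       # blank line ends the header block
        {
            p = index($0, ":")
            if (p < 2) next                 # not a "name: value" line
            name  = tolower(substr($0, 1, p - 1))
            value = tolower(substr($0, p + 1))
            order[++n] = name
            if (name == "connection") {
                # every token in Connection names another hop-by-hop field
                m = split(value, tok, ",")
                for (j = 1; j <= m; j++) {
                    gsub(/^[ \t]+|[ \t]+$/, "", tok[j])
                    if (tok[j] != "") nominated[tok[j]] = 1
                }
            }
        }
        END {
            for (k = 1; k <= n; k++) {
                h = order[k]
                if (((h in forbidden) || (h in nominated)) && !(h in printed)) {
                    print h
                    printed[h] = 1
                }
            }
        }'
}

# Constructed sample: an HTTP/1.1 backend response that advertises the
# h2/h2c upgrade, as a backend configured with "Protocols h2 h2c http/1.1"
# can do.
sample_backend_response() {
    printf '%s\r\n' \
        'HTTP/1.1 200 OK' \
        'Date: Thu, 01 Dec 2016 10:00:00 GMT' \
        'Upgrade: h2,h2c' \
        'Connection: Upgrade, Keep-Alive' \
        'Keep-Alive: timeout=5, max=100' \
        'Content-Type: text/html' \
        ''
}

# Prints: upgrade, connection, keep-alive (one per line).
sample_backend_response | h2_forbidden_headers
```

On an nginx front end, `proxy_hide_header Upgrade;` is the directive that removes such a field from proxied responses.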
 
"ERROR / BUG" extra advice / manual: when using this, take care when updating Apache to 2.4.25, you have problems with https sites. I solved this with the following:

http://forum.directadmin.com/showthread.php?t=48989&page=17&p=277732#post277732

Don't know if others have this problem too, but thought it would be interesting for other readers / forum users if so?

Also sorry for this kind of double post; I don't know if it's related to this HTTP2, or the Apache update 2.4.23 to 2.4.25, or CustomBuild 2.0 itself, or a combination of any of these. (If others have the same, maybe by searching on the web they can find it both ways.)

FORUMADMIN/MOD please take care to change this to the right part of the forum, because i don't know for the moment where to put these info's while i don't know to what part this behaviour is related. ?


Also mention here there is a version 1.0.2k https://www.openssl.org/news/cl102.txt

OpenSSL CHANGES
_______________

Changes between 1.0.2j and 1.0.2k [xx XXX xxxx]

*) Montgomery multiplication may produce incorrect results

There is a carry propagating bug in the Broadwell-specific Montgomery
multiplication procedure that handles input lengths divisible by, but
longer than 256 bits. Analysis suggests that attacks against RSA, DSA
and DH private keys are impossible. This is because the subroutine in
question is not used in operations with the private key itself and an input
of the attacker's direct choice. Otherwise the bug can manifest itself as
transient authentication and key negotiation failures or reproducible
erroneous outcome of public-key operations with specially crafted input.
Among EC algorithms only Brainpool P-512 curves are affected and one
presumably can attack ECDH key negotiation. Impact was not analyzed in
detail, because pre-requisites for attack are considered unlikely. Namely
multiple clients have to choose the curve in question and the server has to
share the private key among them, neither of which is default behaviour.
Even then only clients that chose the curve will be affected.

This issue was publicly reported as transient failures and was not
initially recognized as a security issue. Thanks to Richard Morgan for
providing reproducible case.
(CVE-2016-7055)
[Andy Polyakov]

*) OpenSSL now fails if it receives an unrecognised record type in TLS1.0
or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
prevent issues where no progress is being made and the peer continually
sends unrecognised record types, using up resources processing them.
[Matt Caswell]

Problem still exists after the Apache 2.4.25 update; we have to restart (every night after start) phpfpm and httpd.

So do you have to repeat these install steps for http2, and if yes, which steps?
 
I am running in a similar problem, since updating to Apache 2.4.25.

After a while HTTPS sites stop working, Chrome reports a ERR_SPDY_PROTOCOL_ERROR. Firefox gives a generic SSL error.

I don't quite follow ikkeben's posts, I think they are pointing at an OpenSSL issue.
I don't believe it to be an OpenSSL issue, I have been running 1.0.2e for almost a year with HTTP2 and haven't had any issues until the update to Apache 2.4.25.
I ran through the HTTP/2 commands in this thread to compile everything again in case there was a mismatch somewhere.

If I compile Apache without the "--enable-http2" bit then it seems to work fine without the SSL sites stopping working.

If anyone has HTTP/2 and Apache 2.4.25 working without issues, I would be happy to know how you did it :) In the meantime I think I will look to downgrade Apache to Apache/2.4.23 and see if that resolves the issue.
 