This question is kind of related to this one: Why is ALPN not supported by my server?
But in my case, the same test does say that ALPN is supported even if I am not using OpenSSL 1.0.2 and only OpenSSL 1.0.1t.
I am currently using Apache2.4.25 with h2 activated. But it still bothers me that ALPN is supported even if my OpenSSL is supposed to not support it?
My http2.conf in conf-enabled:
Protocols h2 h2c http/1.1
H2Push on
H2PushPriority * after
H2PushPriority text/css before
H2PushPriority image/jpeg after 32
H2PushPriority image/png after 32
H2PushPriority application/javascript interleaved
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite 'EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS'
Output from LDD:
╰─➤ ldd /usr/sbin/apache2 1 ↵
linux-vdso.so.1 (0x00007ffc4d593000)
libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fa1c2492000)
libaprutil-1.so.0 => /usr/lib/x86_64-linux-gnu/libaprutil-1.so.0 (0x00007fa1c2269000)
libapr-1.so.0 => /usr/lib/x86_64-linux-gnu/libapr-1.so.0 (0x00007fa1c2034000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fa1c1e17000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fa1c1a6c000)
libuuid.so.1 => /lib/x86_64-linux-gnu/libuuid.so.1 (0x00007fa1c1867000)
librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fa1c165f000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007fa1c1428000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fa1c1224000)
libexpat.so.1 => /lib/x86_64-linux-gnu/libexpat.so.1 (0x00007fa1c0ffb000)
/lib64/ld-linux-x86-64.so.2 (0x00007fa1c29a5000)
Counterquestions are appreciated!
The ldd output doesn't include any reference to libssl.so. This indicates that your Apache uses a statically linked version of the SSL library, which means that OpenSSL is included in the Apache2 binary file. So, your Apache2 does not use the SSL library on your system.
I cannot find any other explanation than suggesting you might have two versions of openSSL installed (or the test results are wrong).
Apache2's mod_http2 is based on nghttp2, and its docs (https://nghttp2.org/documentation/nghttpx-howto.html#alpn-support) state:
Curiously, the release notes for 1.0.1t (https://www.openssl.org/news/openssl-1.0.1-notes.html) mention:
Tracking down that message leads to https://github.com/openssl/openssl/commit/1316ca80f4e1dc9339572c780d495f995fe0bad0.
That however seems to only have contributed code to 1.1.0 - I could not find evidence of its changes in 1.0.1t.
In theory, ALPN and NPN are very closely related (https://hpbn.co/transport-layer-security-tls/#application-layer-protocol-negotiation-alpn) - the main difference between the two being who announces the protocols. But I simply cannot find a logical explanation to your findings, so have to ask if you are certain of your premises.
You can serve HTTP/2 without ALPN (I checked using the test/tool you linked to), but I cannot find anything to explain why ALPN would be shown as supported.
The only other lead I could find is a bug report for RH, where this issue is discussed at some length:
https://bugzilla.redhat.com/show_bug.cgi?id=1276310
There are suggestions that the RH team may do something about it, but I don't see any clear indication of a backport of ALPN into 1.0.1. And don't know whether a RedHat related discussion is relevant in your case.
It seems like Apache 2.4.25 from the testing repo is compiled together with libssl 1.0.2, which explains why the server has ALPN support even if OpenSSL 1.0.2 is not installed on the system.
I can't comment on the ALPN question directly, but ldd shouldn't be used on /usr/sbin/apache2 unless apachectl -M indicates that ssl_module or http2_module are static instead of shared (shared being the default for most modules). Use ldd $(locate mod_ssl.so) resp. ldd $(locate mod_http2.so) instead. From there it should be possible to find out against which version you are really linked.
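The two checks described in the answers above (no libssl in ldd output means a built-in OpenSSL; apachectl -M tells you whether to inspect the binary or mod_ssl.so) as an added example script, not code from any of the posters. The apachectl -M and ldd outputs are constructed samples so it runs offline; on a real host feed it the live command output instead.

```shell
#!/bin/sh
# Constructed `apachectl -M` output: ssl_module loaded as a shared object.
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 so_module (static)
 ssl_module (shared)
 http2_module (shared)'

# Constructed `ldd mod_ssl.so` output that links the system libssl.
SAMPLE_LDD_SHARED='  linux-vdso.so.1 (0x00007ffd5b5f1000)
  libssl.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2 (0x00007f0d1c2a0000)
  libcrypto.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.2 (0x00007f0d1be60000)
  libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0d1bab0000)'

# Constructed `ldd` output with no libssl at all (the situation in the question).
SAMPLE_LDD_STATIC='  linux-vdso.so.1 (0x00007ffc4d593000)
  libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fa1c2492000)
  libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fa1c1a6c000)
  /lib64/ld-linux-x86-64.so.2 (0x00007fa1c29a5000)'

# module_linkage MODULE_NAME MODULES_OUTPUT -> "static", "shared" or "absent".
# Decides whether ldd must run on the apache2 binary (static) or on the .so.
module_linkage() {
    printf '%s\n' "$2" | awk -v m="$1" '
        $1 == m { gsub(/[()]/, "", $2); print $2; found = 1; exit }
        END { if (!found) print "absent" }'
}

# ssl_library LDD_OUTPUT -> resolved libssl path, or "static" when no libssl
# line exists, i.e. the OpenSSL code is compiled into the object itself.
ssl_library() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^libssl\.so/ && $2 == "=>" { print $3; found = 1; exit }
        END { if (!found) print "static" }'
}

# Walk through the procedure on the constructed samples.
echo "ssl_module is $(module_linkage ssl_module "$SAMPLE_MODULES")"
echo "mod_ssl.so uses: $(ssl_library "$SAMPLE_LDD_SHARED")"
echo "apache2 binary uses: $(ssl_library "$SAMPLE_LDD_STATIC")"
```

With a real libssl path in hand, strings or the package manager on that file gives the OpenSSL version actually in use.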