Update cPanel to TLS 1.2 without modifying system files [php5 + curlssl + apache2.4.x]
This guide will work through minor revisions of Apache 2.4.x and php5.x tree updates. It may need to be updated for future major revisions but should generally work the same.
First we need to compile our own openssl. I do all my building in /home/compile; you can do yours wherever, though.
wget 'http://www.openssl.org/source/openssl-1.0.1e.tar.gz'
tar -zxf openssl-1.0.1e.tar.gz
cd openssl-1.0.1e
./config shared -fPIC
make
make install
This will install openssl to /usr/local/ssl. Now we need to precompile curlssl.
rm -rf /opt/curlssl
wget 'http://curl.haxx.se/download/curl-7.33.0.tar.gz'
tar -zxf curl-7.33.0.tar.gz
cd curl-7.33.0
./configure \
--prefix=/opt/curlssl \
--with-ssl=/usr/local/ssl \
--enable-http \
--enable-ftp \
LDFLAGS=-L/usr/local/ssl/lib \
CPPFLAGS=-I/usr/local/ssl/include
make
make install
That will install curl to /opt/curlssl. Now we need to configure EasyApache to use what we've done.
cd /var/cpanel/easy/apache/rawopts
Here we need to create two files.
touch all_php5
touch Apache2_4
Open all_php5 in an editor and place this inside:
--enable-ssl
--with-ssl=/usr/local/ssl
--with-curl=/opt/curlssl
LDFLAGS=-L/usr/local/ssl/lib
CPPFLAGS=-I/usr/local/ssl/include
Open Apache2_4 in an editor and place this inside:
--with-ssl=/usr/local/ssl
LDFLAGS=-L/usr/local/ssl/lib
CPPFLAGS=-I/usr/local/ssl/include
For perfect forward secrecy and high encryption ratings, follow this next step to save yourself a step later:
- Login to your WHM
- Choose Apache Configuration from the left
- Choose include editor
- Under Pre VirtualHost Include choose all versions and place the following code in the box.
SSLProtocol -SSLv2 +TLSv1.2 +TLSv1.1 +TLSv1 +SSLv3
SSLCompression off
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!NULL:!eNULL:!aNULL:!DSS:-LOW:RSA+RC4+SHA
Now in WHM go to EasyApache, select "build from current profile" or choose any options you wanna add, build your server, restart apache, and boom. TLS 1.2 that'll survive updates, and passes security testing. Example of a test against a server on this setup: https://www.ssllabs.com/ssltest/analyze.html?d=rootswitch.com
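As an added example (mine, not from the thread or from cPanel), here is a POSIX shell audit of the mod_ssl include above that flags the settings a TLS 1.2 deployment should no longer carry. It goes beyond the posted include by modelling mod_ssl's left-to-right handling of +X, -X and bare SSLProtocol tokens, so it also judges protocol lines written differently. The hardened variant inside it and the pre_virtualhost_global.conf path are this example's own assumptions, not the poster's configuration.

```shell
#!/bin/sh
# Added example, not part of the thread: audit mod_ssl directives before
# pasting them into WHM's Pre VirtualHost Include box. Flags protocol and
# cipher settings a TLS 1.2 deployment should no longer offer. The include
# path below is an assumption (cPanel's "all versions" include file).

LIVE_INCLUDE=/usr/local/apache/conf/includes/pre_virtualhost_global.conf

# Constructed sample: the directives as posted above, cipher list shortened.
SAMPLE_INCLUDE='SSLProtocol -SSLv2 +TLSv1.2 +TLSv1.1 +TLSv1 +SSLv3
SSLCompression off
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA:!NULL:!eNULL:!aNULL:!DSS:-LOW:RSA+RC4+SHA'

# Hardened variant (this example's own suggestion, not the thread's config):
# SSLv3 and RC4 are dropped, forward-secret suites stay first.
HARDENED_INCLUDE='SSLProtocol all -SSLv3
SSLCompression off
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!RC4:!MD5:!LOW'

# protocol_enabled NAME "SSLProtocol ...": exit 0 if NAME ends up enabled.
# Tokens apply left to right as in mod_ssl: +X adds, -X removes, a bare
# token replaces the whole set, and "all" enables every supported version.
protocol_enabled() {
    want=$1; enabled=no
    for tok in $2; do
        case "$tok" in
            SSLProtocol)                ;;              # the directive name
            all|+all|"$want"|"+$want")  enabled=yes ;;
            -all|"-$want")              enabled=no ;;
            +*|-*)                      ;;              # some other version toggled
            *)                          enabled=no ;;   # bare token resets the set
        esac
    done
    [ "$enabled" = yes ]
}

# cipher_list_allows NAME "LIST": exit 0 if an element of the colon-separated
# SSLCipherSuite list that is not excluded (!X or -X) mentions NAME.
cipher_list_allows() (
    want=$1
    IFS=:
    for elem in $2; do
        case "$elem" in
            !*|-*)     ;;            # excluded from the list
            *"$want"*) exit 0 ;;
        esac
    done
    exit 1
)

# audit_ssl_include "TEXT": print one FINDING line per weak setting, then a
# "N findings" summary. Always exits 0 so the output can be captured.
audit_ssl_include() {
    findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            SSLProtocol*)
                if ! protocol_enabled TLSv1.2 "$line"; then
                    echo "FINDING: TLSv1.2 is not enabled"; findings=$((findings + 1))
                fi
                if protocol_enabled SSLv3 "$line"; then
                    echo "FINDING: SSLv3 is still offered (POODLE); use 'SSLProtocol all -SSLv3'"
                    findings=$((findings + 1))
                fi ;;
            SSLCompression*on*)
                echo "FINDING: TLS compression is on (CRIME)"; findings=$((findings + 1)) ;;
            SSLHonorCipherOrder*off*)
                echo "FINDING: client chooses the cipher; set SSLHonorCipherOrder on"
                findings=$((findings + 1)) ;;
            SSLCipherSuite*)
                list=${line#SSLCipherSuite }
                for weak in RC4 MD5 DES EXP; do
                    if cipher_list_allows "$weak" "$list"; then
                        echo "FINDING: cipher list still allows $weak"; findings=$((findings + 1))
                    fi
                done ;;
        esac
    done <<EOF
$1
EOF
    echo "$findings findings"
}

# Audit the live include when present, otherwise the samples above.
if [ -r "$LIVE_INCLUDE" ]; then
    echo "== $LIVE_INCLUDE"; audit_ssl_include "$(cat "$LIVE_INCLUDE")"
else
    echo "== sample as posted in the thread"; audit_ssl_include "$SAMPLE_INCLUDE"
    echo "== hardened variant"; audit_ssl_include "$HARDENED_INCLUDE"
fi
```

Run on the posted include it reports two findings: SSLv3 is still offered and RC4 is still allowed (both were acceptable when the post was written; they are not today). If EasyApache later rejects the directive with "SSLProtocol: Illegal protocol 'TLSv1.2'", the directive is not the problem: that message means httpd's mod_ssl was compiled against an OpenSSL older than 1.0.1, i.e. the build did not pick up /usr/local/ssl, and the rawopts step needs checking before the include will load.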
Hello :) Thank you for sharing this workaround. Please note that user-submitted workarounds are not tested or supported by cPanel. We encourage everyone to review all aspects of workarounds before implementing them on a production server. Note: I also added a redirect to this thread from the "Security" forum, as this thread may be of interest to users browsing that forum. Thank you.
Yes! cPanel will NOT support this. At all. Nor will CentOS or anyone else. As a matter of fact, it took me a couple of days of building my own CentOS server and compiling all software from scratch before I knew what all I needed to do to do this on a cPanel server. I purposely left out change directory commands and such so that people who weren't adept enough to administrate this probably wouldn't even get cPanel to run the compile they made. If not completed just right it will fail and go back to your last working build. With that being said, two things.
1) If you ever want to remove this it's very simple to do.
cd /var/cpanel/easy/apache/rawopts
rm -rf all_php5 Apache2_4
rm -rf /opt/curlssl
rm -rf /usr/local/ssl
Login to WHM and choose Apache Configuration on the left, choose Includes, Pre VirtualHost Include, all versions, and remove the lines we added there. Go to EasyApache and rebuild your web server and everything is back to normal. I'm using it successfully on 3 production servers. The only customers that even noticed the change were the ones that were complaining they were having a fight with the compliance scans for stores so they could display their little "our site is safe" seal.
2) If anyone has any questions, I get email notices and will respond when able, between clients during the day.
I recently broke my hand but I have this in testing with OCSP Stapling, Next Protocol Negotiation, and the Spdy 3 protocol (working on 3.1), in a fcgid environment. This is a pre-requisite for that, but I will be including those in another guide with a link back to this one in the next 24 hours most likely. Stay tuned.
wired420 wrote:
> I recently broke my hand but I have this in testing with OCSP Stapling, Next Protocol Negotiation, and the Spdy 3 protocol (working on 3.1), in a fcgid environment. This is a pre-requisite for that, but I will be including those in another guide with a link back to this one in the next 24 hours most likely. Stay tuned.
This is awesome. Thank you for your work on this! Looking forward to your follow-up posts.
wired420 wrote:
> This guide will work ...
Many thanks man. You are a life saver; successfully followed in your steps (CENTOS 5.10 i686, WHM 11.38.2 (build 12)). Wish cPanel got their finger out and implemented this feature request. Too much to ask I guess :/
A very nice workaround, and I was hopeful, but it did not work for me. Centos 5.10, 64 bit, WHM 11.40.0 b19. The build process complained of incompatible libraries and other stuff and make exited with errors. I am hopeful that Cpanel will implement this feature as well, soon. I am especially anxious to implement PFS.
Given their "dedication to security" it only makes sense that they'd ship an rpm for openssl to lock things down further.
If you configure OpenSSL to install to /opt/ssl then EasyApache will detect it, and automatically use that version when compiling Apache and PHP.
cPanelKenneth wrote:
> If you configure OpenSSL to install to /opt/ssl then EasyApache will detect it, and automatically use that version when compiling Apache and PHP.
Thank you cPanelKenneth! wired420, based on what cPanelKenneth said here, are there any changes you'd make to your earlier instructions?
Note that RHEL 6.5 will provide openssl 1.0.1e: http://rhn.redhat.com/errata/RHBA-2013-1751.html When CentOS and CloudLinux provide 6.5, this workaround might not be needed anymore, though I'm not yet sure if it supports elliptic curves.
InterServed wrote:
> Note that RHEL 6.5 will provide openssl 1.0.1e: http://rhn.redhat.com/errata/RHBA-2013-1751.html When CentOS and CloudLinux provide 6.5, this workaround might not be needed anymore, though I'm not yet sure if it supports elliptic curves.
That is great news! How long before that reaches us downstream in cPanel?
bellwood wrote:
> Given their "dedication to security" it only makes sense that they'd ship an rpm for openssl to lock things down further.
It's not exactly that easy. There are kernel modules and such built against the system SSL. It would require rebuilding the entire distro. This just allows you to install a secondary version and activate it while the rest of the box continues to work on OpenSSL 1.0.0c.
Many thanks for posting. I spent hours trying to find a workable solution for PFS. Yours did the trick. :-) Just as a friendly reminder, your ssllabs test shows your server is vulnerable to heartbleed. A quick update to SSL 1.0.1g will solve this. Thank you again for your post.
Thanks for the post, it works great. The touch all_php5 and touch Apache2_4 are not needed in most cases because EasyApache automatically detects the custom OpenSSL. Please don't forget to update OpenSSL to version 1.0.1g and run EasyApache to prevent the HeartBleed security bug!
Everyone still using this without issue? I'm late to the discussion, but couldn't cPanel quite easily support this natively? That is, installing OpenSSL 1.0.1 alongside the existing one for RHEL5 distros. Not a replacement, which might break other things, but to run alongside 0.9.8 like in wired420's solution.
After seeing the popular demand for it, I will pull this section out of our custom installers for my company and put it into a self-contained bash script. Will be releasing a constantly updated installer via GIT to keep this in place shortly. The installer will update an old version just by rerunning the installer after editing the config with the new version numbers. (Also cause I'm tired of updating it by hand every time there is a new bug).
Wired, would you be able to help me out just a bit? I've got openssl 1.0.1j installed per your instructions, but WHM still can't use TLS 1.1 or 1.2.
# openssl version
OpenSSL 1.0.1j 15 Oct 2014
When I add the Pre Main Include I get the following syntax error:
Configuration problem detected on line 1 of file /usr/local/apache/conf/includes/pre_main_global.conf.tmp:
SSLProtocol: Illegal protocol 'TLSv1.2'
--- /usr/local/apache/conf/includes/pre_main_global.conf.tmp ---
1 ===> SSLProtocol -SSLv2 +TLSv1.2 +TLSv1.1 +TLSv1 +SSLv3 <===
2 SSLCompression off
3 SSLHonorCipherOrder on
4 SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!NULL:!eNULL:!aNULL:!DSS:-LOW:RSA+RC4+SHA
--- /usr/local/apache/conf/includes/pre_main_global.conf.tmp ---
Regrettably it seems a change has been made to EasyApache which blocks the suggested path here. Frustrating to find this out AFTER spending time trying to do this manually, but I can't find anything to indicate this change in policy...
I have a server with Apache 2.2.29, php 5.3.29, WHM 11.30.6 (build 3), CENTOS 5.7 i686 standard. I try the upgrade below but I'm getting an error when I recompile apache (see below). Is there a way around this? Does this even work with my server? thanks! jy
configure: warning: CPPFLAGS=-I/usr/local/ssl/include: invalid host type
configure: warning: LDFLAGS=-L/usr/local/ssl/lib: invalid host type
configure: error: can only configure for one host and one target at a time
!! './configure --disable-fileinfo --enable-bcmath --enable-calendar --enable-ftp --enable-gd-native-ttf --enable-libxml --enable-magic-quotes --enable-mbstring --enable-pdo=shared --enable-sockets --enable-ssl --prefix=/usr/local --with-apxs2=/usr/local/apache/bin/apxs --with-curl=/opt/curlssl/ --with-curl=/opt/curlssl --with-freetype-dir=/usr --with-gd --with-gettext --with-imap=/opt/php_with_imap_client/ --with-imap-ssl=/usr --with-jpeg-dir=/usr --with-kerberos --with-libxml-dir=/opt/xml2/ --with-mcrypt=/opt/libmcrypt/ --with-mysql=/usr --with-mysql-sock=/var/lib/mysql/mysql.sock --with-openssl=/usr --with-openssl-dir=/usr --with-pcre-regex=/opt/pcre --with-pdo-mysql=shared --with-pdo-sqlite=shared --with-png-dir=/usr --with-sqlite=shared --with-ssl=/usr/local/ssl --with-xpm-dir=/usr --with-zlib --with-zlib-dir=/usr CPPFLAGS=-I/usr/local/ssl/include LDFLAGS=-L/usr/local/ssl/lib' failed with exit code '256' !!
!! Restoring original working apache !!
!! Executing '/usr/local/cpanel/scripts/initsslhttpd' !!
!! Restarting 'httpd' ... !!
!! 'httpd' restart complete. !!
Building global cache for cpanel...Done
!! Executing '/usr/local/cpanel/scripts/initfpsuexec' !!
!! Executing '/usr/local/cpanel/scripts/initsslhttpd' !!
!! Executing '/usr/local/cpanel/scripts/update_apachectl' !!
!! Executing '/usr/local/cpanel/scripts/enablefileprotect' !!
!! Verbose logfile is at '/usr/local/cpanel/logs/easy/apache/build.1465491860' !!
I am using the following which works well:
#build custom /opt/openssl
cd /usr/local/src/
wget MYCUSTOMURL/openssl-1.0.1t.tar.gz
# (can't wget from https://www.openssl.org/source/openssl-1.0.1t.tar.gz due to TLSv1.2 being required)
tar -zxf openssl-1.0.1t.tar.gz
cd openssl-1.0.1t
./config shared -fPIC --prefix=/opt/openssl
make && make install
#build custom /opt/curlssl but put original in place until ready to run easyapache (I like to get it all ready ahead of running easyapache)
cd /usr/local/src/
mv /opt/curlssl.orig /opt/curlssl.orig2
wget http://curl.haxx.se/download/curl-7.45.0.tar.gz --no-check-certificate
tar -zxf curl-7.45.0.tar.gz
cd curl-7.45.0
env LDFLAGS=-R/opt/openssl/lib CPPFLAGS=-I/opt/openssl/include ./configure --prefix=/opt/curlssl --with-ssl=/opt/openssl --enable-http --enable-ftp
make
mv /opt/curlssl /opt/curlssl.orig.`date +%F`
make install
mv /opt/curlssl /opt/curlssl.new
mv /opt/curlssl.orig.`date +%F` /opt/curlssl
#make new /opt/curlssl active for easyapache and run it
mv /opt/curlssl /opt/curlssl.orig.`date +%F`
mv /opt/curlssl.new /opt/curlssl
LDFLAGS="-L/opt/openssl/lib" CPPFLAGS="-I/opt/openssl/include" nice -n 18 /scripts/easyapache --build
Hi, I did the above but still have an issue: how do I make sure an SSL library that supports TLS 1.1 and 1.2 is installed and supported by cURL?
> I did the above but still have an issue
Could you provide more details about the specific issue or error message you are facing? Thank you.
> env LDFLAGS=-R/opt/openssl/lib CPPFLAGS=-I/opt/openssl/include ./configure --prefix=/opt/curlssl --with-ssl=/opt
I am trying the above, but on the "env LDFLAGS..." command I receive the error:
checking for gcc... gcc
checking whether the C compiler works... no
configure: error: in `/usr/local/src/curl-7.45.0':
configure: error: C compiler cannot create executables
See `config.log' for more details
I was thinking this was a gcc++ error, but:
Package gcc-c++-4.8.5-4.el7.x86_64 already installed and latest version
Nothing to do
This is on a newly built WHM 56.0.35, CentOS7, Apache 2.4 server. Anyone know how to correct this? Thank you!
> > env LDFLAGS=-R/opt/openssl/lib CPPFLAGS=-I/opt/openssl/include ./configure --prefix=/opt/curlssl --with-ssl=/opt
> I am trying the above, but on the "env LDFLAGS..." command I receive the error:
> checking for gcc... gcc
> checking whether the C compiler works... no
> configure: error: in `/usr/local/src/curl-7.45.0':
> configure: error: C compiler cannot create executables
> See `config.log' for more details
> I was thinking this was a gcc++ error, but:
> Package gcc-c++-4.8.5-4.el7.x86_64 already installed and latest version
> Nothing to do
> This is on a newly built WHM 56.0.35, CentOS7, Apache 2.4 server. Anyone know how to correct this? Thank you!
Why are you attempting this since you are on CentOS 7, which already supports openssl-1.0.1?
> Why are you attempting this since you are on CentOS 7, which already supports openssl-1.0.1?
As I understand it, some of the applications on our server (Magento extensions for credit card processing, etc.) are only working with curl compiled with openssl. The version of curl in CentOS7 is compiled with nss and not openssl, which is causing our curl https requests to fail.
# curl -V
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.19.1 Basic ECC zlib/1.2.7 libidn/1.28 libssh2/1.4.3
# php -i | grep "SSL Version"
SSL Version => OpenSSL/1.0.1e
So I was going to try this method to recompile. The other possibility I am looking into is that the curl (56) reset by peer that is happening (this is a new server we just provisioned and we are testing the payment gateways with their demo URL) could be from the apache global configuration cipher suite not being correct. It is set as the cPanel default at the moment. Thanks for replying!
> As I understand it, some of the applications on our server (Magento extensions for credit card processing, etc.) are only working with curl compiled with openssl. The version of curl in CentOS7 is compiled with nss and not openssl, which is causing our curl https requests to fail.
Check to see if the solution on the following thread would help in this circumstance: "curl_exec error 60 SSL certificate problem: unable to get local issuer certificate". Thank you.
I'm a complete newb trying to update my VPS (CENTOS 6.7 x86_64 / WHM 60.0 (build 28)). I've run into an issue during the 2nd step (install curl). Below is the error I'm getting. Any help would be greatly appreciated.
/usr/bin/ld: warning: libssl.so.1.0.0, needed by ../lib/.libs/libcurl.so, not found (try using -rpath or -rpath-link)
/usr/bin/ld: warning: libcrypto.so.1.0.0, needed by ../lib/.libs/libcurl.so, not found (try using -rpath or -rpath-link)
followed by a list of "../lib/.libs/libcurl.so: undefined reference to" followed by
collect2: ld returned 1 exit status
make[2]: *** [curl] Error 1
make[2]: Leaving directory `/usr/local/src/curl-7.33.0/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/usr/local/src/curl-7.33.0/src'
make: *** [all-recursive] Error 1
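Two comments above hit the same question from different sides: the CentOS 7 poster found the stock curl linked against NSS while PHP's curl extension reported OpenSSL, and the CentOS 6.7 poster's link step could not find libssl.so.1.0.0 at all. As an added example (mine, not from any commenter or from cPanel), this POSIX shell script turns those three checks (`curl -V`, `php -i | grep "SSL Version"`, and `ldd` resolution of libssl) into one report that says which library each component is really using and whether it is new enough for TLS 1.2. The /opt/curlssl and /usr/local/ssl paths are the thread's; the sample lines are constructed from the outputs quoted above.

```shell
#!/bin/sh
# Added example, not part of the thread: report which TLS library a curl
# binary or PHP's curl extension is linked against and whether it can speak
# TLS 1.2 (OpenSSL 1.0.1 or newer). Paths are the thread's /opt/curlssl and
# /usr/local/ssl; the sample lines below are constructed from outputs quoted
# in the comments above.

CURL_BIN=/opt/curlssl/bin/curl

# Constructed samples: `curl -V` first lines, php -i's SSL line, ldd lines.
CURL_V_NSS='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.19.1 Basic ECC zlib/1.2.7 libidn/1.28 libssh2/1.4.3'
CURL_V_OPENSSL='curl 7.33.0 (x86_64-unknown-linux-gnu) libcurl/7.33.0 OpenSSL/1.0.1e zlib/1.2.3'
PHP_SSL_LINE='SSL Version => OpenSSL/1.0.1e'
LDD_OK='libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f1e2c000000)'
LDD_MISSING='libssl.so.1.0.0 => not found'

# tls_backend "LINE": print the library token (OpenSSL/1.0.1e, NSS/3.19.1 ...)
# found on a `curl -V` first line or a php -i "SSL Version" line.
tls_backend() {
    for tok in $1; do
        case "$tok" in
            OpenSSL/*|LibreSSL/*|NSS/*|GnuTLS/*|wolfSSL/*|BoringSSL*|SecureTransport|Schannel)
                echo "$tok"; return 0 ;;
        esac
    done
    echo unknown
}

# openssl_has_tls12 "OpenSSL/x.y.z[letter]": exit 0 when x.y.z is 1.0.1 or later.
openssl_has_tls12() (
    v=${1#OpenSSL/}
    IFS=.; set -- $v; IFS=' '
    major=${1:-0}; minor=${2:-0}; patch=${3%%[!0-9]*}; patch=${patch:-0}
    case "$major$minor$patch" in *[!0-9]*) exit 1 ;; esac   # not a version string
    [ "$major" -gt 1 ] && exit 0
    [ "$major" -eq 1 ] && { [ "$minor" -gt 0 ] || [ "$patch" -ge 1 ]; }
)

# backend_verdict "LINE": one-word summary used by the report below.
backend_verdict() {
    b=$(tls_backend "$1")
    case "$b" in
        OpenSSL/*) if openssl_has_tls12 "$b"; then echo openssl-tls12; else echo openssl-too-old; fi ;;
        NSS/*)     echo nss ;;       # e.g. stock CentOS 7 curl: not an OpenSSL build at all
        unknown)   echo unknown ;;
        *)         echo other ;;
    esac
}

# ldd_ssl_target "LDD LINE": the path the loader resolved libssl/libcrypto to,
# or "not found" (the state behind the -rpath warning quoted above).
ldd_ssl_target() {
    rest=${1#*=> }
    echo "${rest%% (*}"
}

# Report: live data when this thread's /opt/curlssl exists, samples otherwise.
if [ -x "$CURL_BIN" ]; then
    first=$("$CURL_BIN" -V 2>/dev/null | { IFS= read -r l; echo "$l"; })
    echo "$CURL_BIN: $(tls_backend "$first") -> $(backend_verdict "$first")"
    ldd "$CURL_BIN" 2>/dev/null | while IFS= read -r l; do
        case "$l" in *libssl*|*libcrypto*) echo "  ${l%% *} -> $(ldd_ssl_target "$l")" ;; esac
    done
else
    echo "$CURL_BIN not present; reporting on constructed samples"
    echo "  system curl:    $(backend_verdict "$CURL_V_NSS")"
    echo "  /opt/curlssl:   $(backend_verdict "$CURL_V_OPENSSL")"
    echo "  php curl ext:   $(backend_verdict "$PHP_SSL_LINE")"
    echo "  libssl via ldd: $(ldd_ssl_target "$LDD_MISSING")"
fi
```

A verdict of "nss" means the binary is not an OpenSSL build at all, so nothing in /usr/local/ssl affects it; "openssl-too-old" means an OpenSSL build that predates 1.0.1 and therefore cannot negotiate TLS 1.2 whatever the Apache include says; and a libssl line resolving to "not found" (or to the system copy under /usr/lib64 rather than /usr/local/ssl/lib) is the link-path problem that the quoted ld warning reports, which is why the later procedure in this thread passes the library directory through LDFLAGS when configuring curl.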
> Hello :) Thank you for sharing this workaround. Please note that user-submitted workarounds are not tested or supported by cPanel. We encourage everyone to review all aspects of workarounds before implementing them on a production server. Note: I also added a redirect to this thread from the "Security" forum, as this thread may be of interest to users browsing that forum. Thank you.
Can you tell me how to upgrade curl in cPanel?
> I am using the following which works well:
> #build custom /opt/openssl
> cd /usr/local/src/
> wget MYCUSTOMURL/openssl-1.0.1t.tar.gz
> # (can't wget from https://www.openssl.org/source/openssl-1.0.1t.tar.gz due to TLSv1.2 being required)
> tar -zxf openssl-1.0.1t.tar.gz
> cd openssl-1.0.1t
> ./config shared -fPIC --prefix=/opt/openssl
> make && make install
> #build custom /opt/curlssl but put original in place until ready to run easyapache (I like to get it all ready ahead of running easyapache)
> cd /usr/local/src/
> mv /opt/curlssl.orig /opt/curlssl.orig2
> wget http://curl.haxx.se/download/curl-7.45.0.tar.gz --no-check-certificate
> tar -zxf curl-7.45.0.tar.gz
> cd curl-7.45.0
> env LDFLAGS=-R/opt/openssl/lib CPPFLAGS=-I/opt/openssl/include ./configure --prefix=/opt/curlssl --with-ssl=/opt/openssl --enable-http --enable-ftp
> make
> mv /opt/curlssl /opt/curlssl.orig.`date +%F`
> make install
> mv /opt/curlssl /opt/curlssl.new
> mv /opt/curlssl.orig.`date +%F` /opt/curlssl
> #make new /opt/curlssl active for easyapache and run it
> mv /opt/curlssl /opt/curlssl.orig.`date +%F`
> mv /opt/curlssl.new /opt/curlssl
> LDFLAGS="-L/opt/openssl/lib" CPPFLAGS="-I/opt/openssl/include" nice -n 18 /scripts/easyapache --build
Thank you for this! I was trying to use the Stripe Payment Gateway for WHMCS and had been pulling my hair out. Your solution worked for me perfectly. Several payment processors, like Stripe and Braintree, are now only accepting TLS v1.2 connections, so this is a huge relief!
Stripe: "Upgrading to SHA-2 and TLS 1.2"
Braintree (PayPal): "Updating Your Production Environment to Support TLSv1.2"
Cheers!
====
CENTOS 6.8 x86_64 virtuozzo WHM 60.0 (build 34)