The Community Forums


[Case 87477] Unable to implement PF due to obsolete cpsrvd-ssl and stunnel

Discussion in 'Security' started by bytebeam, Jan 12, 2014.

  1. bytebeam

    bytebeam Registered

    Sep 23, 2013
    cPanel Access Level:
    Website Owner
    System: CentOS 6.5 x86_64 in Virtuozzo VPS, WHM 11.40.1 (build 9)

    CentOS 6.5 finally upgraded OpenSSL to version 1.0.1e, offering cipher suites that make it possible to implement Forward Secrecy in SSL connections.

    We did not encounter any problem implementing FS in Apache and the web hosting. However, the WHM service on port 2087 and the cPanel services on ports 2083 and 2096 don't take advantage of the new ciphers regardless of appropriate settings in the cPanel Web Services Configuration cipher field.

    According to our checks, upgrading some old SSL-related Perl modules does not change cpsrvd-ssl behavior. There is also no source code we can study since cpsrvd-ssl seems to be distributed only in binary form.

    As a temporary replacement solution, we then attempted to use stunnel, and realised that version 4.29 as provided by default on CentOS 6.5 is also severely outdated, since the latest stunnel version is 4.56. We then compiled stunnel sources with the same settings as the vendor-supplied specs.

    To our surprise, every custom compiled stunnel binary dies with an "out of memory" message after the first few SSL connections, regardless of the stunnel version (we attempted to compile 4.29, 4.53, 4.55 and 4.56). No errors are thrown during compilation/linking, and all dependencies seem to be satisfied.

    At this stage, we don't know where to investigate further. Has anyone managed to get ECC ciphers working with cPanel's native SSL on CentOS? Has anyone managed to compile or install a functional stunnel version higher than the stock 4.29?

    Any suggestion would be much appreciated...

    Thank you all.
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Apr 11, 2011
    cPanel Access Level:
    Root Administrator
    Hello :)

    Internal case number 87477 is open to address this issue. There is currently no specific time frame available for a resolution or workaround. I will update this thread with more information as it becomes available.

    Thank you.
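
The check described in the first post (whether the services on ports 2083, 2087 and 2096 actually negotiate forward-secret suites) can be scripted as below; this is an added example, not part of the original thread and not cPanel code. The function names and the `probe` parameter are assumptions made here for illustration.

```python
import socket
import ssl

# Key-exchange prefixes of authenticated ephemeral suites in OpenSSL naming
# (TLS 1.2 and earlier), e.g. ECDHE-RSA-AES256-GCM-SHA384.
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def is_forward_secret(cipher_name, protocol=""):
    """Classify a negotiated suite by its OpenSSL name and protocol."""
    if protocol == "TLSv1.3" or cipher_name.startswith("TLS_"):
        return True  # every TLS 1.3 suite uses an ephemeral key exchange
    return cipher_name.startswith(FS_PREFIXES)


def negotiated_suite(host, port, ciphers=None, timeout=5.0):
    """Handshake with host:port; return (cipher, protocol) or None on failure."""
    ctx = ssl.create_default_context()
    # Audit probe only: certificate checks are off because these service
    # ports often present self-signed certificates.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if ciphers:
        ctx.set_ciphers(ciphers)  # restricts the TLS <= 1.2 offer
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, protocol, _bits = tls.cipher()
                return name, protocol
    except (ssl.SSLError, OSError):
        return None


def audit(host, ports=(2083, 2087, 2096), probe=negotiated_suite):
    """Per port: the server's default pick, and whether an FS-only offer works."""
    report = {}
    for port in ports:
        default = probe(host, port)
        fs_only = probe(host, port, "EECDH:EDH")  # authenticated ECDHE/DHE only
        report[port] = {
            "default_suite": default[0] if default else None,
            "default_is_fs": bool(default and is_forward_secret(*default)),
            "fs_supported": bool(fs_only and is_forward_secret(*fs_only)),
        }
    return report
```

A port where `fs_supported` is true but `default_is_fs` is false has the suites available but prefers a non-ephemeral one, which points at cipher ordering rather than a missing library feature.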
