[Case 87477] Unable to implement PF due to obsolete cpsrvd-ssl and stunnel

bytebeam

Registered
Sep 23, 2013
cPanel Access Level
Website Owner
System: CentOS 6.5 x86_64 in a Virtuozzo VPS, WHM 11.40.1 (build 9)

CentOS 6.5 finally upgraded OpenSSL to version 1.0.1e, which makes it possible to use cipher suites that implement Forward Secrecy in SSL connections.

We did not encounter any problem implementing FS in Apache and the web hosting. However, the WHM service on port 2087 and the cPanel services on ports 2083 and 2096 don't take advantage of the new ciphers regardless of appropriate settings in the cPanel Web Services Configuration cipher field.

According to our checks, upgrading some old SSL-related Perl modules does not change cpsrvd-ssl behavior. There is also no source code we can study since cpsrvd-ssl seems to be distributed only in binary form.

As a temporary replacement solution, we then attempted to use stunnel, and realised that version 4.29 as provided by default on CentOS 6.5 is also severely outdated, since the latest stunnel version is 4.56. We then compiled stunnel sources with the same settings as the vendor-supplied specs.

To our surprise, every custom compiled stunnel binary dies with an "out of memory" message after the first few SSL connections, regardless of the stunnel version (we attempted to compile 4.29, 4.53, 4.55 and 4.56). No errors are thrown during compilation/linking, and all dependencies seem to be satisfied.

At this stage, we don't know where to investigate further. Has anyone managed to get ECC ciphers working with cPanel's native SSL on CentOS? Has anyone managed to compile or install a functional stunnel version higher than the stock 4.29?

Any suggestion would be much appreciated...

Thank you all.
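One way to verify the symptom described in the post above from a client machine, added here as an example and not part of the original thread or of any cPanel code: offer only ephemeral (EC)DHE suites to each service port and see whether the handshake completes. The function names and the host `server.example.com` are placeholders chosen for this sketch.

```python
import socket
import ssl

# Ports named in the post: WHM (2087) and the cPanel services (2083, 2096).
PORTS = (2083, 2087, 2096)

def is_forward_secret(cipher_name):
    """True for OpenSSL suite names that use ephemeral (EC)DH key exchange."""
    # TLS 1.3 names ("TLS_...") are counted too: a full TLS 1.3 handshake
    # always uses (EC)DHE. Static "ECDH-" and plain RSA suites do not match.
    return cipher_name.startswith(("ECDHE-", "DHE-", "EDH-", "TLS_"))

def fs_only_context():
    """Client context that offers only authenticated ephemeral-DH suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Audit only: certificate checks are off so self-signed service
    # certificates do not mask the cipher result. Not for production clients.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Cap at TLS 1.2 so the OpenSSL cipher string below governs the offer.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("kEECDH:kEDH:!aNULL")
    return ctx

def probe(host, port, timeout=5.0):
    """Return the negotiated suite name, or None if the handshake fails."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with fs_only_context().wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except ssl.SSLError:
        # With an FS-only offer, a handshake failure usually means the
        # service has no forward-secret suite in common with the client.
        return None

if __name__ == "__main__":
    host = "server.example.com"  # placeholder, replace with your own server
    for port in PORTS:
        try:
            suite = probe(host, port)
        except OSError as exc:  # refused, timed out, DNS failure
            print(f"{port}: connection error: {exc}")
            continue
        print(f"{port}: {suite or 'no forward-secret suite negotiated'}")
```

A recent OpenSSL build on the client may also refuse very old protocol versions by default, so a `None` result should be confirmed against the protocol versions the service supports.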
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

Internal case number 87477 is open to address this issue. There is currently no specific time frame available for a resolution or workaround. I will update this thread with more information as it becomes available.

Thank you.