cPanel and OpenSSL 1.0.1c (or higher)

[alphawolf50]

CentOS/RHEL versions 5.x and 6.x are stuck on OpenSSL versions 0.9.8e and 1.0.0, respectively. That means cPanels servers on these operating systems can't support TLS 1.1 or TLS 1.2. For those of us stuck at TLS 1.0, the only course of action to prevent the BEAST attack has been to force users to use RC4. However, RC4 is now officially broken (https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what). Sooo... what now?

Is there any chance cPanel can start shipping their own OpenSSL, or having EasyApache build against a more recent version? On a non-cPanel CentOS 6.4 machine, I've successfully updated OpenSSL to 1.0.1c using this:
https://www.axivo.com/community/threads/upgrade-to-openssl-1-0-1-in-centos.180
HOWEVER! This is not valid for a cPanel server (based in the info that site's forums).

There are a lot of other great reasons to upgrade to OpenSSL >=1.0.1.c... such as SNI support, OCSP stapling, elliptic curve cryptography...

I'll make this a feature request if need-be... I just wanted to find out if it was technically feasible for cPanel to ship their own OpenSSL (or other library) to allow the vast majority of their users (assumption) access to TLS 1.1 and 1.2.

 

[InterServed]

Another way to get latest 1.0.1e: /http://tech.fawk.eu/233/

The IUS repo do provide their own yum-replace technique which might make things easier. Note that i have not tested this YET , but i do plan to install a test-server/trial cpanel and in order to test and validate that openssl upgrade will work smoothly.

 

[alphawolf50]

Let me know how that goes once you've tested it

I'd still like to know if this is something cPanel could do. It would be a much "cleaner" way to upgrade a huge portion of the web to TLS 1.1+.

 

[InterServed]

Hi,

I have just tested to install a fresh copy of cPanel on a test machine and will attempt the openssl upgrade. Should return with results in average 1-2 hours.

 

[InterServed]

Hello again,

As promised , i have returned with results of the tests carried so far:

1) Fresh cPanel installed (11.36.0.18) on CentOS 6.4
2) Install required repository/tools (links are for CentOS 6 , you will need to edit them if you have a different OS)

wget http://dl.iuscommunity.org/pub/ius/stable/CentOS/6/x86_64/ius-release-1.0-11.ius.centos6.noarch.rpm
wget http://dl.iuscommunity.org/pub/ius/stable/CentOS/6/x86_64/epel-release-6-5.noarch.rpm
wget http://dl.iuscommunity.org/pub/ius/stable/CentOS/6/x86_64/yum-plugin-replace-0.2.5-1.ius.centos6.noarch.rpm
rpm -Uvh ius-release-1.0-10.ius.centos6.noarch.rpm epel-release-6-5.noarch.rpm yum-plugin-replace-0.2.5-1.ius.centos6.noarch.rpm

3) Replace/upgrade openssl (you will be prompted with a warning about some dependencies but you can press y to continue

yum replace openssl --replace-with=openssl10

4) Add openssl* to /etc/yum.conf exclude line. It should look like this (if you don't add openssl* to yum exclude then easyapache will not work:

exclude=apache* bind-chroot courier* dovecot* exim* filesystem httpd* mod_ssl* mydns* mysql* nsd* php* proftpd* pure-ftpd* ruby* spamassassin* squirrelmail* [COLOR="#FF0000"]openssl*[/COLOR]

5) Rebuild Apache/php with EasyApache from WHM.
6) Everything should be done and working. For your convenience i also created a test account to provide public access to a phpinfo page on the system that i performed the openssl upgrade:

http://openssl.interserved.com/phpinfo.php]/http://openssl.interserved.com/phpinfo.php

As you can see on the phpinfo page , the openssl version is 1.0.1e

Results from command line:

[root@testlab ~]# openssl version
OpenSSL 1.0.1e 11 Feb 2013

[root@testlab ~]# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e 11 Feb 2013

[root@testlab ~]# rpm -qa|grep openssl
openssl10-libs-1.0.1e-1.ius.el6.x86_64
openssl10-devel-1.0.1e-1.ius.el6.x86_64
openssl10-1.0.1e-1.ius.el6.x86_64

[root@testlab ~]# openssl ciphers
DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-DES-CBC3-MD5:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:KRB5-IDEA-CBC-SHA:KRB5-IDEA-CBC-MD5:RC4-SHA:RC4-MD5:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:KRB5-DES-CBC-SHA:KRB5-DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-KRB5-RC4-MD5

P.S. I'm not responsible for any damage this operations may cause if you chose to fallow them. This test was only performed once and i cannot make any guarantees. I will continue to monitor it's health and conduct more tests.

Update1:
[SSL Labs test]: https://www.ssllabs.com/ssltest/analyze.html?d=openssl.interserved.com
Apache Cipher used:

SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-SHA384:!AES:!AES256-SHA256:!AES256-SHA256:RC4:HIGH:!MD5:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM:!DES-CBC3-SHA

 

[alphawolf50]

That is fantastic! Awesome! Thank you for following up with your results! Now that you've proven it's technically possible... it would be reeeaaallly nice if cPanel would just update OpenSSL for us... say, for WHM 11.40? :D I think I'll add a feature request... I'll post the link here later for visibility.

 

[InterServed]

You're more than welcome. Hopefully cPanel will also look into this , carry more tests and maybe offer us this feature.
I haven't experience any problems so far with the openssl upgrade. I will keep doing tests and keep the testing machine alive until the cPanel trial license will expire or maybe cPanel will offer a developer license

 

[alphawolf50]

As promised, here is the feature request. Please vote yes everyone!

Provide OpenSSL 1.0.1c or Higher as cPanel RPM, to allow TLS 1.1, TLS 1.2 | cPanel Feature Requests

 

[InterServed]

Apparently I'm out of votes and i cannot vote it yet. Thanks for creating the feature request !

 

[alphawolf50]

Apparently I'm out of votes and i cannot vote it yet. Thanks for creating the feature request !

Yeah, I had to "rethink" a vote

You're very welcome. Creating the feature request was easy... you did the hard work of actually testing it! I'm considering setting up cPanel on CentOS 5 in a VM and testing that OS too. Couldn't hurt to give them more data

 

[InterServed]

Did more tests:
- Tested upgrade from Apache 2.2 to 2.4 (works without problems)
- Tested upgrade to the latest not-released cPanel 11.37 (works without problems)

 

[Robert Simpson]

Hi InterServed, looks like your RPM links are 404

You don't have up to date URLs do you?


Cheers,
Robert

UPDATE: Turns out it was only the first link and the file had been updated to a new version and that was reflected in the URL, which is now /http://dl.iuscommunity.org/pub/ius/stable/CentOS/6/x86_64/ius-release-1.0-11.ius.centos6.noarch.rpm

 

[InterServed]

Hi,

Sorry for not tracking the URL , i just tried to edit my post but it's not allowed anymore. Maybe a cPanel mod could edit the bad url to the fixed one you provided. Hope my little guide will help you accomplish the openssl upgrade.

- - - Updated - - -

Forgot to mention that i use the following cipher now:

AES256-GCM-SHA384:RC4+SHA:DHE-RSA-CAMELLIA256-SHA

 

[InterServed]

Hello,

After testing this for an average 3 months on a test-lab , i finally deployed this on production servers as we never encountered any issues.
Qualys SSL Labs test over one of our production servers (PCI Compliant):
/https://www.ssllabs.com/ssltest/analyze.html?d=interserved.com

 

[dualmonitor]

Great thread! Thanks for the hard work on this. I voted for the Feature Request.

 

[InterServed]

Update:
I've just managed to also get Forward Secrecy with modern browsers. This required a manual rpm build of openssl as rhel/centos/cloudlinux supplied openssl doesn't provide ECDHE ciphers support.

Required: Apache 2.4 , OpenSSL configured with ECDHE support.
Used cipher configuration:

SSLProtocol all -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!NULL:!eNULL:!aNULL:!DSS:-LOW:RSA+RC4+SHA

test results: /https://www.ssllabs.com/ssltest/analyze.html?d=interserved.com

 

[wired420]

I've created a much safer guide for doing this. It won't mess with any system files, so other things compiled against the 0.9.x libraries won't break. Also easily removed. Anyone still looking to do it should check into it. Adding extra repos always makes me nervous.

I did temporarily use your method in testing of server performance on a freshly created cloud instance in creating my method though.

Using TLS 1.2 with cPanel/Apache 2.4 without modifying system files.

 

[InterServed]

Hi,

I had the same idea at start in mind. Tho my personal option was/is to use in-house built rpms. I did extensive tests and there was nothing to break. But your method is also very welcome as other's have more choices. The rpm-way , you wont require to make any row_opts changes to php/apache , just a rebuild.

root@nlsrv1 [~]# rpm -qa|grep openssl
openssl10-devel-1.0.1e-2.interserved.el6.x86_64
openssl10-1.0.1e-2.interserved.el6.x86_64
openssl10-perl-1.0.1e-2.interserved.el6.x86_64
openssl10-static-1.0.1e-2.interserved.el6.x86_64
openssl10-libs-1.0.1e-2.interserved.el6.x86_64

Also note that there are other services than apache that will use openssl. Such as cpanel secure ports. With your method , those services won't have any effect as they will still rely on system openssl (i didn't test it but that's what i think).

Comparison example between your host/method and the one i use:

root@nlsrv1 [~]# openssl s_client -no_tls1 -no_ssl3 -connect rootswitch.com:465
CONNECTED(00000003)
139897327085384:error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol:s23_clnt.c:714:

root@nlsrv1 [~]# openssl s_client -no_tls1 -no_ssl3 -connect interserved.com:465
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = 4qNSjEDMFEcWpxAOnUdBDxQxSOviu5QI, OU = GT61253598, OU = See www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated - RapidSSL(R), CN = nlsrv1.interserved.com
verify return:1
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384

For the moment i only built rpms for el6-x86_64. If you or anyone else want to test them i can provide them.

 

[DamienWebb]

This is really great.

I am deploying OpenSSH 5.7, and upgrade my OpenSSL as well per your quick tutorial. It's really a no-brainer for cPanel to step up and make these changes that everyone critically needs.

Thank you for taking the time and posting this InterServed .

 

[InterServed]

Update: It seems that RHEL 6.5 provides openssl 1.0.1e: /http://rhn.redhat.com/errata/RHBA-2013-1751.html