cPanel and OpenSSL 1.0.1c (or higher)

alphawolf50

Well-Known Member
Apr 28, 2011
186
2
68
cPanel Access Level
Root Administrator
CentOS/RHEL versions 5.x and 6.x are stuck on OpenSSL versions 0.9.8e and 1.0.0, respectively. That means cPanels servers on these operating systems can't support TLS 1.1 or TLS 1.2. For those of us stuck at TLS 1.0, the only course of action to prevent the BEAST attack has been to force users to use RC4. However, RC4 is now officially broken (https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what). Sooo... what now?

Is there any chance cPanel can start shipping their own OpenSSL, or having EasyApache build against a more recent version? On a non-cPanel CentOS 6.4 machine, I've successfully updated OpenSSL to 1.0.1c using this:
https://www.axivo.com/community/threads/upgrade-to-openssl-1-0-1-in-centos.180
HOWEVER! This is not valid for a cPanel server (based in the info that site's forums).

There are a lot of other great reasons to upgrade to OpenSSL >=1.0.1.c... such as SNI support, OCSP stapling, elliptic curve cryptography...

I'll make this a feature request if need-be... I just wanted to find out if it was technically feasible for cPanel to ship their own OpenSSL (or other library) to allow the vast majority of their users (assumption) access to TLS 1.1 and 1.2.
 
Last edited:

InterServed

Well-Known Member
Jul 10, 2007
266
8
68
cPanel Access Level
DataCenter Provider
Another way to get latest 1.0.1e: /http://tech.fawk.eu/233/

The IUS repo do provide their own yum-replace technique which might make things easier. Note that i have not tested this YET , but i do plan to install a test-server/trial cpanel and in order to test and validate that openssl upgrade will work smoothly.
 

alphawolf50

Well-Known Member
Apr 28, 2011
186
2
68
cPanel Access Level
Root Administrator
Let me know how that goes once you've tested it :)

I'd still like to know if this is something cPanel could do. It would be a much "cleaner" way to upgrade a huge portion of the web to TLS 1.1+.
 

InterServed

Well-Known Member
Jul 10, 2007
266
8
68
cPanel Access Level
DataCenter Provider
Hi,

I have just tested to install a fresh copy of cPanel on a test machine and will attempt the openssl upgrade. Should return with results in average 1-2 hours.
 

InterServed

Well-Known Member
Jul 10, 2007
266
8
68
cPanel Access Level
DataCenter Provider
Hello again,

As promised , i have returned with results of the tests carried so far:

1) Fresh cPanel installed (11.36.0.18) on CentOS 6.4
2) Install required repository/tools (links are for CentOS 6 , you will need to edit them if you have a different OS)
Code:
wget http://dl.iuscommunity.org/pub/ius/stable/CentOS/6/x86_64/ius-release-1.0-11.ius.centos6.noarch.rpm
wget http://dl.iuscommunity.org/pub/ius/stable/CentOS/6/x86_64/epel-release-6-5.noarch.rpm
wget http://dl.iuscommunity.org/pub/ius/stable/CentOS/6/x86_64/yum-plugin-replace-0.2.5-1.ius.centos6.noarch.rpm
rpm -Uvh ius-release-1.0-10.ius.centos6.noarch.rpm epel-release-6-5.noarch.rpm yum-plugin-replace-0.2.5-1.ius.centos6.noarch.rpm
3) Replace/upgrade openssl (you will be prompted with a warning about some dependencies but you can press y to continue
Code:
yum replace openssl --replace-with=openssl10
4) Add openssl* to /etc/yum.conf exclude line. It should look like this (if you don't add openssl* to yum exclude then easyapache will not work:
Code:
exclude=apache* bind-chroot courier* dovecot* exim* filesystem httpd* mod_ssl* mydns* mysql* nsd* php* proftpd* pure-ftpd* ruby* spamassassin* squirrelmail* [COLOR="#FF0000"]openssl*[/COLOR]
5) Rebuild Apache/php with EasyApache from WHM.
6) Everything should be done and working. For your convenience i also created a test account to provide public access to a phpinfo page on the system that i performed the openssl upgrade:
Code:
http://openssl.interserved.com/phpinfo.php]/http://openssl.interserved.com/phpinfo.php
As you can see on the phpinfo page , the openssl version is 1.0.1e

Results from command line:
Code:
[[email protected] ~]# openssl version
OpenSSL 1.0.1e 11 Feb 2013

[[email protected] ~]# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e 11 Feb 2013

[[email protected] ~]# rpm -qa|grep openssl
openssl10-libs-1.0.1e-1.ius.el6.x86_64
openssl10-devel-1.0.1e-1.ius.el6.x86_64
openssl10-1.0.1e-1.ius.el6.x86_64

[[email protected] ~]# openssl ciphers
DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-DES-CBC3-MD5:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:KRB5-IDEA-CBC-SHA:KRB5-IDEA-CBC-MD5:RC4-SHA:RC4-MD5:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:KRB5-DES-CBC-SHA:KRB5-DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-KRB5-RC4-MD5
P.S. I'm not responsible for any damage this operations may cause if you chose to fallow them. This test was only performed once and i cannot make any guarantees. I will continue to monitor it's health and conduct more tests.

Update1:
[SSL Labs test]: https://www.ssllabs.com/ssltest/analyze.html?d=openssl.interserved.com
Apache Cipher used:
Code:
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-SHA384:!AES:!AES256-SHA256:!AES256-SHA256:RC4:HIGH:!MD5:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM:!DES-CBC3-SHA
 
Last edited:
  • Like
Reactions: SageBrian

alphawolf50

Well-Known Member
Apr 28, 2011
186
2
68
cPanel Access Level
Root Administrator
That is fantastic! Awesome! Thank you for following up with your results! Now that you've proven it's technically possible... it would be reeeaaallly nice if cPanel would just update OpenSSL for us... say, for WHM 11.40? :D I think I'll add a feature request... I'll post the link here later for visibility.
 

InterServed

Well-Known Member
Jul 10, 2007
266
8
68
cPanel Access Level
DataCenter Provider
You're more than welcome. Hopefully cPanel will also look into this , carry more tests and maybe offer us this feature.
I haven't experience any problems so far with the openssl upgrade. I will keep doing tests and keep the testing machine alive until the cPanel trial license will expire or maybe cPanel will offer a developer license :)
 

alphawolf50

Well-Known Member
Apr 28, 2011
186
2
68
cPanel Access Level
Root Administrator
Apparently I'm out of votes and i cannot vote it yet. Thanks for creating the feature request !
Yeah, I had to "rethink" a vote :)

You're very welcome. Creating the feature request was easy... you did the hard work of actually testing it! I'm considering setting up cPanel on CentOS 5 in a VM and testing that OS too. Couldn't hurt to give them more data :)
 

InterServed

Well-Known Member
Jul 10, 2007
266
8
68
cPanel Access Level
DataCenter Provider
Did more tests:
- Tested upgrade from Apache 2.2 to 2.4 (works without problems)
- Tested upgrade to the latest not-released cPanel 11.37 (works without problems)
 

Robert Simpson

Registered
Jun 8, 2012
4
0
51
cPanel Access Level
Root Administrator
Hi InterServed, looks like your RPM links are 404 :(

You don't have up to date URLs do you?


Cheers,
Robert

UPDATE: Turns out it was only the first link and the file had been updated to a new version and that was reflected in the URL, which is now /http://dl.iuscommunity.org/pub/ius/stable/CentOS/6/x86_64/ius-release-1.0-11.ius.centos6.noarch.rpm
 
Last edited:

InterServed

Well-Known Member
Jul 10, 2007
266
8
68
cPanel Access Level
DataCenter Provider
Hi,

Sorry for not tracking the URL , i just tried to edit my post but it's not allowed anymore. Maybe a cPanel mod could edit the bad url to the fixed one you provided. Hope my little guide will help you accomplish the openssl upgrade.

- - - Updated - - -

Forgot to mention that i use the following cipher now:
Code:
AES256-GCM-SHA384:RC4+SHA:DHE-RSA-CAMELLIA256-SHA
 

InterServed

Well-Known Member
Jul 10, 2007
266
8
68
cPanel Access Level
DataCenter Provider
Hello,

After testing this for an average 3 months on a test-lab , i finally deployed this on production servers as we never encountered any issues.
Qualys SSL Labs test over one of our production servers (PCI Compliant):
/https://www.ssllabs.com/ssltest/analyze.html?d=interserved.com
 
Last edited:

InterServed

Well-Known Member
Jul 10, 2007
266
8
68
cPanel Access Level
DataCenter Provider
Update:
I've just managed to also get Forward Secrecy with modern browsers. This required a manual rpm build of openssl as rhel/centos/cloudlinux supplied openssl doesn't provide ECDHE ciphers support.

Required: Apache 2.4 , OpenSSL configured with ECDHE support.
Used cipher configuration:
Code:
SSLProtocol all -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!NULL:!eNULL:!aNULL:!DSS:-LOW:RSA+RC4+SHA
test results: /https://www.ssllabs.com/ssltest/analyze.html?d=interserved.com
 
Last edited:

wired420

Active Member
Nov 17, 2005
35
2
158
I've created a much safer guide for doing this. It won't mess with any system files, so other things compiled against the 0.9.x libraries won't break. Also easily removed. Anyone still looking to do it should check into it. Adding extra repos always makes me nervous.

I did temporarily use your method in testing of server performance on a freshly created cloud instance in creating my method though.

Using TLS 1.2 with cPanel/Apache 2.4 without modifying system files.
 
Last edited:

InterServed

Well-Known Member
Jul 10, 2007
266
8
68
cPanel Access Level
DataCenter Provider
Hi,

I had the same idea at start in mind. Tho my personal option was/is to use in-house built rpms. I did extensive tests and there was nothing to break. But your method is also very welcome as other's have more choices. The rpm-way , you wont require to make any row_opts changes to php/apache , just a rebuild.

Code:
[email protected] [~]# rpm -qa|grep openssl
openssl10-devel-1.0.1e-2.interserved.el6.x86_64
openssl10-1.0.1e-2.interserved.el6.x86_64
openssl10-perl-1.0.1e-2.interserved.el6.x86_64
openssl10-static-1.0.1e-2.interserved.el6.x86_64
openssl10-libs-1.0.1e-2.interserved.el6.x86_64
Also note that there are other services than apache that will use openssl. Such as cpanel secure ports. With your method , those services won't have any effect as they will still rely on system openssl (i didn't test it but that's what i think).

Comparison example between your host/method and the one i use:
Code:
[email protected] [~]# openssl s_client -no_tls1 -no_ssl3 -connect rootswitch.com:465
CONNECTED(00000003)
139897327085384:error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol:s23_clnt.c:714:
Code:
[email protected] [~]# openssl s_client -no_tls1 -no_ssl3 -connect interserved.com:465
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = 4qNSjEDMFEcWpxAOnUdBDxQxSOviu5QI, OU = GT61253598, OU = See www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated - RapidSSL(R), CN = nlsrv1.interserved.com
verify return:1
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
For the moment i only built rpms for el6-x86_64. If you or anyone else want to test them i can provide them.
 
Last edited:

DamienWebb

Member
Nov 4, 2013
9
0
1
cPanel Access Level
Root Administrator
This is really great.

I am deploying OpenSSH 5.7, and upgrade my OpenSSL as well per your quick tutorial. It's really a no-brainer for cPanel to step up and make these changes that everyone critically needs.

Thank you for taking the time and posting this InterServed .