
cPanel and OpenSSL 1.0.1c (or higher)

Discussion in 'Security' started by alphawolf50, Mar 20, 2013.

  1. alphawolf50

    alphawolf50 Well-Known Member

    Joined:
    Apr 28, 2011
    Messages:
    186
    Likes Received:
    2
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    CentOS/RHEL versions 5.x and 6.x are stuck on OpenSSL versions 0.9.8e and 1.0.0, respectively. That means cPanel servers on these operating systems can't support TLS 1.1 or TLS 1.2. For those of us stuck at TLS 1.0, the only course of action to prevent the BEAST attack has been to force users to use RC4. However, RC4 is now officially broken (https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what). Sooo... what now?

    Is there any chance cPanel can start shipping their own OpenSSL, or having EasyApache build against a more recent version? On a non-cPanel CentOS 6.4 machine, I've successfully updated OpenSSL to 1.0.1c using this:
    https://www.axivo.com/community/threads/upgrade-to-openssl-1-0-1-in-centos.180
    HOWEVER! This is not valid for a cPanel server (based on the info in that site's forums).

    There are a lot of other great reasons to upgrade to OpenSSL >= 1.0.1c... such as SNI support, OCSP stapling, elliptic curve cryptography...

    I'll make this a feature request if need-be... I just wanted to find out if it was technically feasible for cPanel to ship their own OpenSSL (or other library) to allow the vast majority of their users (assumption) access to TLS 1.1 and 1.2.
     
    #1 alphawolf50, Mar 20, 2013
    Last edited: Mar 20, 2013
  2. InterServed

    InterServed Well-Known Member

    Joined:
    Jul 10, 2007
    Messages:
    255
    Likes Received:
    2
    Trophy Points:
    18
    cPanel Access Level:
    DataCenter Provider
    Another way to get the latest 1.0.1e: http://tech.fawk.eu/233/

    The IUS repo does provide its own yum-replace technique, which might make things easier. Note that I have not tested this YET, but I do plan to install a test server / trial cPanel in order to test and validate that the openssl upgrade works smoothly.
     
  3. alphawolf50

    Let me know how that goes once you've tested it :)

    I'd still like to know if this is something cPanel could do. It would be a much "cleaner" way to upgrade a huge portion of the web to TLS 1.1+.
     
  4. InterServed

    Hi,

    I have just installed a fresh copy of cPanel on a test machine and will attempt the openssl upgrade. Should return with results in 1-2 hours on average.
     
  5. InterServed

    Hello again,

    As promised, I have returned with the results of the tests carried out so far:

    1) Fresh cPanel installed (11.36.0.18) on CentOS 6.4
    2) Install the required repository/tools (links are for CentOS 6; you will need to edit them if you have a different OS)
    Code:
    wget http://dl.iuscommunity.org/pub/ius/stable/CentOS/6/x86_64/ius-release-1.0-11.ius.centos6.noarch.rpm
    wget http://dl.iuscommunity.org/pub/ius/stable/CentOS/6/x86_64/epel-release-6-5.noarch.rpm
    wget http://dl.iuscommunity.org/pub/ius/stable/CentOS/6/x86_64/yum-plugin-replace-0.2.5-1.ius.centos6.noarch.rpm
    rpm -Uvh ius-release-1.0-11.ius.centos6.noarch.rpm epel-release-6-5.noarch.rpm yum-plugin-replace-0.2.5-1.ius.centos6.noarch.rpm
    3) Replace/upgrade openssl (you will be prompted with a warning about some dependencies, but you can press y to continue)
    Code:
    yum replace openssl --replace-with=openssl10
    4) Add openssl* to the exclude line in /etc/yum.conf. It should look like this (if you don't add openssl* to the yum exclude list, EasyApache will not work):
    Code:
    exclude=apache* bind-chroot courier* dovecot* exim* filesystem httpd* mod_ssl* mydns* mysql* nsd* php* proftpd* pure-ftpd* ruby* spamassassin* squirrelmail* openssl*
    5) Rebuild Apache/PHP with EasyApache from WHM.
    6) Everything should be done and working. For your convenience I also created a test account to provide public access to a phpinfo page on the system on which I performed the openssl upgrade:
    Code:
    http://openssl.interserved.com/phpinfo.php
    As you can see on the phpinfo page, the openssl version is 1.0.1e.

    Results from command line:
    Code:
    [root@testlab ~]# openssl version
    OpenSSL 1.0.1e 11 Feb 2013
    
    [root@testlab ~]# ssh -V
    OpenSSH_5.3p1, OpenSSL 1.0.1e 11 Feb 2013
    
    [root@testlab ~]# rpm -qa|grep openssl
    openssl10-libs-1.0.1e-1.ius.el6.x86_64
    openssl10-devel-1.0.1e-1.ius.el6.x86_64
    openssl10-1.0.1e-1.ius.el6.x86_64
    
    [root@testlab ~]# openssl ciphers
    DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-DES-CBC3-MD5:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:KRB5-IDEA-CBC-SHA:KRB5-IDEA-CBC-MD5:RC4-SHA:RC4-MD5:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:KRB5-DES-CBC-SHA:KRB5-DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-KRB5-RC4-MD5
    P.S. I'm not responsible for any damage these operations may cause if you choose to follow them. This test was only performed once and I cannot make any guarantees. I will continue to monitor its health and conduct more tests.

    Update1:
    [SSL Labs test]: https://www.ssllabs.com/ssltest/analyze.html?d=openssl.interserved.com
    Apache Cipher used:
    Code:
    SSLHonorCipherOrder On
    SSLCipherSuite ECDHE-RSA-AES256-SHA384:!AES:!AES256-SHA256:!AES256-SHA256:RC4:HIGH:!MD5:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM:!DES-CBC3-SHA
     
    #5 InterServed, Mar 27, 2013
    Last edited: Mar 27, 2013
    SageBrian likes this.
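    A small check script added here (it is not InterServed's code or anything cPanel ships) for the procedure in post #5: it confirms that the OpenSSL now installed is at least 1.0.1c, and that the exclude line in /etc/yum.conf really lists openssl* so a later yum update cannot reinstall the stock build underneath EasyApache. The file path and the minimum version are the ones the thread gives; everything else is constructed.

```shell
#!/bin/sh
# Added check for the upgrade procedure above (not from the thread): confirm that
# the OpenSSL on the box is new enough for TLS 1.1/1.2, and that yum.conf
# excludes openssl* so "yum update" cannot silently put the stock 1.0.0 back.

# Turn "OpenSSL 1.0.1e 11 Feb 2013" (or just "1.0.1c") into a key that sorts
# correctly as text: zero-padded major.minor.fix, then the patch letter's
# position in the alphabet.  1.0.1e -> 001.000.001.05, 0.9.8e -> 000.009.008.05
openssl_version_key() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^\(OpenSSL \)\{0,1\}\([0-9][0-9.]*[a-z]\{0,1\}\).*/\2/p')
    [ -n "$ver" ] || return 1
    num=${ver%[a-z]}            # numeric part without the patch letter
    letter=${ver#"$num"}        # the patch letter, or empty
    key=$(printf '%s\n' "$num" | awk -F. '{ printf "%03d.%03d.%03d", $1, $2, $3 }')
    if [ -n "$letter" ]; then
        idx=$(( $(printf '%d' "'$letter") - 96 ))   # 'a' is 97, so a=1, e=5
    else
        idx=0
    fi
    printf '%s.%02d\n' "$key" "$idx"
}

# Print "yes" when the version string in $1 is at least the minimum in $2.
openssl_version_ge() {
    have=$(openssl_version_key "$1") || return 1
    want=$(openssl_version_key "$2") || return 1
    lowest=$(printf '%s\n%s\n' "$have" "$want" | sort | head -n 1)
    [ "$lowest" = "$want" ] && echo yes || echo no
}

# Print "yes" when the exclude= line of the yum.conf given in $1 lists openssl*.
yum_excludes_openssl() {
    grep '^exclude=' "$1" | tr ' ' '\n' | grep -qx 'openssl\*' && echo yes || echo no
}

# Stand-alone run: report on this machine (skipped when openssl is absent).
if command -v openssl >/dev/null 2>&1; then
    echo "OpenSSL >= 1.0.1c: $(openssl_version_ge "$(openssl version)" 1.0.1c)"
fi
[ -r /etc/yum.conf ] && echo "openssl* excluded in yum.conf: $(yum_excludes_openssl /etc/yum.conf)"
```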
  6. alphawolf50

    That is fantastic! Awesome! Thank you for following up with your results! Now that you've proven it's technically possible... it would be reeeaaallly nice if cPanel would just update OpenSSL for us... say, for WHM 11.40? :D I think I'll add a feature request... I'll post the link here later for visibility.
     
  7. InterServed

    You're more than welcome. Hopefully cPanel will also look into this, carry out more tests and maybe offer us this feature.
    I haven't experienced any problems so far with the openssl upgrade. I will keep doing tests and keep the testing machine alive until the cPanel trial license expires, or maybe cPanel will offer a developer license :)
     
  8. alphawolf50

  9. InterServed

    Apparently I'm out of votes and I cannot vote for it yet. Thanks for creating the feature request!
     
  10. alphawolf50

    Yeah, I had to "rethink" a vote :)

    You're very welcome. Creating the feature request was easy... you did the hard work of actually testing it! I'm considering setting up cPanel on CentOS 5 in a VM and testing that OS too. Couldn't hurt to give them more data :)
     
  11. InterServed

    Did more tests:
    - Tested upgrade from Apache 2.2 to 2.4 (works without problems)
    - Tested upgrade to the latest not-released cPanel 11.37 (works without problems)
     
  12. Robert Simpson

    Robert Simpson Registered

    Joined:
    Jun 8, 2012
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi InterServed, looks like your RPM links are 404 :(

    You don't have up to date URLs do you?


    Cheers,
    Robert

    UPDATE: Turns out it was only the first link; the file had been updated to a new version and that was reflected in the URL, which is now http://dl.iuscommunity.org/pub/ius/stable/CentOS/6/x86_64/ius-release-1.0-11.ius.centos6.noarch.rpm
     
    #12 Robert Simpson, Jul 3, 2013
    Last edited: Jul 3, 2013
  13. InterServed

    Hi,

    Sorry for not tracking the URL. I just tried to edit my post but it's not allowed anymore. Maybe a cPanel mod could edit the bad URL to the fixed one you provided. Hope my little guide will help you accomplish the openssl upgrade.

    - - - Updated - - -

    Forgot to mention that I use the following cipher list now:
    Code:
    AES256-GCM-SHA384:RC4+SHA:DHE-RSA-CAMELLIA256-SHA
     
  14. InterServed

    Hello,

    After testing this for about 3 months in a test lab, I finally deployed it on production servers, as we never encountered any issues.
    Qualys SSL Labs test of one of our production servers (PCI compliant):
    https://www.ssllabs.com/ssltest/analyze.html?d=interserved.com
     
    #14 InterServed, Jul 11, 2013
    Last edited: Jul 11, 2013
  15. dualmonitor

    dualmonitor Active Member

    Joined:
    Dec 3, 2012
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Great thread! Thanks for the hard work on this. I voted for the Feature Request.
     
  16. InterServed

    Update:
    I've just managed to also get Forward Secrecy with modern browsers. This required a manual rpm build of openssl, as the rhel/centos/cloudlinux-supplied openssl doesn't provide ECDHE cipher support.

    Required: Apache 2.4, OpenSSL configured with ECDHE support.
    Used cipher configuration:
    Code:
    SSLProtocol all -SSLv2
    SSLHonorCipherOrder On
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!NULL:!eNULL:!aNULL:!DSS:-LOW:RSA+RC4+SHA
    Test results: https://www.ssllabs.com/ssltest/analyze.html?d=interserved.com
     
    #16 InterServed, Nov 4, 2013
    Last edited: Nov 5, 2013
  17. wired420

    wired420 Active Member

    Joined:
    Nov 17, 2005
    Messages:
    34
    Likes Received:
    1
    Trophy Points:
    8
    I've created a much safer guide for doing this. It won't mess with any system files, so other things compiled against the 0.9.x libraries won't break. Also easily removed. Anyone still looking to do it should check into it. Adding extra repos always makes me nervous.

    I did temporarily use your method in testing of server performance on a freshly created cloud instance in creating my method though.

    Using TLS 1.2 with cPanel/Apache 2.4 without modifying system files.
     
    #17 wired420, Nov 7, 2013
    Last edited: Nov 7, 2013
  18. InterServed

    Hi,

    I had the same idea in mind at the start. Though my personal option was/is to use in-house built rpms. I did extensive tests and there was nothing to break. But your method is also very welcome, as others have more choices. With the rpm way, you won't need to make any rawopts changes to php/apache, just a rebuild.

    Code:
    root@nlsrv1 [~]# rpm -qa|grep openssl
    openssl10-devel-1.0.1e-2.interserved.el6.x86_64
    openssl10-1.0.1e-2.interserved.el6.x86_64
    openssl10-perl-1.0.1e-2.interserved.el6.x86_64
    openssl10-static-1.0.1e-2.interserved.el6.x86_64
    openssl10-libs-1.0.1e-2.interserved.el6.x86_64
    
    Also note that there are other services than apache that use openssl, such as the cpanel secure ports. With your method, those services won't be affected, as they will still rely on the system openssl (I didn't test it, but that's what I think).

    Comparison example between your host/method and the one i use:
    Code:
    root@nlsrv1 [~]# openssl s_client -no_tls1 -no_ssl3 -connect rootswitch.com:465
    CONNECTED(00000003)
    139897327085384:error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol:s23_clnt.c:714:
    Code:
    root@nlsrv1 [~]# openssl s_client -no_tls1 -no_ssl3 -connect interserved.com:465
    CONNECTED(00000003)
    depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
    verify return:1
    depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
    verify return:1
    depth=0 serialNumber = 4qNSjEDMFEcWpxAOnUdBDxQxSOviu5QI, OU = GT61253598, OU = See www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated - RapidSSL(R), CN = nlsrv1.interserved.com
    verify return:1
    New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : AES256-GCM-SHA384
    
    For the moment I only built rpms for el6-x86_64. If you or anyone else wants to test them, I can provide them.
     
    #18 InterServed, Nov 10, 2013
    Last edited: Nov 10, 2013
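    An added helper (not InterServed's or wired420's code) for the two s_client captures in this post and the cipher list in post #16: it boils `openssl s_client` output down to "protocol cipher", grades the result against what this thread is trying to retire (SSLv3/TLS 1.0, RC4, export, anonymous and NULL suites), and wraps the same `-no_ssl3 -no_tls1` probe used above for checking a server you operate. The sample session is constructed from the interserved.com:465 capture; the hostname in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): reduce `openssl s_client` output, like the
# two captures above, to "protocol cipher" and grade it against what this thread
# is trying to retire (SSLv3/TLS 1.0, RC4, export, anonymous and NULL suites).

# Read s_client output on stdin; print "<protocol> <cipher>" from the
# SSL-Session block, or "FAILED <reason>" when no handshake completed.
tls_session_summary() {
    awk '
        /^SSL-Session:/            { insess = 1 }
        insess && $1 == "Protocol" { proto = $3 }
        insess && $1 == "Cipher"   { cipher = $3 }
        /error:.*SSL routines/     { err = $0 }
        END {
            if (proto != "" && cipher != "") print proto, cipher
            else if (err != "") { sub(/.*SSL routines:/, "", err); print "FAILED", err }
            else print "FAILED no session"
        }'
}

# Print "weak" when the negotiated protocol ($1) or cipher ($2) is one the
# thread is trying to get rid of, "ok" otherwise.
grade_session() {
    case "$1" in
        SSLv2|SSLv3|TLSv1) echo weak; return ;;
    esac
    case "$2" in
        *RC4*|*EXP*|*NULL*|*ADH*|*AECDH*|*DES-CBC-SHA|*DES-CBC3*) echo weak ;;
        *) echo ok ;;
    esac
}

# Live check of a server you operate (needs network), e.g. probe_tls12 mail.example.com 465
# (placeholder hostname).  Same flags as the captures above: refuse SSLv3 and TLS 1.0.
probe_tls12() {
    openssl s_client -no_ssl3 -no_tls1 -connect "$1:$2" </dev/null 2>&1 | tls_session_summary
}

# Constructed sample, trimmed from the interserved.com:465 capture above.
sample='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384'
summary=$(printf '%s\n' "$sample" | tls_session_summary)
set -- $summary
echo "$summary -> $(grade_session "$1" "$2")"
```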
  19. DamienWebb

    DamienWebb Member

    Joined:
    Nov 4, 2013
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    This is really great.

    I am deploying OpenSSH 5.7, and upgrading my OpenSSL as well per your quick tutorial. It's really a no-brainer for cPanel to step up and make these changes that everyone critically needs.

    Thank you for taking the time and posting this InterServed .
     
  20. InterServed

    Update: It seems that RHEL 6.5 provides openssl 1.0.1e: http://rhn.redhat.com/errata/RHBA-2013-1751.html
     