EasyApache Using Different OpenSSL From Server Shell

Avalon

Member
Apr 27, 2015
19
1
3
United States
cPanel Access Level
DataCenter Provider
Twitter
Going through some of the settings I realized that EasyApache, which I recently used to update to Apache 2.4 is using a different version of OpenSSL from what the command line is report.

According to Apache and PHP, the OpenSSL version is: OpenSSL 1.0.1e-fips 11 Feb 2013

Whereas the updated server version is: OpenSSL 1.0.2a-fips 19 Mar 2015

I couldn't find any documentation on this but how can I get EasyApache to utilize the server version? Or, if it's possible (as an Apache rebuild takes quite a bit of time), swap out the older version for the server version?

I went through the effort of having OpenSSL updated so that we could specify the DHParameters key but since Apache is using the older OpenSSL it kicks back by saying the parameter is invalid and falls back on the configuration.

The server runs CloudLinux and I have already ensured that the cages where synced.
 

Avalon

Member
Apr 27, 2015
19
1
3
United States
cPanel Access Level
DataCenter Provider
Twitter
I took a look at the workaround but EasyApache still elects to use OpenSSL 1.0.1e as opposed to the system version.

I even tried just soft linking to /opt/ssl since according to that thread EasyApache 3 would use what was installed in /opt/ssl but that turned out to not be the case either.

After apply the proper cagefsctl updates the cages still report 1.0.1e-fips and not 1.0.2a-fips.
 
Last edited:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,250
463
I took a look at the workaround but EasyApache still elects to use OpenSSL 1.0.1e as opposed to the system version.
You may want to post to that thread to see if the original author can assist you with the custom workaround.

Thank you.
 

Avalon

Member
Apr 27, 2015
19
1
3
United States
cPanel Access Level
DataCenter Provider
Twitter
You may want to post to that thread to see if the original author can assist you with the custom workaround.

Thank you.
I had actually spoken to cPanel support. They said that it's just simply no longer possible to overrule EasyApache when it comes to the matter of OpenSSL and CurlSSL unfortunately. Silly when you think about it but nevertheless it's the same answer I got from three different sources after reaching out.

It accepts pretty much every other override still however. Interestingly, there's a post from April but they were facing issues with WHM afterwards. Perhaps distribution specific? It really doesn't matter anymore as we can execute what we needed the new libraries for from the shell or by sending it to another machine in the cluster.

The best we were able to get it to do was override the headers:

Code:
OpenSSL support    enabled
OpenSSL Library Version    OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL Header Version    OpenSSL 1.0.2a-fips 19 Mar 2015
 
Last edited: