EasyApache Using Different OpenSSL From Server Shell

Discussion in 'EasyApache' started by Avalon, May 22, 2015.

  1. Avalon

    Going through some of the settings I realized that EasyApache, which I recently used to update to Apache 2.4, is using a different version of OpenSSL from what the command line is reporting.

    According to Apache and PHP, the OpenSSL version is: OpenSSL 1.0.1e-fips 11 Feb 2013

    Whereas the updated server version is: OpenSSL 1.0.2a-fips 19 Mar 2015

    I couldn't find any documentation on this but how can I get EasyApache to utilize the server version? Or, if it's possible (as an Apache rebuild takes quite a bit of time), swap out the older version for the server version?

    I went through the effort of having OpenSSL updated so that we could specify the DHParameters key but since Apache is using the older OpenSSL it kicks back by saying the parameter is invalid and falls back on the configuration.

    The server runs CloudLinux and I have already ensured that the cages were synced.
     
  2. Avalon

    I took a look at the workaround but EasyApache still elects to use OpenSSL 1.0.1e as opposed to the system version.

    I even tried just soft linking to /opt/ssl since according to that thread EasyApache 3 would use what was installed in /opt/ssl but that turned out to not be the case either.

    After applying the proper cagefsctl updates the cages still report 1.0.1e-fips and not 1.0.2a-fips.
     
    #3 Avalon, May 22, 2015
    Last edited: May 22, 2015
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You may want to post to that thread to see if the original author can assist you with the custom workaround.

    Thank you.
     
  4. Avalon

    I had actually spoken to cPanel support. They said that it's just simply no longer possible to overrule EasyApache when it comes to the matter of OpenSSL and CurlSSL unfortunately. Silly when you think about it but nevertheless it's the same answer I got from three different sources after reaching out.

    It accepts pretty much every other override still however. Interestingly, there's a post from April but they were facing issues with WHM afterwards. Perhaps distribution specific? It really doesn't matter anymore as we can execute what we needed the new libraries for from the shell or by sending it to another machine in the cluster.

    The best we were able to get it to do was override the headers:

    Code:
    OpenSSL support    enabled
    OpenSSL Library Version    OpenSSL 1.0.1e-fips 11 Feb 2013
    OpenSSL Header Version    OpenSSL 1.0.2a-fips 19 Mar 2015
     
    #5 Avalon, May 26, 2015
    Last edited: May 26, 2015
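
The header/library split shown in the last post means PHP was compiled against 1.0.2a headers but still loads the 1.0.1e library at run time, so features of the newer release are not available to it. The following Python check is an added example, not code from any poster or from cPanel: it parses those phpinfo() lines and flags the mismatch. The function names and the `minimum` threshold (assumed to be the 1.0.2 line the poster upgraded to) are assumptions.

```python
import re

# Constructed sample: the phpinfo() lines quoted in the thread above.
SAMPLE = """\
OpenSSL support    enabled
OpenSSL Library Version    OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL Header Version    OpenSSL 1.0.2a-fips 19 Mar 2015
"""

VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")
LINE_RE = re.compile(r"^\s*OpenSSL (Library|Header) Version\s+(.+)$", re.M)


def parse_version(text):
    """Turn 'OpenSSL 1.0.1e-fips 11 Feb 2013' into a sortable tuple (1, 0, 1, 'e')."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version in {text!r}")
    major, minor, fix, patch = m.groups()
    # The patch letter sorts as a string: '' < 'a' < ... < 'z' < 'za'.
    return (int(major), int(minor), int(fix), patch)


def audit(phpinfo_text, minimum=(1, 0, 2, "")):
    """Compare the runtime library with the build headers and a required minimum.

    `minimum` is an assumed threshold, not a value stated in the thread.
    """
    found = {kind.lower(): parse_version(value)
             for kind, value in LINE_RE.findall(phpinfo_text)}
    if "library" not in found or "header" not in found:
        raise ValueError("need both Library and Header version lines")
    findings = []
    if found["library"] != found["header"]:
        # Compiled against one release, running on another.
        findings.append("header/library mismatch")
    if found["library"] < minimum:
        # The runtime library is what decides which features actually work.
        findings.append("runtime library below minimum")
    return found, findings


if __name__ == "__main__":
    versions, findings = audit(SAMPLE)
    print(versions)
    print(findings or "consistent")
```
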