Update cPanel to TLS 1.2 without modifying system files [php5 + curlssl + apache2.4.x]

[wired420]

This guide will work through minor revisions of Apache 2.4.x and php5.x tree updates. May need to be updated for future major revisions but should generally work the same.

First we need to compile our own openssl. I do all my building in /home/compile you can do yours wherever though.

wget 'http://www.openssl.org/source/openssl-1.0.1e.tar.gz'
tar -zxf openssl-1.0.1e.tar.gz
cd openssl-1.0.1e
./config shared -fPIC
make
make install

This will install openssl to /usr/local/ssl.

Now we need to precompile curlssl

rm -rf /opt/curlssl
wget 'http://curl.haxx.se/download/curl-7.33.0.tar.gz'
tar -zxf curl-7.33.0.tar.gz
cd curl-7.33.0
./configure \
  --prefix=/opt/curlssl \
  --with-ssl=/usr/local/ssl \
  --enable-http \
  --enable-ftp \
  LDFLAGS=-L/usr/local/ssl/lib \
  CPPFLAGS=-I/usr/local/ssl/include
make
make install

That will install curl to /opt/curlssl

Now we need to configure EasyApache to use what we've done.

cd /var/cpanel/easy/apache/rawopts

Here we need to create two files.

touch all_php5
touch Apache2_4

open all_php5 in an editor and place this inside

--enable-ssl
--with-ssl=/usr/local/ssl
--with-curl=/opt/curlssl
LDFLAGS=-L/usr/local/ssl/lib
CPPFLAGS=-I/usr/local/ssl/include

Open Apache2_4 in an editor and place this inside

--with-ssl=/usr/local/ssl
LDFLAGS=-L/usr/local/ssl/lib
CPPFLAGS=-I/usr/local/ssl/include

For perfect forwarding secrecy and high encryption ratings follow this next step to save yourself a step later

1. Login to your WHM
2. Choose Apache Configuration from the left
3. Choose include editor
4. Under Pre VirtualHost Include choose all versions and place the following code in the box.

SSLProtocol -SSLv2 +TLSv1.2 +TLSv1.1 +TLSv1 +SSLv3
SSLCompression off
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!NULL:!eNULL:!aNULL:!DSS:-LOW:RSA+RC4+SHA

Now in WHM goto EasyApache, Select build from current profile or choose any options you wanna add, build your server, restart apache, and boom. TLS 1.2 that'll survive updates, and passes security testing.

Example of a test against a server on this setup - https://www.ssllabs.com/ssltest/analyze.html?d=rootswitch.com

 

[cPanelMichael]

Hello

Thank you for sharing this workaround. Please note that user-submitted workarounds are not tested or supported by cPanel. We encourage everyone to review all aspects of workarounds before implementing them on a production server.

Note: I also added a redirect to this thread from the "Security" forum, as this thread may be of interest to users browsing that forum.

Thank you.

 

[wired420]

Yes! cPanel will NOT support this. At all. Nor will CentOS or anyone else. As a matter of fact, it took me a couple of days of building my own CentOS server and compiling all software from scratch before I knew what all I needed to do to do this on a cPanel server. I purposely left out change directory commands and such so that people who weren't adept enough to administrate this probably wouldn't even get cPanel to run the compile they made. If not completed just right it will fail and go back to your last working build.

With that being said. Two things.

1) If you ever want to remove this it's very simple to do.

cd /var/cpanel/easy/apache/rawopts
rm -rf all_php5 Apache2_4
rm -rf /opt/curlssl
rm -rf /usr/local/ssl

Login to WHM and choose apache configuration on the left, choose includes, pre virtualhost includes all versions, remove the lines we added there.

Goto easyapache and rebuild your web server and everything is back to normal.

I'm using it successfully on 3 production servers. The only customers that even noticed the change were the ones that were complaining they were having a fight with the compliance scans for stores so they could display their little our site is safe seal.

2) If anyone has any questions, I get email notices and will respond when able, between clients during the day.

 

[wired420]

I recently broke my hand but I have this in testing with OCSP Stapling, Next Protocol Negotiation, and the Spdy 3 protocol (Working on 3.1), in a fcgid environment. This is a pre-requisite for that, but will be including those in another guide with a link back to this one in the next 24 hours most likely. Stay tuned.

 

[dualmonitor]

I recently broke my hand but I have this in testing with OCSP Stapling, Next Protocol Negotiation, and the Spdy 3 protocol (Working on 3.1), in a fcgid environment. This is a pre-requisite for that, but will be including those in another guide with a link back to this one in the next 24 hours most likely. Stay tuned.

This is awesome. Thank you for your work on this! Looking forward to your follow up posts.

 

[thobarn]

This guide will work ...

Many thanks man. You are a life saver; successfully followed in your steps (CENTOS 5.10 i686,WHM 11.38.2 (build 12)).

Wish cpanel got their finger out and implemented this feature request. Too much to ask I guess :/

 

[dezignguy]

A very nice workaround, and I was hopeful, but it did not work for me.
Centos 5.10, 64 bit, WHM 11.40.0 b19

The build process complained of incompatible libraries and other stuff and make exited with errors.

I am hopeful that Cpanel will implement this feature as well, soon. I am especially anxious to implement PFS.

 

[bellwood]

Given their "dedication to security" it only make sense that they'd ship a rpm for openssl to lock things down further

 

[cPanelKenneth]

If you configure OpenSSL to install to /opt/ssl then EasyApache will detect it, and automatically use that version when compiling Apache and PHP.

 

[dualmonitor]

If you configure OpenSSL to install to /opt/ssl then EasyApache will detect it, and automatically use that version when compiling Apache and PHP.

Thank you cPanelKenneth!

wired420, based on what cPanelKenneth said here, are there any changes you'd make to your earlier instructions?

 

[InterServed]

Note that RHEL 6.5 will provide openssl 1.0.1e: /http://rhn.redhat.com/errata/RHBA-2013-1751.html
When CentOS and CloudLinux will provide 6.5 , this workaround might not be needed anymore , tho I'm not yet sure if it supports elliptic curves.

 

[dualmonitor]

Note that RHEL 6.5 will provide openssl 1.0.1e: /http://rhn.redhat.com/errata/RHBA-2013-1751.html
When CentOS and CloudLinux will provide 6.5 , this workaround might not be needed anymore , tho I'm not yet sure if it supports elliptic curves.

That is great news! How long before that reaches us downstream in cPanel?

 

[wired420]

Given their "dedication to security" it only make sense that they'd ship a rpm for openssl to lock things down further

It's not exactly that easy. There are kernel modules and such built against the system SSL. Would require rebuilding the entire distro. This just allows you to install a secondary version and activate it while the rest of the box continues to work on OpenSSL 1.0.0c

 

[itmonitor]

Many thanks for posting. I spent hours trying to find a workable solution for PFS. Yours did the trick. Just as a friendly reminder, your ssllabs test shows your server is vulnerable to heartbleed. A quick update to SSL 1.0.1g will solve this. Thank you again for your post.

 

[Joriz]

Thanks for the post, it works great. The touch all_php5 and touch Apache2_4 is not needed in most cases because EasyApache automatically detects the custom OpenSSL.

Please don't forget to update OpenSSL to version 1.0.1g and run EasyApache to prevent the HeartBleed security bug!

 

[Kurieuo]

Everyone still using this without issue?

I'm late to the discussion, but couldn't cPanel quite easily support this natively?
That is, installing OpenSSL 1.0.1 along side the existing for RHEL5 distros.

Not a replacement, which might break other things, but to run alongsie 0.9.8 like in wired420's solution.

 

[wired420]

After seeing the popular demand for it, I will pull this section out of our custom installers for my company and put it into a self contained bash script.

Will be releasing a constantly updated installer via GIT to keep this in place shortly. Installer will update an old version just by rerunning installer after editing the config with the new version numbers. (Also cause I'm tired of updating it by hand every time there is a new bug).

 

[byrcar]

Wired- would you be able to help me out just a bit?
I've got openssl 1.0.1j installed per your instructions, but WHM still can't use TLS 1.1 or 1.2.

# openssl version
OpenSSL 1.0.1j 15 Oct 2014

When I add the Pre Main Include I get the following syntax error:

Configuration problem detected on line 1 of file
/usr/local/apache/conf/includes/pre_main_global.conf.tmp: SSLProtocol: Illegal protocol
'TLSv1.2' --- /usr/local/apache/conf/includes/pre_main_global.conf.tmp --- 1 ===>
SSLProtocol -SSLv2 +TLSv1.2 +TLSv1.1 +TLSv1 +SSLv3 <=== 2SSLCompression off
3SSLHonorCipherOrder on 4SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-
ES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-
GCM-SHA384:AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-
SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-
RSA-AES256-SHA:DHE-RSA-AES128-SHA:!NULL:!eNULL:!aNULL:!DSS:-LOW:RSA+RC4+SHA
--- /usr/local/apache/conf/includes/pre_main_global.conf.tmp ---

 

[websnail.net]

Regretably it seems a change has been made to Easyapache which blocks the suggested path here.

https://features.cpanel.net/topic/ability-to-override-curlssl-and-openssl-libraries
https://forums.cpanel.net/threads/easyapache-using-different-openssl-from-server-shell.473431/

Frustrating to find this out AFTER spending time trying to do this manually but can't find anything to indicate this change in policy...

 

[jyt123]

I have a server with Apache 2.2.29 php 5.3.29 WHM 11.30.6 (build 3) CENTOS 5.7 i686 standard

I try the upgrade below but I'm getting error when I recompile apache (see below)
is there a way around this, does this even work with my server?

thanks!

jy

configure: warning: CPPFLAGS=-I/usr/local/ssl/include: invalid host type
configure: warning: LDFLAGS=-L/usr/local/ssl/lib: invalid host type
configure: error: can only configure for one host and one target at a time
!! './configure --disable-fileinfo --enable-bcmath --enable-calendar --enable-ftp --enable-gd-native-ttf --enable-libxml --enable-magic-quotes --enable-mbstring --enable-pdo=shared --enable-sockets --enable-ssl --prefix=/usr/local --with-apxs2=/usr/local/apache/bin/apxs --with-curl=/opt/curlssl/ --with-curl=/opt/curlssl --with-freetype-dir=/usr --with-gd --with-gettext --with-imap=/opt/php_with_imap_client/ --with-imap-ssl=/usr --with-jpeg-dir=/usr --with-kerberos --with-libxml-dir=/opt/xml2/ --with-mcrypt=/opt/libmcrypt/ --with-mysql=/usr --with-mysql-sock=/var/lib/mysql/mysql.sock --with-openssl=/usr --with-openssl-dir=/usr --with-pcre-regex=/opt/pcre --with-pdo-mysql=shared --with-pdo-sqlite=shared --with-png-dir=/usr --with-sqlite=shared --with-ssl=/usr/local/ssl --with-xpm-dir=/usr --with-zlib --with-zlib-dir=/usr CPPFLAGS=-I/usr/local/ssl/include LDFLAGS=-L/usr/local/ssl/lib' failed with exit code '256' !!
!! Restoring original working apache !!
!! Executing '/usr/local/cpanel/scripts/initsslhttpd' !!
!! Restarting 'httpd' ... !!
!! 'httpd' restart complete. !!
Building global cache for cpanel...Done
!! Executing '/usr/local/cpanel/scripts/initfpsuexec' !!
!! Executing '/usr/local/cpanel/scripts/initsslhttpd' !!
!! Executing '/usr/local/cpanel/scripts/update_apachectl' !!
!! Executing '/usr/local/cpanel/scripts/enablefileprotect' !!
!! Verbose logfile is at '/usr/local/cpanel/logs/easy/apache/build.1465491860' !!