Update cPanel to TLS 1.2 without modifying system files [php5 + curlssl + apache2.4.x]

wired420

Active Member
Nov 17, 2005
35
2
158
This guide will work through minor revisions of Apache 2.4.x and php5.x tree updates. May need to be updated for future major revisions but should generally work the same.

First we need to compile our own openssl. I do all my building in /home/compile you can do yours wherever though.

Code:
wget 'http://www.openssl.org/source/openssl-1.0.1e.tar.gz'
tar -zxf openssl-1.0.1e.tar.gz
cd openssl-1.0.1e
./config shared -fPIC
make
make install
This will install openssl to /usr/local/ssl.

Now we need to precompile curlssl

Code:
rm -rf /opt/curlssl
wget 'http://curl.haxx.se/download/curl-7.33.0.tar.gz'
tar -zxf curl-7.33.0.tar.gz
cd curl-7.33.0
./configure \
  --prefix=/opt/curlssl \
  --with-ssl=/usr/local/ssl \
  --enable-http \
  --enable-ftp \
  LDFLAGS=-L/usr/local/ssl/lib \
  CPPFLAGS=-I/usr/local/ssl/include
make
make install
That will install curl to /opt/curlssl

Now we need to configure EasyApache to use what we've done.

Code:
cd /var/cpanel/easy/apache/rawopts
Here we need to create two files.

Code:
touch all_php5
touch Apache2_4
open all_php5 in an editor and place this inside

Code:
--enable-ssl
--with-ssl=/usr/local/ssl
--with-curl=/opt/curlssl
LDFLAGS=-L/usr/local/ssl/lib
CPPFLAGS=-I/usr/local/ssl/include
Open Apache2_4 in an editor and place this inside

Code:
--with-ssl=/usr/local/ssl
LDFLAGS=-L/usr/local/ssl/lib
CPPFLAGS=-I/usr/local/ssl/include
For perfect forwarding secrecy and high encryption ratings follow this next step to save yourself a step later

  1. Login to your WHM
  2. Choose Apache Configuration from the left
  3. Choose include editor
  4. Under Pre VirtualHost Include choose all versions and place the following code in the box.

Code:
SSLProtocol -SSLv2 +TLSv1.2 +TLSv1.1 +TLSv1 +SSLv3
SSLCompression off
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!NULL:!eNULL:!aNULL:!DSS:-LOW:RSA+RC4+SHA
Now in WHM goto EasyApache, Select build from current profile or choose any options you wanna add, build your server, restart apache, and boom. TLS 1.2 that'll survive updates, and passes security testing.

Example of a test against a server on this setup - https://www.ssllabs.com/ssltest/analyze.html?d=rootswitch.com
 
Last edited:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,201
363
Hello :)

Thank you for sharing this workaround. Please note that user-submitted workarounds are not tested or supported by cPanel. We encourage everyone to review all aspects of workarounds before implementing them on a production server.

Note: I also added a redirect to this thread from the "Security" forum, as this thread may be of interest to users browsing that forum.

Thank you.
 

wired420

Active Member
Nov 17, 2005
35
2
158
Yes! cPanel will NOT support this. At all. Nor will CentOS or anyone else. As a matter of fact, it took me a couple of days of building my own CentOS server and compiling all software from scratch before I knew what all I needed to do to do this on a cPanel server. I purposely left out change directory commands and such so that people who weren't adept enough to administrate this probably wouldn't even get cPanel to run the compile they made. If not completed just right it will fail and go back to your last working build.

With that being said. Two things.

1) If you ever want to remove this it's very simple to do.

Code:
cd /var/cpanel/easy/apache/rawopts
rm -rf all_php5 Apache2_4
rm -rf /opt/curlssl
rm -rf /usr/local/ssl
Login to WHM and choose apache configuration on the left, choose includes, pre virtualhost includes all versions, remove the lines we added there.

Goto easyapache and rebuild your web server and everything is back to normal.

I'm using it successfully on 3 production servers. The only customers that even noticed the change were the ones that were complaining they were having a fight with the compliance scans for stores so they could display their little our site is safe seal.

2) If anyone has any questions, I get email notices and will respond when able, between clients during the day.
 

wired420

Active Member
Nov 17, 2005
35
2
158
I recently broke my hand but I have this in testing with OCSP Stapling, Next Protocol Negotiation, and the Spdy 3 protocol (Working on 3.1), in a fcgid environment. This is a pre-requisite for that, but will be including those in another guide with a link back to this one in the next 24 hours most likely. Stay tuned.
 

dualmonitor

Active Member
Dec 3, 2012
31
0
6
cPanel Access Level
Root Administrator
I recently broke my hand but I have this in testing with OCSP Stapling, Next Protocol Negotiation, and the Spdy 3 protocol (Working on 3.1), in a fcgid environment. This is a pre-requisite for that, but will be including those in another guide with a link back to this one in the next 24 hours most likely. Stay tuned.
This is awesome. Thank you for your work on this! Looking forward to your follow up posts.
 

dezignguy

Well-Known Member
Sep 26, 2004
533
0
166
A very nice workaround, and I was hopeful, but it did not work for me.
Centos 5.10, 64 bit, WHM 11.40.0 b19

The build process complained of incompatible libraries and other stuff and make exited with errors.

I am hopeful that Cpanel will implement this feature as well, soon. I am especially anxious to implement PFS.
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,607
76
308
cPanel Access Level
Root Administrator
If you configure OpenSSL to install to /opt/ssl then EasyApache will detect it, and automatically use that version when compiling Apache and PHP.
 
  • Like
Reactions: jeya vinoth

InterServed

Well-Known Member
Jul 10, 2007
268
14
68
cPanel Access Level
DataCenter Provider
Note that RHEL 6.5 will provide openssl 1.0.1e: /http://rhn.redhat.com/errata/RHBA-2013-1751.html
When CentOS and CloudLinux will provide 6.5 , this workaround might not be needed anymore , tho I'm not yet sure if it supports elliptic curves.
 

dualmonitor

Active Member
Dec 3, 2012
31
0
6
cPanel Access Level
Root Administrator
Note that RHEL 6.5 will provide openssl 1.0.1e: /http://rhn.redhat.com/errata/RHBA-2013-1751.html
When CentOS and CloudLinux will provide 6.5 , this workaround might not be needed anymore , tho I'm not yet sure if it supports elliptic curves.
That is great news! How long before that reaches us downstream in cPanel?
 

wired420

Active Member
Nov 17, 2005
35
2
158
Given their "dedication to security" it only make sense that they'd ship a rpm for openssl to lock things down further
It's not exactly that easy. There are kernel modules and such built against the system SSL. Would require rebuilding the entire distro. This just allows you to install a secondary version and activate it while the rest of the box continues to work on OpenSSL 1.0.0c
 

itmonitor

Well-Known Member
Apr 10, 2014
83
15
83
cPanel Access Level
Root Administrator
Many thanks for posting. I spent hours trying to find a workable solution for PFS. Yours did the trick. :) Just as a friendly reminder, your ssllabs test shows your server is vulnerable to heartbleed. A quick update to SSL 1.0.1g will solve this. Thank you again for your post.
 

Kurieuo

Well-Known Member
Dec 13, 2002
106
0
166
Australia
Everyone still using this without issue?

I'm late to the discussion, but couldn't cPanel quite easily support this natively?
That is, installing OpenSSL 1.0.1 along side the existing for RHEL5 distros.

Not a replacement, which might break other things, but to run alongsie 0.9.8 like in wired420's solution.
 

wired420

Active Member
Nov 17, 2005
35
2
158
After seeing the popular demand for it, I will pull this section out of our custom installers for my company and put it into a self contained bash script.

Will be releasing a constantly updated installer via GIT to keep this in place shortly. Installer will update an old version just by rerunning installer after editing the config with the new version numbers. (Also cause I'm tired of updating it by hand every time there is a new bug).
 

byrcar

Member
May 6, 2014
7
0
1
cPanel Access Level
Root Administrator
Wired- would you be able to help me out just a bit?
I've got openssl 1.0.1j installed per your instructions, but WHM still can't use TLS 1.1 or 1.2.
Code:
# openssl version
OpenSSL 1.0.1j 15 Oct 2014
When I add the Pre Main Include I get the following syntax error:
Code:
Configuration problem detected on line 1 of file
/usr/local/apache/conf/includes/pre_main_global.conf.tmp: SSLProtocol: Illegal protocol
'TLSv1.2' --- /usr/local/apache/conf/includes/pre_main_global.conf.tmp --- 1 ===>
SSLProtocol -SSLv2 +TLSv1.2 +TLSv1.1 +TLSv1 +SSLv3 <=== 2SSLCompression off
3SSLHonorCipherOrder on 4SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-
ES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-
GCM-SHA384:AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-
SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-
RSA-AES256-SHA:DHE-RSA-AES128-SHA:!NULL:!eNULL:!aNULL:!DSS:-LOW:RSA+RC4+SHA
--- /usr/local/apache/conf/includes/pre_main_global.conf.tmp ---
 
Last edited:

jyt123

Member
Nov 29, 2015
9
3
3
Canada
cPanel Access Level
Root Administrator
I have a server with Apache 2.2.29 php 5.3.29 WHM 11.30.6 (build 3) CENTOS 5.7 i686 standard

I try the upgrade below but I'm getting error when I recompile apache (see below)
is there a way around this, does this even work with my server?

thanks!

jy

Code:
configure: warning: CPPFLAGS=-I/usr/local/ssl/include: invalid host type
configure: warning: LDFLAGS=-L/usr/local/ssl/lib: invalid host type
configure: error: can only configure for one host and one target at a time
!! './configure --disable-fileinfo --enable-bcmath --enable-calendar --enable-ftp --enable-gd-native-ttf --enable-libxml --enable-magic-quotes --enable-mbstring --enable-pdo=shared --enable-sockets --enable-ssl --prefix=/usr/local --with-apxs2=/usr/local/apache/bin/apxs --with-curl=/opt/curlssl/ --with-curl=/opt/curlssl --with-freetype-dir=/usr --with-gd --with-gettext --with-imap=/opt/php_with_imap_client/ --with-imap-ssl=/usr --with-jpeg-dir=/usr --with-kerberos --with-libxml-dir=/opt/xml2/ --with-mcrypt=/opt/libmcrypt/ --with-mysql=/usr --with-mysql-sock=/var/lib/mysql/mysql.sock --with-openssl=/usr --with-openssl-dir=/usr --with-pcre-regex=/opt/pcre --with-pdo-mysql=shared --with-pdo-sqlite=shared --with-png-dir=/usr --with-sqlite=shared --with-ssl=/usr/local/ssl --with-xpm-dir=/usr --with-zlib --with-zlib-dir=/usr CPPFLAGS=-I/usr/local/ssl/include LDFLAGS=-L/usr/local/ssl/lib' failed with exit code '256' !!
!! Restoring original working apache !!
!! Executing '/usr/local/cpanel/scripts/initsslhttpd' !!
!! Restarting 'httpd' ... !!
!! 'httpd' restart complete. !!
Building global cache for cpanel...Done
!! Executing '/usr/local/cpanel/scripts/initfpsuexec' !!
!! Executing '/usr/local/cpanel/scripts/initsslhttpd' !!
!! Executing '/usr/local/cpanel/scripts/update_apachectl' !!
!! Executing '/usr/local/cpanel/scripts/enablefileprotect' !!
!! Verbose logfile is at '/usr/local/cpanel/logs/easy/apache/build.1465491860' !!
 
Last edited by a moderator: