The Community Forums


Update cPanel to TLS 1.2 without modifying system files [php5 + curlssl + apache2.4.x]

Discussion in 'Workarounds and Optimization' started by wired420, Nov 5, 2013.

  1. wired420

    wired420 Active Member

This guide will work through minor revisions of the Apache 2.4.x and PHP 5.x trees. It may need to be updated for future major revisions, but should generally work the same.

    First we need to compile our own OpenSSL. I do all my building in /home/compile; you can do yours wherever, though.

    Code:
    wget 'http://www.openssl.org/source/openssl-1.0.1e.tar.gz'
    tar -zxf openssl-1.0.1e.tar.gz
    cd openssl-1.0.1e
    ./config shared -fPIC
    make
    make install
    This will install openssl to /usr/local/ssl.

Now we need to precompile curlssl.

    Code:
    rm -rf /opt/curlssl
    wget 'http://curl.haxx.se/download/curl-7.33.0.tar.gz'
    tar -zxf curl-7.33.0.tar.gz
    cd curl-7.33.0
    ./configure \
      --prefix=/opt/curlssl \
      --with-ssl=/usr/local/ssl \
      --enable-http \
      --enable-ftp \
      LDFLAGS=-L/usr/local/ssl/lib \
      CPPFLAGS=-I/usr/local/ssl/include
    make
    make install
    
That will install curl to /opt/curlssl.

    Now we need to configure EasyApache to use what we've done.

    Code:
    cd /var/cpanel/easy/apache/rawopts
    
    Here we need to create two files.

    Code:
    touch all_php5
    touch Apache2_4
    
Open all_php5 in an editor and place this inside:

    Code:
    --enable-ssl
    --with-ssl=/usr/local/ssl
    --with-curl=/opt/curlssl
    LDFLAGS=-L/usr/local/ssl/lib
    CPPFLAGS=-I/usr/local/ssl/include
    
Open Apache2_4 in an editor and place this inside:

    Code:
    --with-ssl=/usr/local/ssl
    LDFLAGS=-L/usr/local/ssl/lib
    CPPFLAGS=-I/usr/local/ssl/include
    
For perfect forward secrecy and high encryption ratings, follow this next step to save yourself a step later.

    1. Log in to your WHM
    2. Choose Apache Configuration from the left
    3. Choose Include Editor
    4. Under Pre VirtualHost Include choose All Versions and place the following code in the box.

    Code:
    SSLProtocol -SSLv2 +TLSv1.2 +TLSv1.1 +TLSv1 +SSLv3
    SSLCompression off
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!NULL:!eNULL:!aNULL:!DSS:-LOW:RSA+RC4+SHA
    
Now in WHM go to EasyApache, select Build from Current Profile or choose any options you want to add, build your server, restart Apache, and boom. TLS 1.2 that'll survive updates and passes security testing.

    Example of a test against a server on this setup - https://www.ssllabs.com/ssltest/analyze.html?d=rootswitch.com
     
    #1 wired420, Nov 5, 2013
    Last edited: Nov 5, 2013
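An added audit script, not part of wired420's post, that checks a mod_ssl include like the Pre VirtualHost Include above and writes a hardened copy; the sample file is constructed from the thread's directives (cipher list shortened) and the checks flag SSLv3 and the trailing RC4 suite, which that config still enables, plus SSLCompression and SSLHonorCipherOrder.

```shell
#!/bin/sh
# Added audit script (not from the thread): checks a mod_ssl include like the
# Pre VirtualHost Include above and writes a hardened copy.
# Constructed sample input built from the thread's directives (cipher list
# shortened; the trailing RC4 suite is the part that matters here).
SAMPLE_CONF=$(mktemp)
HARDENED_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF" "$HARDENED_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
SSLProtocol -SSLv2 +TLSv1.2 +TLSv1.1 +TLSv1 +SSLv3
SSLCompression off
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:!NULL:!eNULL:!aNULL:!DSS:-LOW:RSA+RC4+SHA
EOF

# directive FILE NAME: arguments of the first matching directive, or empty
directive() {
    grep "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | sed "s/^[[:space:]]*$2[[:space:]]*//"
}

# audit_ssl_include FILE: prints one finding per line, nothing when clean
audit_ssl_include() {
    proto=$(directive "$1" SSLProtocol)
    # "+SSLv3", or "all" without "-SSLv3", leaves SSLv3 negotiable (POODLE)
    if printf '%s\n' "$proto" | grep -Eiq '\+SSLv3|(^|[[:space:]])all([[:space:]]|$)' \
       && ! printf '%s\n' "$proto" | grep -iq -- '-SSLv3'; then
        echo "SSLv3 enabled: SSLProtocol $proto"
    fi
    [ "$(directive "$1" SSLCompression)" = off ] || echo "SSLCompression not off (CRIME)"
    [ "$(directive "$1" SSLHonorCipherOrder)" = on ] || echo "server cipher order not enforced"
    ciphers=$(directive "$1" SSLCipherSuite)
    # an RC4 suite in the list is only neutralised when !RC4 is also present
    if printf '%s\n' "$ciphers" | grep -q RC4 && ! printf '%s\n' "$ciphers" | grep -q '!RC4'; then
        echo "RC4 suites allowed: SSLCipherSuite ends in $(printf '%s' "$ciphers" | sed 's/.*://')"
    fi
}

# harden_ssl_include IN OUT: disable SSLv2/SSLv3 and replace the RC4 tail
harden_ssl_include() {
    sed -e '/^[[:space:]]*SSLProtocol/s/.*/SSLProtocol all -SSLv2 -SSLv3/' \
        -e '/^[[:space:]]*SSLCipherSuite/s/:RSA+RC4+SHA$/:!RC4/' "$1" > "$2"
}

harden_ssl_include "$SAMPLE_CONF" "$HARDENED_CONF"
echo "== thread config =="; audit_ssl_include "$SAMPLE_CONF"
echo "== hardened copy =="; audit_ssl_include "$HARDENED_CONF"
cat "$HARDENED_CONF"
```

Point it at /usr/local/apache/conf/includes/pre_virtualhost_global.conf after the EasyApache build to re-check the live include.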
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Thank you for sharing this workaround. Please note that user-submitted workarounds are not tested or supported by cPanel. We encourage everyone to review all aspects of workarounds before implementing them on a production server.

    Note: I also added a redirect to this thread from the "Security" forum, as this thread may be of interest to users browsing that forum.

    Thank you.
     
  3. wired420

    wired420 Active Member

    Yes! cPanel will NOT support this. At all. Nor will CentOS or anyone else. As a matter of fact, it took me a couple of days of building my own CentOS server and compiling all software from scratch before I knew what all I needed to do to do this on a cPanel server. I purposely left out change directory commands and such so that people who weren't adept enough to administrate this probably wouldn't even get cPanel to run the compile they made. If not completed just right it will fail and go back to your last working build.

    With that being said. Two things.

    1) If you ever want to remove this it's very simple to do.

    Code:
    cd /var/cpanel/easy/apache/rawopts
    rm -rf all_php5 Apache2_4
    rm -rf /opt/curlssl
    rm -rf /usr/local/ssl
    
Log in to WHM and choose Apache Configuration on the left, choose Includes, Pre VirtualHost Includes (all versions), and remove the lines we added there.

    Go to EasyApache and rebuild your web server, and everything is back to normal.

    I'm using it successfully on 3 production servers. The only customers that even noticed the change were the ones that were complaining they were having a fight with the compliance scans for stores so they could display their little "our site is safe" seal.

    2) If anyone has any questions, I get email notices and will respond when able, between clients during the day.
     
  4. wired420

    wired420 Active Member

I recently broke my hand, but I have this in testing with OCSP Stapling, Next Protocol Negotiation, and the SPDY 3 protocol (working on 3.1), in an fcgid environment. This is a prerequisite for that, but I will be including those in another guide with a link back to this one in the next 24 hours most likely. Stay tuned.
     
  5. dualmonitor

    dualmonitor Active Member

    This is awesome. Thank you for your work on this! Looking forward to your follow up posts.
     
  6. thobarn

    thobarn Well-Known Member

Many thanks man. You are a life saver; successfully followed in your steps (CentOS 5.10 i686, WHM 11.38.2 (build 12)).

    Wish cPanel got their finger out and implemented this feature request. Too much to ask I guess :/
     
  7. dezignguy

    dezignguy Well-Known Member

A very nice workaround, and I was hopeful, but it did not work for me.
    CentOS 5.10, 64 bit, WHM 11.40.0 b19

    The build process complained of incompatible libraries and other stuff, and make exited with errors.

    I am hopeful that cPanel will implement this feature as well, soon. I am especially anxious to implement PFS.
     
  8. bellwood

    bellwood Member
    PartnerNOC

Given their "dedication to security", it only makes sense that they'd ship an RPM for OpenSSL to lock things down further.
     
  9. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    If you configure OpenSSL to install to /opt/ssl then EasyApache will detect it, and automatically use that version when compiling Apache and PHP.
     
  10. dualmonitor

    dualmonitor Active Member

    Thank you cPanelKenneth!

    wired420, based on what cPanelKenneth said here, are there any changes you'd make to your earlier instructions?
     
  11. InterServed

    InterServed Well-Known Member

Note that RHEL 6.5 will provide openssl 1.0.1e: http://rhn.redhat.com/errata/RHBA-2013-1751.html
    When CentOS and CloudLinux provide 6.5, this workaround might not be needed anymore, though I'm not yet sure if it supports elliptic curves.
     
  12. dualmonitor

    dualmonitor Active Member

    That is great news! How long before that reaches us downstream in cPanel?
     
  13. wired420

    wired420 Active Member

It's not exactly that easy. There are kernel modules and such built against the system SSL. It would require rebuilding the entire distro. This just allows you to install a secondary version and activate it while the rest of the box continues to work on OpenSSL 1.0.0c.
     
  14. itmonitor

    itmonitor Active Member

    Many thanks for posting. I spent hours trying to find a workable solution for PFS. Yours did the trick. :) Just as a friendly reminder, your ssllabs test shows your server is vulnerable to heartbleed. A quick update to SSL 1.0.1g will solve this. Thank you again for your post.
     
  15. Joriz

    Joriz Active Member

Thanks for the post, it works great. The touch all_php5 and touch Apache2_4 steps are not needed in most cases because EasyApache automatically detects the custom OpenSSL.

    Please don't forget to update OpenSSL to version 1.0.1g and run EasyApache to prevent the HeartBleed security bug!
     
  16. Kurieuo

    Kurieuo Well-Known Member

    Everyone still using this without issue?

I'm late to the discussion, but couldn't cPanel quite easily support this natively?
    That is, installing OpenSSL 1.0.1 alongside the existing one for RHEL5 distros.

    Not a replacement, which might break other things, but running alongside 0.9.8 like in wired420's solution.
     
  17. wired420

    wired420 Active Member

After seeing the popular demand for it, I will pull this section out of our custom installers for my company and put it into a self-contained bash script.

    Will be releasing a constantly updated installer via Git to keep this in place shortly. The installer will update an old version just by rerunning the installer after editing the config with the new version numbers. (Also because I'm tired of updating it by hand every time there is a new bug.)
     
  18. byrcar

    byrcar Member

Wired, would you be able to help me out just a bit?
    I've got OpenSSL 1.0.1j installed per your instructions, but WHM still can't use TLS 1.1 or 1.2.
    Code:
    # openssl version
    OpenSSL 1.0.1j 15 Oct 2014
    
    When I add the Pre Main Include I get the following syntax error:
    Code:
    Configuration problem detected on line 1 of file
    /usr/local/apache/conf/includes/pre_main_global.conf.tmp: SSLProtocol: Illegal protocol
    'TLSv1.2' --- /usr/local/apache/conf/includes/pre_main_global.conf.tmp --- 1 ===>
    SSLProtocol -SSLv2 +TLSv1.2 +TLSv1.1 +TLSv1 +SSLv3 <=== 2SSLCompression off
    3SSLHonorCipherOrder on 4SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-
    ES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-
    GCM-SHA384:AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-
    SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-
    RSA-AES256-SHA:DHE-RSA-AES128-SHA:!NULL:!eNULL:!aNULL:!DSS:-LOW:RSA+RC4+SHA
    --- /usr/local/apache/conf/includes/pre_main_global.conf.tmp ---
     
    #18 byrcar, Apr 10, 2015
    Last edited: Apr 10, 2015
  19. websnail.net

    websnail.net Active Member

  20. jyt123

    jyt123 Registered

I have a server with Apache 2.2.29, PHP 5.3.29, WHM 11.30.6 (build 3), CentOS 5.7 i686 standard.

    I tried the upgrade below, but I'm getting an error when I recompile Apache (see below).
    Is there a way around this? Does this even work with my server?

    thanks!

    jy

    Code:
    configure: warning: CPPFLAGS=-I/usr/local/ssl/include: invalid host type
    configure: warning: LDFLAGS=-L/usr/local/ssl/lib: invalid host type
    configure: error: can only configure for one host and one target at a time
    !! './configure --disable-fileinfo --enable-bcmath --enable-calendar --enable-ftp --enable-gd-native-ttf --enable-libxml --enable-magic-quotes --enable-mbstring --enable-pdo=shared --enable-sockets --enable-ssl --prefix=/usr/local --with-apxs2=/usr/local/apache/bin/apxs --with-curl=/opt/curlssl/ --with-curl=/opt/curlssl --with-freetype-dir=/usr --with-gd --with-gettext --with-imap=/opt/php_with_imap_client/ --with-imap-ssl=/usr --with-jpeg-dir=/usr --with-kerberos --with-libxml-dir=/opt/xml2/ --with-mcrypt=/opt/libmcrypt/ --with-mysql=/usr --with-mysql-sock=/var/lib/mysql/mysql.sock --with-openssl=/usr --with-openssl-dir=/usr --with-pcre-regex=/opt/pcre --with-pdo-mysql=shared --with-pdo-sqlite=shared --with-png-dir=/usr --with-sqlite=shared --with-ssl=/usr/local/ssl --with-xpm-dir=/usr --with-zlib --with-zlib-dir=/usr CPPFLAGS=-I/usr/local/ssl/include LDFLAGS=-L/usr/local/ssl/lib' failed with exit code '256' !!
    !! Restoring original working apache !!
    !! Executing '/usr/local/cpanel/scripts/initsslhttpd' !!
    !! Restarting 'httpd' ... !!
    !! 'httpd' restart complete. !!
    Building global cache for cpanel...Done
    !! Executing '/usr/local/cpanel/scripts/initfpsuexec' !!
    !! Executing '/usr/local/cpanel/scripts/initsslhttpd' !!
    !! Executing '/usr/local/cpanel/scripts/update_apachectl' !!
    !! Executing '/usr/local/cpanel/scripts/enablefileprotect' !!
    !! Verbose logfile is at '/usr/local/cpanel/logs/easy/apache/build.1465491860' !!
    
     
    #20 jyt123, Jun 9, 2016
    Last edited by a moderator: Jun 9, 2016