Update cPanel to TLS 1.2 without modifying system files [php5 + curlssl + apache2.4.x]

DomineauX

I am using the following which works well:

Code:
#build custom /opt/openssl
cd /usr/local/src/
# can't wget from https://www.openssl.org/source/openssl-1.0.1t.tar.gz due to TLSv1.2 being required
wget MYCUSTOMURL/openssl-1.0.1t.tar.gz
tar -zxf openssl-1.0.1t.tar.gz
cd openssl-1.0.1t
./config shared -fPIC --prefix=/opt/openssl
make && make install

#build custom /opt/curlssl but put original in place until ready to run easyapache (I like to get it all ready ahead of running easyapache)
cd /usr/local/src/
mv /opt/curlssl.orig /opt/curlssl.orig2
wget http://curl.haxx.se/download/curl-7.45.0.tar.gz --no-check-certificate
tar -zxf curl-7.45.0.tar.gz
cd curl-7.45.0
env LDFLAGS=-R/opt/openssl/lib CPPFLAGS=-I/opt/openssl/include ./configure --prefix=/opt/curlssl --with-ssl=/opt/openssl --enable-http --enable-ftp
make
mv /opt/curlssl /opt/curlssl.orig.`date +%F`
make install
mv /opt/curlssl /opt/curlssl.new
mv /opt/curlssl.orig.`date +%F` /opt/curlssl

Code:
#make new /opt/curlssl active for easyapache and run it
mv /opt/curlssl /opt/curlssl.orig.`date +%F`
mv /opt/curlssl.new /opt/curlssl
LDFLAGS="-L/opt/openssl/lib" CPPFLAGS="-I/opt/openssl/include" nice -n 18  /scripts/easyapache --build
 

techguide

env LDFLAGS=-R/opt/openssl/lib CPPFLAGS=-I/opt/openssl/include ./configure --prefix=/opt/curlssl --with-ssl=/opt
I am trying the above, but on the "env LDFLAGS..." command I receive the error:
checking for gcc... gcc
checking whether the C compiler works... no
configure: error: in `/usr/local/src/curl-7.45.0':
configure: error: C compiler cannot create executables
See `config.log' for more details

I was thinking this was a gcc++ error, but:
Package gcc-c++-4.8.5-4.el7.x86_64 already installed and latest version
Nothing to do

This is on a newly built WHM 56.0.35, CentOS7, Apache 2.4 server

Anyone know how to correct this, thank you!
 

DomineauX

Why are you attempting this since you are on CentOS 7 which already supports openssl-1.0.1?
 

techguide

As I understand it, some of the applications on our server (Magento extensions for credit card processing, etc.) are only working with curl compiled with openssl. The version of curl in CentOS7 is compiled with nss and not openssl which is causing our curl https requests to fail.

# curl -V
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.19.1 Basic ECC zlib/1.2.7 libidn/1.28 libssh2/1.4.3

# php -i | grep "SSL Version"
SSL Version => OpenSSL/1.0.1e

So I was going to try this method to recompile.

The other possibility I am looking into is that the curl (56) reset by peer that is happening (this is a new server we just provisioned and are testing the payment gateways with their demo URL) could be from the Apache global configuration cipher suite not being correct. It is set as the cPanel default at the moment.

Thanks for replying!
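
Added example (not part of any post in this thread): a shell helper that classifies the TLS library reported by `curl -V` or `php -i | grep "SSL Version"`, the two checks shown in the post above, relying on the fact that OpenSSL first supported TLS 1.2 in 1.0.1. The function names `tls_backend` and `classify_tls` are illustrative, and the sample strings in the comments are the outputs quoted in this thread.

```shell
#!/bin/sh
# Classify the TLS library named in one line of `curl -V` or
# `php -i | grep "SSL Version"` output (illustrative helper names).

# Print the first "Library/version" token for a known TLS library, or "none".
tls_backend() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        grep -E -m1 '^(OpenSSL|NSS|GnuTLS|LibreSSL)/' || echo none
}

# Print one of: openssl-tls12 | openssl-too-old | other:<token> | none
classify_tls() {
    token=$(tls_backend "$1")
    case "$token" in
        OpenSSL/*)
            ver=${token#OpenSSL/}                 # e.g. 1.0.1e
            major=${ver%%.*}; rest=${ver#*.}
            minor=${rest%%.*}; rest=${rest#*.}
            # drop the letter suffix OpenSSL uses for patch releases
            patch=$(printf '%s' "$rest" | sed 's/[^0-9].*$//')
            # TLS 1.2 first appeared in OpenSSL 1.0.1
            if [ "$major" -gt 1 ] ||
               { [ "$major" -eq 1 ] && [ "$minor" -gt 0 ]; } ||
               { [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] &&
                 [ "${patch:-0}" -ge 1 ]; }
            then echo openssl-tls12
            else echo openssl-too-old
            fi ;;
        none) echo none ;;
        *)    echo "other:$token" ;;              # e.g. the distro's NSS build
    esac
}

# Typical use on a live server:
#   classify_tls "$(/opt/curlssl/bin/curl -V | head -n 1)"
#   classify_tls "$(php -i | grep 'SSL Version')"
```

An `other:NSS/...` result from the command-line curl alongside `openssl-tls12` from PHP means the two are linked against different TLS libraries, so testing a gateway with the system `curl` does not exercise the library PHP uses.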
 

cPanelMichael

Administrator
Staff member

aaronnb

I'm a complete newb trying to update my VPS (CENTOS 6.7 x86_64 / WHM 60.0 (build 28)). I've run into an issue during the 2nd step (install curl). Below is the error I'm getting. Any help would be greatly appreciated.

Code:
/usr/bin/ld: warning: libssl.so.1.0.0, needed by ../lib/.libs/libcurl.so, not found (try using -rpath or -rpath-link)
/usr/bin/ld: warning: libcrypto.so.1.0.0, needed by ../lib/.libs/libcurl.so, not found (try using -rpath or -rpath-link)

followed by a list of "../lib/.libs/libcurl.so: undefined reference to" followed by

Code:
collect2: ld returned 1 exit status
make[2]: *** [curl] Error 1
make[2]: Leaving directory `/usr/local/src/curl-7.33.0/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/usr/local/src/curl-7.33.0/src'
make: *** [all-recursive] Error 1
 

Monu

Hello :)

Thank you for sharing this workaround. Please note that user-submitted workarounds are not tested or supported by cPanel. We encourage everyone to review all aspects of workarounds before implementing them on a production server.

Note: I also added a redirect to this thread from the "Security" forum, as this thread may be of interest to users browsing that forum.

Thank you.

Can you tell me how to upgrade curl in cPanel?
 

mjslawson

Thank you for this! I was trying to use the Stripe Payment Gateway for WHMCS and had been pulling my hair out. Your solution worked for me perfectly.

Several payment processors, like Stripe and Braintree, are now only accepting TLS v1.2 connections, so this is a huge relief!

Stripe: Upgrading to SHA-2 and TLS 1.2
Braintree (PayPal): Updating Your Production Environment to Support TLSv1.2

Cheers!

====
CENTOS 6.8 x86_64 virtuozzo
WHM 60.0 (build 34)
 