Update cPanel to TLS 1.2 without modifying system files [php5 + curlssl + apache2.4.x]

[DomineauX]

I am using the following which works well:

#build custom /opt/openssl
cd /usr/local/src/
wget MYCUSTOMURL/openssl-1.0.1t.tar.gz (can't wget from https://www.openssl.org/source/openssl-1.0.1t.tar.gz due to TLSv1.2 being required)
tar -zxf openssl-1.0.1t.tar.gz
cd openssl-1.0.1t
./config shared -fPIC --prefix=/opt/openssl
make && make install

#build custom /opt/curlssl but put original in place until ready to run easyapache (I like to get it all ready ahead of running easyapache)
cd /usr/local/src/
mv /opt/curlssl.orig /opt/curlssl.orig2
wget http://curl.haxx.se/download/curl-7.45.0.tar.gz --no-check-certificate
tar -zxf curl-7.45.0.tar.gz
cd curl-7.45.0
env LDFLAGS=-R/opt/openssl/lib CPPFLAGS=-I/opt/openssl/include ./configure --prefix=/opt/curlssl --with-ssl=/opt/openssl --enable-http --enable-ftp
make
mv /opt/curlssl /opt/curlssl.orig.`date +%F`
make install
mv /opt/curlssl /opt/curlssl.new
mv /opt/curlssl.orig.`date +%F` /opt/curlssl

#make new /opt/curlssl active for easyapache and run it
mv /opt/curlssl /opt/curlssl.orig.`date +%F`
mv /opt/curlssl.new /opt/curlssl
LDFLAGS="-L/opt/openssl/lib" CPPFLAGS="-I/opt/openssl/include" nice -n 18  /scripts/easyapache --build

 

[Hazem]

Hi,
I did the above but Still Have issue, how make SSL library that support TLS 1.1 and 1.2 is installed and supported by cURL.

 

[cPanelMichael]

I did the above but Still Have issue

Could you provide more details about the specific issue or error message you are facing?

Thank you.

 

[techguide]

env LDFLAGS=-R/opt/openssl/lib CPPFLAGS=-I/opt/openssl/include ./configure --prefix=/opt/curlssl --with-ssl=/opt

I am trying the above, but on the "env LDFLAGS..." command I receive the error:
checking for gcc... gcc
checking whether the C compiler works... no
configure: error: in `/usr/local/src/curl-7.45.0':
configure: error: C compiler cannot create executables
See `config.log' for more details

I was thinking this was a gcc++ error, but:
Package gcc-c++-4.8.5-4.el7.x86_64 already installed and latest version
Nothing to do

This is on a newly built WHM 56.0.35, CentOS7, Apache 2.4 server

Anyone know how to correct this, thank you!

 

[DomineauX]

env LDFLAGS=-R/opt/openssl/lib CPPFLAGS=-I/opt/openssl/include ./configure --prefix=/opt/curlssl --with-ssl=/opt

I am trying the above, but on the "env LDFLAGS..." command I receive the error:
checking for gcc... gcc
checking whether the C compiler works... no
configure: error: in `/usr/local/src/curl-7.45.0':
configure: error: C compiler cannot create executables
See `config.log' for more details

I was thinking this was a gcc++ error, but:
Package gcc-c++-4.8.5-4.el7.x86_64 already installed and latest version
Nothing to do

This is on a newly built WHM 56.0.35, CentOS7, Apache 2.4 server

Anyone know how to correct this, thank you!

Why are you attempting this since you are on CentOS 7 which already supports openssl-1.0.1?

 

[techguide]

Why are you attempting this since you are on CentOS 7 which already supports openssl-1.0.1?

As I understand it, some of the applications on our server (Magento extensions for credit card processing, etc.) are only working with curl compiled with openssl. The version of curl in CentOS7 is compiled with nss and not openssl which is causing our curl https requests to fail.

]# curl -V
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.19.1 Basic ECC zlib/1.2.7 libidn/1.28 libssh2/1.4.3

# php -i | grep "SSL Version" SSL Version => OpenSSL/1.0.1e

So I was going to try this method to recompile.

The other possibility I am looking into is the curl (56) reset by peer that is happening (this is a new server we just provisioned and our testing the payment gateways with their demo URL) could be from the apache global configuration cipher suite not being correct. It is set as the cpanel default at the moment.

Thanks for replying!

 

[cPanelMichael]

As I understand it, some of the applications on our server (Magento extensions for credit card processing, etc.) are only working with curl compiled with openssl. The version of curl in CentOS7 is compiled with nss and not openssl which is causing our curl https requests to fail.

Check to see if the solution on the following thread would help in this circumstance:

curl_exec error 60 SSL certificate problem: unable to get local issuer certificate

Thank you.

 

[aaronnb]

I'm a complete newb trying to update my VPS (CENTOS 6.7 x86_64 / WHM 60.0 (build 28)). I've run into an issue during the 2nd step (install curl). Below is the error I'm getting. Any help would be greatly appreciated.

/usr/bin/ld: warning: libssl.so.1.0.0, needed by ../lib/.libs/libcurl.so, not found (try using -rpath or -rpath-link)
/usr/bin/ld: warning: libcrypto.so.1.0.0, needed by ../lib/.libs/libcurl.so, not found (try using -rpath or -rpath-link)

followed by a list of "../lib/.libs/libcurl.so: undefined reference to" followed by

collect2: ld returned 1 exit status
make[2]: *** [curl] Error 1
make[2]: Leaving directory `/usr/local/src/curl-7.33.0/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/usr/local/src/curl-7.33.0/src'
make: *** [all-recursive] Error 1

 

[Monu]

Hello

Thank you for sharing this workaround. Please note that user-submitted workarounds are not tested or supported by cPanel. We encourage everyone to review all aspects of workarounds before implementing them on a production server.

Note: I also added a redirect to this thread from the "Security" forum, as this thread may be of interest to users browsing that forum.

Thank you.

can tell me how to upgrade curl in cpanle

 

[mjslawson]

I am using the following which works well:

#build custom /opt/openssl
cd /usr/local/src/
wget MYCUSTOMURL/openssl-1.0.1t.tar.gz (can't wget from https://www.openssl.org/source/openssl-1.0.1t.tar.gz due to TLSv1.2 being required)
tar -zxf openssl-1.0.1t.tar.gz
cd openssl-1.0.1t
./config shared -fPIC --prefix=/opt/openssl
make && make install

#build custom /opt/curlssl but put original in place until ready to run easyapache (I like to get it all ready ahead of running easyapache)
cd /usr/local/src/
mv /opt/curlssl.orig /opt/curlssl.orig2
wget http://curl.haxx.se/download/curl-7.45.0.tar.gz --no-check-certificate
tar -zxf curl-7.45.0.tar.gz
cd curl-7.45.0
env LDFLAGS=-R/opt/openssl/lib CPPFLAGS=-I/opt/openssl/include ./configure --prefix=/opt/curlssl --with-ssl=/opt/openssl --enable-http --enable-ftp
make
mv /opt/curlssl /opt/curlssl.orig.`date +%F`
make install
mv /opt/curlssl /opt/curlssl.new
mv /opt/curlssl.orig.`date +%F` /opt/curlssl

#make new /opt/curlssl active for easyapache and run it
mv /opt/curlssl /opt/curlssl.orig.`date +%F`
mv /opt/curlssl.new /opt/curlssl
LDFLAGS="-L/opt/openssl/lib" CPPFLAGS="-I/opt/openssl/include" nice -n 18  /scripts/easyapache --build

Thank you for this! I was trying to use the Stripe Payment Gateway for WHMCS and had been pulling my hair out. Your solution worked for me perfectly.

Several payment processors, like Stripe and Braintree are now only accepting TLS v1.2 connections, so this is a huge relief!

Stripe: Upgrading to SHA-2 and TLS 1.2
Braintree (PayPal): Updating Your Production Environment to Support TLSv1.2

Cheers!

====
CENTOS 6.8 x86_64 virtuozzo
WHM 60.0 (build 34)