
Thread: CentOS 5 and a parallel install of OpenSSL 1.0.2a (TLSv1.1 and TLSv1.2)

  1. #1
    Join Date
    Jun 2015
    Posts
    4

    CentOS 5 and a parallel install of OpenSSL 1.0.2a (TLSv1.1 and TLSv1.2)

    We have some customers that are still using CentOS 5 but require PCI compliance. PCI-DSS 3.1, which was released in April, says that TLSv1 is no longer good enough, and to be fully compliant folks have to be able to use TLSv1.1 and/or TLSv1.2.

    CentOS 5's built-in OpenSSL can only use up to TLSv1, so we were left with a dilemma: one customer in particular has 200 users on one dedicated server that is running CentOS 5 and must maintain PCI compliance on it. Because moving 200 users isn't exactly feasible at this moment, we're looking at a stop-gap option of simply dropping in OpenSSL 1.0.2a and compiling against it.

    Has anyone tried this? This is the method I'm using currently with custombuild 2 on a test machine without any customers on it:

    Pull the OpenSSL code: https://www.openssl.org/source/ (change the link in the wget line obviously to the source version you want) and compile it.
    Code:
    mkdir ~/src/
    cd ~/src/
    wget https://www.openssl.org/source/openssl-1.0.2a.tar.gz
    tar -zxvf openssl-*.tar.gz
    cd openssl-*
    # default prefix is /usr/local/ssl, so the system OpenSSL in /usr is not touched
    ./config -fpic shared && make && make install
    # let the dynamic linker find the new libssl/libcrypto
    echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
    ldconfig
    This installs OpenSSL in /usr/local/ssl and will not overwrite the OpenSSL version already on disk, so everything else compiled against the built-in version of OpenSSL is still good to go.

    Now pull and compile curl.

    We're disabling LDAP in curl; essentially this will hamper PHP LDAP calls and any LDAP calls within curl, so if you require LDAP you are going to have to compile OpenLDAP and its requirements (DB4 and all of its requirements) as well to use the new version of OpenSSL that we just compiled, which is outside the scope of what I'm doing.

    Grab the download link from here: http://curl.haxx.se/download.html then compile it...
    Code:
    cd /root/src
    wget http://curl.haxx.se/download/curl-7.42.1.tar.gz
    tar -xzvf curl-*.tar.gz
    cd curl-*
    # link curl against the parallel OpenSSL; LDAP is disabled as explained above
    ./configure --with-ssl=/usr/local/ssl --disable-ldap && make && make install
    Edit the custombuild configure script for apache to use the new SSL by editing /usr/local/directadmin/custombuild/configure/ap2/configure.apache and changing
    Code:
    "--with-ssl=/usr" \         
    to
    "--with-ssl=/usr/local/ssl" \
    Then the same thing with PHP: change /usr/local/directadmin/custombuild/configure/ap2/configure.php___ (php55 is for version 5.5, so use the appropriate version)
    Code:
          --with-openssl\
    to
          --with-openssl=/usr/local/ssl \
    Then disable curl within custombuild so we don't overwrite what's there and compile apache and php using custombuild:

    Code:
    cd /usr/local/directadmin/custombuild/
    # keep custombuild from rebuilding curl over the hand-built one
    ./build set curl no
    ./build apache
    ./build php
    And with that you should now be able to use TLSv1.2, and PHP curl calls will be able to use TLSv1.2 (for sending credit card info to payment processors' gateways). If for some reason it doesn't work, remove the changes made in the configure files, set curl to yes and rebuild curl, apache and php.

    ==================================

    I plan on testing with a customer tomorrow, but figured I'd toss it out there in case anyone else has tried the same method. This is meant to just buy us some time while we move folks over while still maintaining PCI compliance.

  2. #2
    Join Date
    Jun 2015
    Posts
    4
    We had an issue with ssh2.so not matching, so I had to compile that from scratch as well against our new version of openssl.

    I'll provide instructions later tonight when I get some downtime, but suffice it to say you have to compile libssl against openssl, then compile php ssh2 against the libssl you just compiled, then copy the .so file over your ssh2.so module.

    DirectAdmin still wants to use TLSv1, may be my fault as I didn't build all when upgrading from custombuild 1.2 -> 2, so will need to work on that as well.

  3. #3
    Join Date
    Mar 2016
    Posts
    1

    Did this work

    Quote Originally Posted by CharlesTQ View Post
    We had an issue with ssh2.so not matching, so I had to compile that from scratch as well against our new version of openssl.

    I'll provide instructions later tonight when I get some downtime, but suffice it to say you have to compile libssl against openssl, then compile php ssh2 against the libssl you just compiled, then copy the .so file over your ssh2.so module.

    DirectAdmin still wants to use TLSv1, may be my fault as I didn't build all when upgrading from custombuild 1.2 -> 2, so will need to work on that as well.
    I just wanted to know if you successfully got this done because I am having the same issue with current version of openssl -

  4. #4
    Join Date
    Sep 2006
    Posts
    40
    Hi There,

    I would also like to know if this worked, as upgrading our OS before PayPal locks out everything less than TLS 1.2 in June is not an option.

  5. #5
    Join Date
    Feb 2008
    Posts
    23
    I managed to get this working so I thought I'd post incase anyone else needs this.

    I did things slightly differently from the original poster: I configured custombuild to build curl, apache and php using the custom openssl install, so there is no need to maintain a separate curl install as they did.

    I encountered no errors but did see a few warnings about potential conflicts. This should be treated as a temporary measure while you plan a full server upgrade.
    Running CentOS 5 and custombuild 2
    I hope someone finds this useful.

    Download and install SSL in its own dir:
    Code:
    mkdir ~/src/
    cd ~/src/
    wget https://www.openssl.org/source/openssl-1.0.1t.tar.gz
    tar -zxvf openssl-1.0.1t.tar.gz
    cd openssl-1.0.1t
    # installs under the default prefix /usr/local/ssl, alongside the system OpenSSL
    ./config -fpic shared && make && make install
    echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
    ldconfig
    Edit: I forgot to mention, I couldn't download the openssl file; I assume this was because they have turned off TLS 1.0 support. So I downloaded it to my local machine and then scp'd it to the server.

    Configure the DirectAdmin curl build to use our new openssl:
    Code:
    cd /usr/local/directadmin/custombuild
    mkdir custom/curl
    cp configure/curl/configure.curl custom/curl/
    Edit your custom/curl/configure.curl and change:
    Code:
    ./configure
    to
    ./configure --with-ssl=/usr/local/ssl --disable-ldap
    Configure the DirectAdmin Apache build to use our new openssl:
    Code:
    mkdir custom/ap2
    cp configure/ap2/configure.apache custom/ap2/
    Edit your custom/ap2/configure.apache and change:
    Code:
          --with-ssl\
    to
          --with-ssl=/usr/local/ssl \
    Configure the DirectAdmin PHP build to use our new openssl (replace the file name with the version you are using):
    Code:
    cp configure/ap2/configure.php56 custom/ap2/
    Now edit your custom/ap2/configure.php56 and change:
    Code:
          --with-openssl\
    to
          --with-openssl=/usr/local/ssl \
    Now build curl, php and apache:
    Code:
    ./build curl
    ./build apache
    ./build php
    DONE!!

    I did this specifically to address PayPal's upgrade this month. Once complete you can test if everything works OK using:
    Code:
    php -r '$ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "https://tlstest.paypal.com/"); var_dump(curl_exec($ch));'
    Last edited by cbolt; 06-09-2016 at 05:59 PM.
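Added example, not code from post #1 or post #5: a shell script that checks the result of the procedure both posts describe. It never rebuilds anything. It reports which libssl/libcrypto each rebuilt binary or module actually resolves at run time (via ldd), whether the OpenSSL found under the prefix is new enough for TLS 1.1/1.2 (that support first shipped in OpenSSL 1.0.1, so CentOS 5's 0.9.8 fails the check), and, if PROBE_HOST is set, whether a TLS 1.2 handshake really succeeds using the new openssl binary. The /usr/local/ssl prefix is the one the posts use; the binary paths, the SSL_PREFIX and PROBE_HOST variables, and the function names are assumptions of this example, and the ldd lines mentioned in comments are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread: verify a parallel OpenSSL install.
# It rebuilds nothing; it reports which libssl/libcrypto a binary resolves at
# run time, whether that OpenSSL is new enough for TLS 1.1/1.2, and (optionally)
# whether a real TLS 1.2 handshake works. SSL_PREFIX, the binary list and
# PROBE_HOST are assumptions; the thread's own prefix is /usr/local/ssl.
SSL_PREFIX="${SSL_PREFIX:-/usr/local/ssl}"

# openssl_supports_tls12 "<output of 'openssl version'>"
# TLS 1.1 and 1.2 first shipped in OpenSSL 1.0.1, so 1.0.1 or newer returns 0.
# CentOS 5's 0.9.8e (and 1.0.0) return 1. Letter and "-fips" suffixes are ignored.
openssl_supports_tls12() {
    ver=$(printf '%s\n' "$1" | awk 'NR == 1 { print $2 }')   # e.g. 1.0.2a, 0.9.8e-fips-rhel5
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    patch=$(printf '%s' "$rest" | sed 's/[^0-9].*//')
    [ "${major:-0}" -gt 1 ] && return 0
    [ "${major:-0}" -eq 1 ] && [ "${minor:-0}" -gt 0 ] && return 0
    [ "${major:-0}" -eq 1 ] && [ "${patch:-0}" -ge 1 ] && return 0
    return 1
}

# ssl_libs_from_ldd "<ldd output>": resolved path of each libssl/libcrypto line,
# e.g. "libssl.so.6 => /lib64/libssl.so.6 (0x...)" yields /lib64/libssl.so.6
ssl_libs_from_ldd() {
    printf '%s\n' "$1" | awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" { print $3 }'
}

# linked_against_prefix "<ldd output>" [prefix]
#   0: every libssl/libcrypto resolves under the prefix
#   1: at least one resolves elsewhere (e.g. the system libssl.so.6 on CentOS 5),
#      i.e. the rebuild did not pick up the new OpenSSL
#   2: no libssl/libcrypto at all (static link, or the binary has no TLS)
linked_against_prefix() {
    prefix="${2:-$SSL_PREFIX}"
    libs=$(ssl_libs_from_ldd "$1")
    [ -n "$libs" ] || return 2
    rc=0
    for lib in $libs; do
        case "$lib" in
            "$prefix"/*) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# check_binary /path: one-line report for an executable or a .so module
check_binary() {
    bin="$1"
    if [ ! -e "$bin" ]; then
        echo "SKIP  $bin (not present)"; return 0
    fi
    out=$(ldd "$bin" 2>/dev/null) || { echo "SKIP  $bin (ldd failed)"; return 0; }
    rc=0
    linked_against_prefix "$out" || rc=$?
    case $rc in
        0) echo "OK    $bin -> $SSL_PREFIX" ;;
        1) echo "WARN  $bin still loads libssl/libcrypto from outside $SSL_PREFIX:"
           ssl_libs_from_ldd "$out" | sed 's/^/        /' ;;
        2) echo "INFO  $bin links no libssl/libcrypto" ;;
    esac
    return 0
}

# probe_tls12 host[:port]: force a TLS 1.2 handshake with the new openssl binary
# and succeed only if the session block reports that TLSv1.2 was negotiated.
probe_tls12() {
    target="$1"
    case "$target" in *:*) ;; *) target="$target:443" ;; esac
    "$SSL_PREFIX/bin/openssl" s_client -tls1_2 -servername "${target%%:*}" \
        -connect "$target" </dev/null 2>/dev/null | grep -q 'Protocol *: TLSv1\.2'
}

# Driver. The paths below are assumptions; adjust them to your layout. Anything
# missing is reported as SKIP rather than treated as an error.
if [ -x "$SSL_PREFIX/bin/openssl" ]; then
    v=$("$SSL_PREFIX/bin/openssl" version)
    if openssl_supports_tls12 "$v"; then echo "OK    $v"; else echo "WARN  $v is too old for TLS 1.2"; fi
fi
for b in /usr/local/bin/curl /usr/sbin/httpd /etc/httpd/modules/mod_ssl.so \
         /usr/local/bin/php /usr/local/lib/php/extensions/*/curl.so; do
    check_binary "$b"
done
if [ -n "${PROBE_HOST:-}" ]; then
    if probe_tls12 "$PROBE_HOST"; then echo "OK    TLSv1.2 to $PROBE_HOST"
    else echo "FAIL  no TLSv1.2 session to $PROBE_HOST"; fi
fi
```

Run it as root after the ./build steps, e.g. `PROBE_HOST=tlstest.paypal.com sh check-ssl.sh`. A WARN for the php binary next to an OK for curl.so is the case worth looking at: both libssl copies then get loaded into the same PHP process, which is the kind of conflict post #5 saw warnings about, and the fix is to rebuild whichever component still resolves the system library.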

  6. #6
    Join Date
    May 2017
    Posts
    1

    Works on centos 5

    Works on centos 5.

    At the end of the installation a message appears:
    Code:
    *** The make has failed, would you like to try again?" (Y, n):
    The fix for the problem is explained at: http://forum.directadmin.com/showthread.php?t=54756

  7. #7
    Join Date
    Aug 2017
    Posts
    1
    Quote Originally Posted by baggs1981 View Post
    Hi There,

    I would also like to know if this worked as upgrading our OS before Paypal lock out everything less then TLS 1.2 in June is not an option.
    I was having this issue, but it's working fine for me now, so you should be fine to upgrade.
