CentOS 5 and a parallel install of OpenSSL 1.0.2a (TLSv1.1 and TLSv1.2)

[CharlesTQ]

We have some customers that are still using CentOS 5 but require PCI compliance. PCI-DSS 3.1 that was released in April says that TLSv1 is no longer good enough and to be fully compliant folks have to be able to use TLSv1.1 and/or TLSv1.2

CentOS 5's built in OpenSSL can only use up to TLSv1 so we were left with a dilemma, one customer in particular has 200 users on one dedicated server that is running CentOS 5 and a must maintain PCI compliance on it. Because moving 200 Users isn't exactly feasable at this moment we're looking at a stop gap option of simply dropping in OpenSSL 1.0.2a and compiling against it.

Has anyone tried this? This is the method I'm using currently with custombuild 2 on a test machine without any customers on it:

Pull the openSSL code: https://www.openssl.org/source/ (change the link in the wget line obviously with the source version) and compile it.

mkdir ~/src/
cd ~/src/
wget https://www.openssl.org/source/openssl-1.0.2a.tar.gz
tar -zxvf openssl-*.tar.gz
cd openssl-*
./config -fpic shared && make && make install
echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
ldconfig

This installs openSSL in /usr/local/ssl and will not overwrite the openSSL version already on disk so everything else compiled against the built in version of OpenSSL is still good to go.

Now pull and compile curl.

We're disabling LDAP in curl, essentially this will hamper PHP LDAP calls and any LDAP calls within curl so if you require LDAP then you are going to have to compile OpenLDAP and it's requirements (DB4 and all of it's requirements) as well to use the new version of openSSL that we just compiled and is outside the scope of what I'm doing.

Grab the download link from there: http://curl.haxx.se/download.html then compile it...

cd /root/src 
wget http://curl.haxx.se/download/curl-7.42.1.tar.gz
tar -xzvf curl-*.tar.gz
cd curl-*
./configure --with-ssl=/usr/local/ssl --disable-ldap && make && make install

Edit the custombuild configure script for apache to use the new SSL by editing /usr/local/directadmin/custombuild/configure/ap2/configure.apache and changing

"--with-ssl=/usr" \         
to
"--with-ssl=/usr/local/ssl" \

Then the same thing with php: Change /usr/local/directadmin/custombuild/configure/ap2/configure.php___ (php55 is for version 5.5 so use the appropriate version)

      --with-openssl\
to
      --with-openssl=/usr/local/ssl \

Then disable curl within custombuild so we don't overwrite what's there and compile apache and php using custombuild:

cd /usr/local/directadmin/custombuild/
./build set curl no
./build apache
./build php

And with that you should now be able to use TLS1.2 and PHP curl calls will be able to use TLSv1.2 (for sending credit card info to payment processors gateways). If for some reason it doesn't work, remove the changes made in the configure files, set curl to yes and rebuild curl, apache and php.

==================================

I plan on testing with a customer tomorrow, but figured I'd toss it out there incase anyone else has tried the same method. This is meant to just buy us some time while we move folks over while still maintaining PCI compliance.

 

[CharlesTQ]

We had an issue with ssh2.so not matching so I had to compile that from scratch as well against our new version of openssl.

I'll provide instructions later tonight when I get some downtime but suffice it to say you have to compile libssl against openssl, then compile php ssh2 against libssl you just compiled then copy the so file over your ssh2.so module.

DirectAdmin still wants to use TLSv1, may be my fault as I didn't build all when upgrading from custombuild 1.2 -> 2, so will need to work on that as well.

 

[orlando]

Did this work

We had an issue with ssh2.so not matching so I had to compile that from scratch as well against our new version of openssl.

I'll provide instructions later tonight when I get some downtime but suffice it to say you have to compile libssl against openssl, then compile php ssh2 against libssl you just compiled then copy the so file over your ssh2.so module.

DirectAdmin still wants to use TLSv1, may be my fault as I didn't build all when upgrading from custombuild 1.2 -> 2, so will need to work on that as well.

I just wanted to know if you successfully got this done because I am having the same issue with current version of openssl -

 

[baggs1981]

Hi There,

I would also like to know if this worked as upgrading our OS before Paypal lock out everything less then TLS 1.2 in June is not an option.

 

[cbolt]

I managed to get this working so I thought I'd post incase anyone else needs this.

I did things slightly differently to the original poster, I configured custombuild to build curl, apache and php using the custom openssl install, so no need to maintain a separate curl install as they did.

I encountered no errors but did see a few warnings about potential conflicts. This should be treated as a temporary measure while you plan a full server upgrade.
Running CentOS 5 and custombuild 2
I hope someone finds this useful.

Download and install SSL in it's own dir:

mkdir ~/src/
cd ~/src/
wget [url]https://www.openssl.org/source/openssl-1.0.1t.tar.gz[/url]
tar -zxvf openssl-1.0.1t.tar.gz
cd openssl-1.0.1t
./config -fpic shared && make && make install
echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
ldconfig

Edit: I forgot to mention, I couldn't download the openssl file, I assume this was because they have turned off tls1.0 support. So I download it to my local machine and then scp it to the server.

Configure the DirectAdmin curl build to use our new openssl:

cd /usr/local/directadmin/custombuild
mkdir custom/curl
cp configure/curl/configure.curl custom/curl/

Edit your custom/curl/configure.curl and change:

./configure
to
./configure --with-ssl=/usr/local/ssl --disable-ldap

Configure the DirectAdmin Apache build to use our new openssl:

mkdir custom/ap2
cp configure/ap2/configure.apache custom/ap2/

Edit your custom/ap2/configure.apache and change:

      --with-ssl\
to
      --with-ssl=/usr/local/ssl \

Configure the DirectAdmin PHP build to use our new openssl (replace the file name with the version you are using):

cp configure/ap2/configure.php56 custom/ap2/

Now edit your custom/ap2/configure.php56 and change:

      --with-openssl\
to
      --with-openssl=/usr/local/ssl \

# Now build curl, php and apache:

./build curl
./build apache
./build php

DONE!!

I did this specifically to address PayPal's upgrade this month. Once complete you can test if everything works OK using:

php -r '$ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "https://tlstest.paypal.com/"); var_dump(curl_exec($ch));'

 

[Gigante]

Works on centos 5

Works on centos 5.

At the end of the installation a message appears:

*** The make has failed, would you like to try again?" (Y, n):

Fix the problem was explained at: http://forum.directadmin.com/showthread.php?t=54756

 

[Dirks]

Hi There,

I would also like to know if this worked as upgrading our OS before Paypal lock out everything less then TLS 1.2 in June is not an option.

i was having this issue but it's working fine for me now so you should be fine to upgrade.