Topic: CWP support for TLSv1.3

CWP support for TLSv1.3
« on: January 25, 2018, 03:23:45 PM »
When is it expected to arrive?

Re: CWP support for TLSv1.3
« Reply #1 on: July 22, 2019, 08:19:49 AM »
Hi n8v8r,

They'll have to update openssl to 1.1.1 for that.

I am currently doing it on my own: recompiling openssl from the 1.1.1e source, then recompiling apache and php; the nginx recompilation still remains.

Regards.

Louis

Re: CWP support for TLSv1.3
« Reply #2 on: October 23, 2019, 03:16:01 AM »
Hi Louis,

Do you have a set of instructions I can follow to recompile everything?

I'm assuming it would be:

recompile openssl
recompile apache
recompile php (I'm not currently using nginx)

Thanks.

Re: CWP support for TLSv1.3
« Reply #3 on: December 31, 2019, 08:10:34 PM »
Really disappointed with the use of legacy OpenSSL packaged with CWP.  :(

Re: CWP support for TLSv1.3
« Reply #4 on: January 06, 2020, 11:40:00 AM »
When is it expected to arrive?

 :) Hi, +1 for me !


« Stay hungry, stay foolish. »

Re: CWP support for TLSv1.3
« Reply #5 on: February 27, 2020, 06:03:57 PM »
Any updates to the TLS v1.3 support?

I just manually enabled TLS v1.2 and disabled 1.0 & 1.1, since they are deprecated already.

Re: CWP support for TLSv1.3
« Reply #6 on: February 27, 2020, 07:02:45 PM »
We join in the request for this function.

Re: CWP support for TLSv1.3
« Reply #7 on: February 27, 2020, 09:11:53 PM »
probably with centos 8 cwp.
« Last Edit: February 27, 2020, 09:14:09 PM by Sandeep »

Re: CWP support for TLSv1.3
« Reply #8 on: July 22, 2020, 09:46:32 AM »
CWP7 Pro on CentOS 7 supports TLS v1.3

My Server is running

1. php + php-fpm 7.3.19
2. openssl 1.1.1g
3. apache 2.4.41




Re: CWP support for TLSv1.3
« Reply #9 on: September 10, 2020, 10:20:52 AM »
CWP7 Pro on CentOS 7 supports TLS v1.3

My Server is running

1. php + php-fpm 7.3.19
2. openssl 1.1.1g
3. apache 2.4.41





Hello brother,
How did you manage to get TLS 1.3 working?
I actually want to disable TLS v1.0 and 1.1.

If v1.3 is not possible, then at least disable 1.0 and 1.1 and keep only TLS v1.2 active. I'm afraid to do anything because I have no test server; I'd be doing it on my running server and I don't want anything bad to happen to it. So I'm looking for some help from experienced men like you.

If you have time, will you please share with us how to do it?

Note: I'm using Nginx, proxy and apache.

Thanks

Re: CWP support for TLSv1.3
« Reply #10 on: September 10, 2020, 05:09:09 PM »
Can you give step-by-step info on how to update OpenSSL?

Re: CWP support for TLSv1.3
« Reply #11 on: September 11, 2020, 05:11:14 AM »
Hi n8v8r,

They'll have to update openssl to 1.1.1 for that.

I am currently doing it on my own: recompiling openssl from the 1.1.1e source, then recompiling apache and php; the nginx recompilation still remains.

Regards.

Louis


CWP on CentOS 8 has OpenSSL 1.1.1c

Re: CWP support for TLSv1.3
« Reply #12 on: September 19, 2020, 09:21:53 AM »
Requirements:
Apache version 2.4.37 or greater.
Nginx version 1.13.0 or greater.
OpenSSL version 1.1.1 or greater.
A valid domain name with correctly configured DNS records.
A valid TLS certificate.

Code:
# openssl version && nginx -v
Code:
# yum install gcc gcc-c++ pcre-devel zlib-devel make unzip gd-devel perl-ExtUtils-Embed libxslt-devel openssl-devel perl-Test-Simple
# yum groupinstall 'Development Tools'

Install OpenSSL
Code:
# cd /usr/src
# wget https://www.openssl.org/source/old/1.1.1/openssl-1.1.1f.tar.gz
# tar xvf openssl-1.1.1f.tar.gz
# mv openssl-1.1.1f openssl
# cd openssl
# ./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl --libdir=/lib64 shared zlib-dynamic
# make -j4
# make test
# make install

We downloaded the latest version of OpenSSL, which is openssl-1.1.1f at the time of writing this post. After that, decompress the file, rename the folder and navigate to the OpenSSL folder. --prefix and --openssldir control the configuration of installed components. The behavior and interactions of --prefix and --openssldir are slightly different between OpenSSL 1.0.2 and below and OpenSSL 1.1.0 and above. Also set --prefix and --openssldir to the same location. shared will force the creation of shared libraries, and zlib means that compression will be performed using the zlib library. It is worth running make test to see if there are any unexpected errors. If there are any, you need to fix them before installing the library.

Now rename the existing OpenSSL binary and add a new symlink.
Code:
# mv /usr/bin/openssl /usr/bin/openssl-backup
# ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl


Here, ldd shows the dependencies of the OpenSSL binary.
Code:
# ldd /usr/bin/openssl
Your newly installed OpenSSL should show TLSv1.3 like below.
Code:
# openssl ciphers -v | awk '{print $2}' | sort | uniq
We have completed the OpenSSL installation part. Now we have to recompile Nginx so that it is built against the newly installed OpenSSL.

Recompile Nginx
Download the installed Nginx version source code from the web. In my case Nginx version 1.16.1 is installed on my production server so I will download the same version and start compiling.

Code:
cd /usr/src
wget http://nginx.org/download/nginx-1.16.1.tar.gz
tar xvf nginx-1.16.1.tar.gz
cd nginx-1.16.1

Code:
./configure --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx \
--modules-path=/usr/lib64/nginx/modules \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--http-client-body-temp-path=/var/lib/nginx/tmp/client_body \
--http-proxy-temp-path=/var/lib/nginx/tmp/proxy \
--http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi \
--http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi \
--http-scgi-temp-path=/var/lib/nginx/tmp/scgi \
--pid-path=/run/nginx.pid \
--lock-path=/run/lock/subsys/nginx --user=nginx \
--group=nginx \
--with-file-aio  \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-stream_ssl_preread_module \
--with-http_addition_module \
--with-http_xslt_module=dynamic \
--with-http_image_filter_module=dynamic \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_degradation_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-http_perl_module=dynamic \
--with-http_auth_request_module \
--with-mail=dynamic \
--with-mail_ssl_module \
--with-pcre \
--with-pcre-jit \
--with-stream=dynamic \
--with-stream_ssl_module \
--with-openssl=/usr/src/openssl

Code:
make -j4
make install


Update your Nginx configuration to enable TLS 1.3. Add the lines below to the server block of your Nginx vhost configuration.

Code:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
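
Added example, not part of the original post: shell checks to run after the rebuild and config change in Reply #12, which also cover the TLS 1.0/1.1 removal asked about earlier in the thread. The function names, the sample `nginx -V` output and the vhost fragment are constructed for illustration.

```shell
# Constructed sample of `nginx -V 2>&1` after the rebuild (not from a real host).
SAMPLE_NGINX_V='nginx version: nginx/1.16.1
built with OpenSSL 1.1.1f  31 Mar 2020'

# Constructed vhost fragment: the second server block still allows TLS 1.0/1.1.
SAMPLE_CONF='server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
}
server {
    listen 8443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # legacy leftover
}'

# Print the OpenSSL version nginx was built with; succeed only if it is >= 1.1.1.
nginx_built_openssl() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    printf '%s\n' "$ver"
    printf '%s\n' "$ver" | awk -F. '{ p = $3; sub(/[a-z]+$/, "", p)
        exit !($1 > 1 || ($1 == 1 && $2 > 1) || ($1 == 1 && $2 == 1 && p + 0 >= 1)) }'
}

# Print "line: directive" for each ssl_protocols line that enables SSLv2, SSLv3,
# TLSv1 or TLSv1.1; exit status is 0 only when none is found.
legacy_protocol_lines() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*/, "") }
        /^[ \t]*ssl_protocols[ \t]/ {
            for (i = 2; i <= NF; i++) {
                tok = $i; sub(/;$/, "", tok)
                if (tok ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) {
                    gsub(/^[ \t]+|[ \t]+$/, ""); print NR ": " $0; bad = 1; break
                }
            }
        }
        END { exit bad + 0 }'
}

# Live probe (needs network; not run here). "refused" may also be the client's own policy.
probe_tls() {
    for flag in tls1 tls1_1 tls1_2 tls1_3; do
        if openssl s_client -connect "$1:${2:-443}" "-$flag" </dev/null >/dev/null 2>&1
        then echo "$flag accepted"; else echo "$flag refused"; fi
    done
}

nginx_built_openssl "$SAMPLE_NGINX_V" >/dev/null && echo "nginx: OpenSSL >= 1.1.1"
legacy_protocol_lines "$SAMPLE_CONF" || echo "legacy protocols still enabled"
```

On a real host, pass in the output of `nginx -V 2>&1` and the contents of the vhost file, then run `probe_tls` against your own domain with the newly built openssl binary.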

Re: CWP support for TLSv1.3
« Reply #13 on: September 19, 2020, 09:24:35 AM »

Re: CWP support for TLSv1.3
« Reply #14 on: September 19, 2020, 03:35:04 PM »
CentOS maintains the openssl version and they fix all vulnerabilities/security.