Control Web Panel

WebPanel => SSL => Topic started by: n8v8r on January 25, 2018, 03:23:45 PM

Title: CWP support for TLSv1.3
Post by: n8v8r on January 25, 2018, 03:23:45 PM
When is it expected to arrive?
Title: Re: CWP support for TLSv1.3
Post by: BiDouiLle on July 22, 2019, 08:19:49 AM
Hi n8v8r,

They'll have to update openssl to 1.1.1 for that.

I am currently doing it on my own: recompile OpenSSL from the 1.1.1e source, then recompile Apache, recompile PHP, and now the nginx recompilation remains.

Regards.

Louis
Title: Re: CWP support for TLSv1.3
Post by: vbpal on October 23, 2019, 03:16:01 AM
Hi Louis,

Do you have a set of instructions I can follow to recompile everything?

I'm assuming it would be:

recompile openssl
recompile apache
recompile php (I'm not currently using nginx)

Thanks.
Title: Re: CWP support for TLSv1.3
Post by: CountRock on December 31, 2019, 08:10:34 PM
Really disappointed on the use of legacy OpenSSL packaged with CWP.  :(
Title: Re: CWP support for TLSv1.3
Post by: Automata on January 06, 2020, 11:40:00 AM
When is it expected to arrive?

:) Hi, +1 for me!
Title: Re: CWP support for TLSv1.3
Post by: Starburst on February 27, 2020, 06:03:57 PM
Any updates to the TLS v1.3 support?

I just manually enabled TLS v1.2 and disabled 1.0 & 1.1, since they are deprecated already.
Title: Re: CWP support for TLSv1.3
Post by: CoriaWeb Hosting on February 27, 2020, 07:02:45 PM
We join in the request for this function.
Title: Re: CWP support for TLSv1.3
Post by: Sandeep on February 27, 2020, 09:11:53 PM
Probably with CentOS 8 CWP.
Title: Re: CWP support for TLSv1.3
Post by: nattapon_c on July 22, 2020, 09:46:32 AM
CWP7 Pro on CentOS 7 supports TLS v1.3.

My Server is running

1. php + php-fpm 7.3.19
2. openssl 1.1.1g
3. apache 2.4.41

(https://i.ibb.co/bBQ9zQy/1595410907047.jpg) (https://ibb.co/nc6Jz6V)

Title: Re: CWP support for TLSv1.3
Post by: sionandes on September 10, 2020, 10:20:52 AM
CWP7 Pro on CentOS 7 supports TLS v1.3.

My Server is running

1. php + php-fpm 7.3.19
2. openssl 1.1.1g
3. apache 2.4.41

(https://i.ibb.co/bBQ9zQy/1595410907047.jpg) (https://ibb.co/nc6Jz6V)



Hello brother,
How did you manage to get TLS 1.3 working?
I actually want to disable TLS v1.0 and 1.1.

If v1.3 is not possible, then at least disable 1.0 and 1.1 and keep only TLS v1.2 active. I'm afraid to do anything because I have no test server; I'd have to do it on my running server and I don't want anything bad to happen to it. So I'm looking for some help from experienced men like you.

If you have time, will you please share with us how to do it?

Note: I'm using nginx, proxy and Apache.

Thanks
Title: Re: CWP support for TLSv1.3
Post by: ekgrad on September 10, 2020, 05:09:09 PM
Can you give step-by-step info on how to update OpenSSL?
Title: Re: CWP support for TLSv1.3
Post by: Starburst on September 11, 2020, 05:11:14 AM
Hi n8v8r,

They'll have to update openssl to 1.1.1 for that.

I am currently doing it on my own: recompile OpenSSL from the 1.1.1e source, then recompile Apache, recompile PHP, and now the nginx recompilation remains.

Regards.

Louis


CWP on CentOS 8 has OpenSSL 1.1.1c
Title: Re: CWP support for TLSv1.3
Post by: DNA on September 19, 2020, 09:21:53 AM
Requirements:
Apache version 2.4.37 or greater.
Nginx version 1.13.0 or greater.
OpenSSL version 1.1.1 or greater.
A valid domain name with correctly configured DNS records.
A valid TLS certificate.

Check the currently installed versions:

# openssl version && nginx -v

Install the build dependencies:

# yum install gcc gcc-c++ pcre-devel zlib-devel make unzip gd-devel perl-ExtUtils-Embed libxslt-devel openssl-devel perl-Test-Simple
# yum groupinstall 'Development Tools'

Install OpenSSL

# cd /usr/src
# wget https://www.openssl.org/source/old/1.1.1/openssl-1.1.1f.tar.gz
# tar xvf openssl-1.1.1f.tar.gz
# mv openssl-1.1.1f openssl
# cd openssl
# ./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl --libdir=/lib64 shared zlib-dynamic
# make -j4
# make test
# make install

We downloaded the latest version of OpenSSL, which is openssl-1.1.1f at the time of writing this post. After that, decompress the file, rename the folder and navigate to the OpenSSL folder. --prefix and --openssldir control the configuration of the installed components. The behavior and interaction of --prefix and --openssldir are slightly different between OpenSSL 1.0.2 and below and OpenSSL 1.1.0 and above, so set --prefix and --openssldir to the same location. shared forces the creation of shared libraries, and zlib-dynamic means that compression will be performed using the zlib library. It is worth running make test to see if there are any unexpected errors; if there are, you need to fix them before installing the library.

Now rename the existing OpenSSL binary and add a new symlink.

# mv /usr/bin/openssl /usr/bin/openssl-backup
# ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl

Here, ldd shows the shared-library dependencies of the new OpenSSL binary (the path is needed; a bare openssl would only be found if it sat in the current directory).

# ldd /usr/bin/openssl

Your newly installed OpenSSL should list TLSv1.3 among the protocol versions, as below.

# openssl ciphers -v | awk '{print $2}' | sort | uniq

We have completed the OpenSSL installation part. Now we have to recompile nginx so that it is built against the newly installed OpenSSL.

Recompile Nginx
Download the source code of the installed nginx version from the web. In my case nginx version 1.16.1 is installed on my production server, so I will download the same version and start compiling.

cd /usr/src
wget http://nginx.org/download/nginx-1.16.1.tar.gz
tar xvf nginx-1.16.1.tar.gz
cd nginx-1.16.1

./configure --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx \
--modules-path=/usr/lib64/nginx/modules \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--http-client-body-temp-path=/var/lib/nginx/tmp/client_body \
--http-proxy-temp-path=/var/lib/nginx/tmp/proxy \
--http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi \
--http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi \
--http-scgi-temp-path=/var/lib/nginx/tmp/scgi \
--pid-path=/run/nginx.pid \
--lock-path=/run/lock/subsys/nginx --user=nginx \
--group=nginx \
--with-file-aio  \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-stream_ssl_preread_module \
--with-http_addition_module \
--with-http_xslt_module=dynamic \
--with-http_image_filter_module=dynamic \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_degradation_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-http_perl_module=dynamic \
--with-http_auth_request_module \
--with-mail=dynamic \
--with-mail_ssl_module \
--with-pcre \
--with-pcre-jit \
--with-stream=dynamic \
--with-stream_ssl_module \
--with-openssl=/usr/src/openssl

make -j4
make install

Update your nginx configuration to enable TLS 1.3. Add the lines below to the server block of your nginx vhost configuration.

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
Title: Re: CWP support for TLSv1.3
Post by: DNA on September 19, 2020, 09:24:35 AM
OpenSSL Vulnerabilities page.
https://www.openssl.org/news/vulnerabilities.html
Title: Re: CWP support for TLSv1.3
Post by: Sandeep on September 19, 2020, 03:35:04 PM
CentOS maintains the OpenSSL version and they fix all vulnerabilities/security issues.
Title: Re: CWP support for TLSv1.3
Post by: David on January 14, 2021, 11:23:22 PM
Hello

I tried almost all of the tutorials to get rid of TLSv1, have TLSv1.2 or v1.3, get an A+ mark and solve the errors and warnings I see in the https://www.ssllabs.com test, but had no success at all. I always get the same errors and I do not understand what I should do...

Here below are the main problems spotted by the test:

1) Server sent invalid HSTS policy. See below for further information.

2) This server supports TLS 1.0 and TLS 1.1. Grade capped to B.

3) This site works only in browsers with SNI support.

I am mostly concerned about points 1 and 2.

Why is the server sending an invalid HSTS policy? How can it be fixed?
I could not find info about this issue.

For the second issue I tried to follow the tutorial in this same post; after launching the make -j4 command it fails to compile nginx 1.18.0.

I also tried this tutorial: https://www.mysterydata.com/get-a-score-rating-with-ssllabs-qualys-in-cwp-control-web-panel/
It did not work for me either.

As for SNI, I think I have understood that it cannot be avoided, as browsers on old OSes, e.g. XP and such, cannot cope with it, so it is not taken into account in the evaluation.

Does anyone have hints about how to fix it?

Thank you
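The two findings above (legacy protocol versions still enabled, and an HSTS policy SSL Labs rejects) can both be caught by reading the nginx server block before reloading, which also closes the loop on the ssl_protocols lines DNA's walkthrough ends with. The following POSIX sh audit is an added example and is not code from this thread or from CWP; the server block it inspects is constructed here (example.invalid, placeholder certificate paths), and it checks two things: that ssl_protocols lists only TLSv1.2/TLSv1.3, and that exactly one Strict-Transport-Security header is added and carries a numeric max-age (a duplicated or max-age-less header is the usual cause of an "invalid HSTS policy" report).

```shell
#!/bin/sh
# Added example (not from the forum thread): audit the TLS settings of an
# nginx server block for legacy protocol versions and a malformed HSTS header.

# Constructed sample with both problems: TLSv1/TLSv1.1 enabled, HSTS added twice.
SAMPLE_CONF='
server {
    listen 443 ssl http2;
    server_name example.invalid;
    ssl_certificate /etc/pki/tls/certs/example.invalid.crt;
    ssl_certificate_key /etc/pki/tls/private/example.invalid.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    add_header Strict-Transport-Security "max-age=0";
}
'

# Constructed hardened counterpart: TLS 1.2/1.3 only, a single HSTS header.
HARDENED_CONF='
server {
    listen 443 ssl http2;
    server_name example.invalid;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
'

# Print the protocol names listed on the ssl_protocols directive of config text $1.
ssl_protocols_of() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*$/\1/p'
}

# Print every enabled protocol that is not TLSv1.2 or TLSv1.3, one per line.
legacy_protocols() {
    for p in $(ssl_protocols_of "$1"); do
        case "$p" in
            TLSv1.2|TLSv1.3) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# Succeed only when no legacy protocol version is enabled.
protocols_ok() {
    [ -z "$(legacy_protocols "$1")" ]
}

# Print the value of every Strict-Transport-Security header the block adds.
hsts_values() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*add_header[[:space:]]*Strict-Transport-Security[[:space:]]*"\([^"]*\)".*$/\1/p'
}

# Succeed only when exactly one HSTS header is added and it carries max-age=<digits>.
hsts_ok() {
    count=$(hsts_values "$1" | grep -c . || true)
    [ "$count" -eq 1 ] || return 1
    hsts_values "$1" | grep -Eq '(^|;)[[:space:]]*max-age=[0-9]+([[:space:]]*;|$)'
}

# Human-readable summary of both checks for config text $1.
audit() {
    if protocols_ok "$1"; then
        echo "protocols: ok (TLS 1.2/1.3 only)"
    else
        echo "protocols: legacy versions enabled: $(legacy_protocols "$1" | tr '\n' ' ')"
    fi
    if hsts_ok "$1"; then
        echo "hsts: ok"
    else
        echo "hsts: header missing, duplicated, or lacking a numeric max-age"
    fi
}

echo "== sample =="
audit "$SAMPLE_CONF"
echo "== hardened =="
audit "$HARDENED_CONF"
```

Run it against a real vhost with `audit "$(cat /etc/nginx/conf.d/vhosts/yourdomain.conf)"` (path assumed; CWP's layout may differ), then `nginx -t` and reload. The check reads only the directives the thread discusses; it does not parse include files or the http-level defaults, so a protocol list inherited from nginx.conf still has to be checked there.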
Title: Re: CWP support for TLSv1.3
Post by: dinho on February 11, 2021, 12:01:09 PM
DNA, your explanation about the compilation of nginx and TLS 1.3 does not work; I tested it as you explained and nginx simply breaks.


please can someone help with cwp-pro centos 7 nginx and tls1.3?
Title: Re: CWP support for TLSv1.3
Post by: Sandeep on April 01, 2021, 12:27:38 PM
Here are the tutorials for TLS 1.3:
https://www.mysterydata.com/how-to-enable-tls-1-3-in-apache-on-cwp-control-web-panel-centos-7-centos-8-el7-el8/
https://www.mysterydata.com/how-to-enable-tls-1-3-in-nginx-cwp-centos-7-centos-8-el7-el8/
Title: Re: CWP support for TLSv1.3
Post by: dp41646 on April 01, 2021, 12:46:01 PM
Hi,
will this be incorporated in future CWP updates, or this has to be done manually?
Thanks
Title: Re: CWP support for TLSv1.3
Post by: Vinayak on December 23, 2021, 06:16:02 PM
Here are the tutorials for TLS 1.3:
https://www.mysterydata.com/how-to-enable-tls-1-3-in-apache-on-cwp-control-web-panel-centos-7-centos-8-el7-el8/
https://www.mysterydata.com/how-to-enable-tls-1-3-in-nginx-cwp-centos-7-centos-8-el7-el8/

Is this tutorial still valid or CWP has it inbuilt now?
Title: Re: CWP support for TLSv1.3
Post by: nattapon_c on September 15, 2022, 07:49:32 AM
1. Upgrade the OpenSSL version
cd /usr/local/src
wget https://www.openssl.org/source/openssl-1.1.1q.tar.gz
tar xvf openssl-1.1.1q.tar.gz
mv openssl-1.1.1q openssl
cd openssl
./config --prefix=/usr --openssldir=/usr/lib64 shared
make -j4
make test
make install



2. Now let's test it all with the following command:

# openssl ciphers -v | awk '{print $2}' | sort | uniq
SSLv3
TLSv1
TLSv1.2
TLSv1.3

3. Rebuild Apache (Webserver Setting > Apache Re-Build)
CWP7 Pro on CentOS 7 supports TLS v1.3.

My Server is running

1. php + php-fpm 7.3.19
2. openssl 1.1.1g
3. apache 2.4.41

(https://i.ibb.co/bBQ9zQy/1595410907047.jpg) (https://ibb.co/nc6Jz6V)



Hello brother,
How did you manage to get TLS 1.3 working?
I actually want to disable TLS v1.0 and 1.1.

If v1.3 is not possible, then at least disable 1.0 and 1.1 and keep only TLS v1.2 active. I'm afraid to do anything because I have no test server; I'd have to do it on my running server and I don't want anything bad to happen to it. So I'm looking for some help from experienced men like you.

If you have time, will you please share with us how to do it?

Note: I'm using nginx, proxy and Apache.

Thanks
Rebuild Apache
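Every recipe in this thread hinges on one question: is the OpenSSL that Apache, nginx and PHP were linked against at least 1.1.1, the first release with TLS 1.3? Checking that from the `openssl version` banner before and after a rebuild is quicker than reading the cipher list, and it catches the case where the system copy is still the distribution's 1.0.2. The function below is an added example, not code from the thread or from CWP; the banners it is fed are constructed samples, and the optional live check at the end only runs if an openssl binary is on the PATH.

```shell
#!/bin/sh
# Added example (not from the forum thread): decide from the `openssl version`
# banner whether the library can speak TLS 1.3 (OpenSSL 1.1.1 or newer).

# Return 0 when the banner in $1 names OpenSSL >= 1.1.1, 1 when it is older,
# and 2 when the banner is not an OpenSSL banner at all (e.g. LibreSSL).
openssl_supports_tls13() {
    # Pull "major minor patch" out of e.g. "OpenSSL 1.1.1q  5 Jul 2022";
    # the letter suffix (q, k-fips, ...) is irrelevant to TLS 1.3 support.
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL[[:space:]]*\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/p')
    [ -n "$ver" ] || return 2
    set -- $ver
    major=$1; minor=$2; patch=$3
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 1 ] && return 0
    return 1
}

# Print a one-line verdict for a banner, for use in a pre-rebuild checklist.
report() {
    if openssl_supports_tls13 "$1"; then
        echo "TLS 1.3 capable : $1"
    else
        case $? in
            2) echo "not OpenSSL      : $1" ;;
            *) echo "TOO OLD for 1.3  : $1" ;;
        esac
    fi
}

# Constructed banners: the CentOS 7 stock build, the versions named in this
# thread, and two non-matching cases.
report "OpenSSL 1.0.2k-fips  26 Jan 2017"
report "OpenSSL 1.1.0h  27 Mar 2018"
report "OpenSSL 1.1.1g  21 Apr 2020"
report "OpenSSL 1.1.1q  5 Jul 2022"
report "OpenSSL 3.0.2 15 Mar 2022"
report "LibreSSL 2.8.3"

# Live check of whatever openssl is first on the PATH, if one exists.
if command -v openssl >/dev/null 2>&1; then
    report "$(openssl version)"
fi
```

After a rebuild, run the same check against the binary each server actually loads rather than the first one on the PATH: `ldd /usr/sbin/nginx | grep libssl` and `httpd -V` (or `apachectl -V`) show which libssl each daemon was linked with, and a 1.1.1 binary in /usr/bin does not help a daemon still bound to libssl.so.10.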