Ability to Override CurlSSL and OpenSSL Libraries

Avalon Thorne shared this idea 2 years ago
Open Discussion

After spending nearly a week in contact with SoftLayer, CloudLinux, and cPanel Support, for what would amount to wasted effort, it was suggested that I propose this feature request: allow the ability to override where EasyApache pulls the CurlSSL and OpenSSL libraries. Put all the red warnings you all like about how cPanel won't support such configurations and that it is for advanced users only, but when one needs these libraries for very specific purposes there is currently no way to override EasyApache. All previously suggested ways on the cPanel forums don't work and, quite frankly, I shouldn't have to declare proverbial war on EasyApache to try and get the system to use our custom-built packages.

Fortunately, the needs for which we required OpenSSL 1.0.2a-fips were met by the fact that the shell and everything other than cPanel-based services are using our libraries, but cPanel uses the originally "yum installed" libraries.

I don't ever recall it being this difficult many years ago (or rather, now, impossible), but the reality is there are use cases and experienced administrators who would like to use their own version of the SSL libraries and fully understand that it is their responsibility to maintain such a setup.

Perhaps a feature for EasyApache 4? I get hand-holding for those who really have no business messing with those settings, but there are others like myself who do need the ability to override EasyApache's library selection, which at the moment only uses the yum packages.

So now, at least in my case, I have a side-by-side install of the two libraries; a very unusual case, but no doubt it would be less unusual if we could actually use our own built libraries.

Comments (8)

1

Compile your own ssl with ./config shared -fPIC --prefix=/opt/ssl

Then create the file: /var/cpanel/easy/apache/rawopts/Apache2_4

And add the line

--with-ssl=/opt/ssl

Pretty easy to do. It's in the documentation.

1

Actually, at the time this was posted, cPanel Support even confirmed that there was no known method of overriding the libraries EasyApache 3 used for the CurlSSL and OpenSSL libraries, in particular on CloudLinux-based systems.

Perhaps that's changed since then but naturally this was posted almost an entire year ago.

1

I was able to override OpenSSL to get HTTP/2 up, but trying to override CurlSSL breaks it, at least in my attempts. Mothballed it, for now.

1

The following has been working properly for me:

# Build a private OpenSSL under /opt/openssl
cd /usr/local/src/
wget http://www.openssl.org/source/openssl-1.0.1r.tar.gz
tar -zxf openssl-1.0.1r.tar.gz
cd openssl-1.0.1r
./config shared -fPIC --prefix=/opt/openssl
make && make install

# Build curl against that OpenSSL and install it over /opt/curlssl
cd /usr/local/src/
mv /opt/curlssl.orig /opt/curlssl.orig2
# --no-check-certificate skips TLS certificate verification of the download host; the tarball's integrity is not checked here
wget http://curl.haxx.se/download/curl-7.45.0.tar.gz --no-check-certificate
tar -zxf curl-7.45.0.tar.gz
cd curl-7.45.0
env LDFLAGS=-R/opt/openssl/lib CPPFLAGS=-I/opt/openssl/include ./configure --prefix=/opt/curlssl --with-ssl=/opt/openssl --enable-http --enable-ftp
make
# Keep a dated copy of the previous /opt/curlssl before installing over it
mv /opt/curlssl /opt/curlssl.orig.`date +%F`
make install

# Rebuild Apache with the custom OpenSSL on the compiler/linker paths
LDFLAGS="-L/opt/openssl/lib" CPPFLAGS="-I/opt/openssl/include" nice -n 18 /scripts/easyapache --build
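The rebuild above only helps if the binaries you care about actually load the rebuilt libraries; the original post notes that cPanel's own services kept using the yum-installed ones. This added check (not from the thread or from cPanel) parses `ldd` output and reports whether libssl/libcrypto resolve under an expected prefix such as /opt/openssl; the ldd samples inside it are constructed, and the binary paths you pass to check_binary are your own.

```shell
#!/bin/sh
# Added example: verify which libssl/libcrypto a binary really loads.

# Read `ldd` output on stdin; print "libname path" for libssl/libcrypto only.
crypto_libs_from_ldd() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ { print $1, $3 }'
}

# Read `ldd` output on stdin; exit 0 only if at least one libssl/libcrypto
# was found AND every one of them resolved under "$1/".
links_under_prefix() {
    crypto_libs_from_ldd | awk -v p="$1" '
        { n++; if (index($2, p "/") != 1) bad++ }
        END { if (n == 0 || bad > 0) exit 1; exit 0 }'
}

# Usage: check_binary /path/to/binary /opt/openssl
# Prints OK/MISMATCH per binary; the exit status mirrors links_under_prefix.
check_binary() {
    if ldd "$1" 2>/dev/null | links_under_prefix "$2"; then
        echo "OK       $1 -> libssl/libcrypto under $2"
    else
        echo "MISMATCH $1 -> $(ldd "$1" 2>/dev/null | crypto_libs_from_ldd | tr '\n' ' ')"
        return 1
    fi
}

# Constructed ldd output for a curl built against /opt/openssl ...
SAMPLE_CUSTOM='	linux-vdso.so.1 =>  (0x00007fff3c5ff000)
	libssl.so.1.0.0 => /opt/openssl/lib/libssl.so.1.0.0 (0x00007f1a2c000000)
	libcrypto.so.1.0.0 => /opt/openssl/lib/libcrypto.so.1.0.0 (0x00007f1a2bc00000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f1a2b800000)'

# ... and for a binary still linked to the distribution's yum-installed OpenSSL.
SAMPLE_SYSTEM='	linux-vdso.so.1 =>  (0x00007fff3c5ff000)
	libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f1a2c000000)
	libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f1a2bc00000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f1a2b800000)'

# Stand-alone demonstration on the constructed samples (no ldd needed).
for s in CUSTOM SYSTEM; do
    eval "out=\$SAMPLE_$s"
    if printf '%s\n' "$out" | links_under_prefix /opt/openssl; then
        echo "$s: uses /opt/openssl"
    else
        echo "$s: still using $(printf '%s\n' "$out" | crypto_libs_from_ldd | awk '{print $2}' | tr '\n' ' ')"
    fi
done
```

On a live system, run `check_binary /opt/curlssl/bin/curl /opt/openssl` and the same against the Apache and cPanel-shipped binaries you expect to have moved; a MISMATCH line shows exactly which library path the loader still picks.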

1

CentOS 6's curl version isn't compatible with SNI servers; however, CentOS 7's is. It would be very nice if there was a supported way to make CentOS 6 compatible with SNI.

This is currently required for ownCloud and the latest update of PayPal's library.

1

Honestly, if you're still worrying about SNI, all you're worrying about is operating systems that are no longer updated or maintained. I personally ignore those people. I don't need customers with a ton of infections blaming my stuff for not working when it's 100% their end.

1

Curl has a bug in Red Hat 5 and Red Hat 6 that prevents it from being able to use SSL with SNI.

It's maintained in the sense that they fix security issues, but not this bug.

Are all of your cPanel servers running CentOS 7? If not, you would have to manually replace curl, which isn't supported by cPanel and is the reason for this feature request.

The PayPal library actually officially requires a newer version of curl than the one in CentOS 7, but Red Hat has patched it because it works.

1

To further extend upon this, attempting to mess with the libraries for CurlSSL and OpenSSL in the way described earlier actually breaks cPanel services on CloudLinux 6 systems. Aside from the obvious downsides of not being able to override EasyApache's choice for these libraries, some of us have federally regulated mandates to meet.

Of course, these federal regulations are also pushing us more and more towards Windows Server, but the fact that overriding what should be a trivial task on CL6 systems with cPanel, using newer and customized versions of the libraries, causes more issues than simple SNI.
