CentOS 5 is becoming quite long in the tooth, especially with its VERY old OpenSSL libraries, which only support TLS 1.0. However, it's still a couple of years from becoming EOL. In the meantime, we can upgrade OpenSSL to the latest source and rebuild Apache and PHP against it quite easily. This should also survive cPanel and EasyApache updates.
Build the latest OpenSSL, but first check openssl.org for the latest download link; the link below may be old by the time you read this:
wget 'http://www.openssl.org/source/openssl-1.0.2a.tar.gz'
tar -zxf openssl-1.0.2a.tar.gz
cd openssl-1.0.2a
./config shared -fPIC
make
make install
Then we download and build the latest curl and place it in /opt/curlssl, built against the OpenSSL we just installed in /usr/local/ssl. Again, please check for the latest curl version first, because the link in this article will likely be old.
rm -rf /opt/curlssl
wget 'http://curl.haxx.se/download/curl-7.41.0.tar.gz'
tar -zxf curl-7.41.0.tar.gz
cd curl-7.41.0
./configure --prefix=/opt/curlssl --with-ssl=/usr/local/ssl --enable-http --enable-ftp LDFLAGS=-L/usr/local/ssl/lib CPPFLAGS=-I/usr/local/ssl/include
make
make install
Now we tell EasyApache to use our new OpenSSL and Curl libraries when rebuilding Apache and PHP:
cd /var/cpanel/easy/apache/rawopts
touch all_php5
touch Apache2_4
Place the following in all_php5:
--enable-ssl --with-ssl=/usr/local/ssl --with-curl=/opt/curlssl LDFLAGS=-L/usr/local/ssl/lib CPPFLAGS=-I/usr/local/ssl/include
Place the following in Apache2_4:
--with-ssl=/usr/local/ssl LDFLAGS=-L/usr/local/ssl/lib CPPFLAGS=-I/usr/local/ssl/include
The final step is to rebuild Apache using EasyApache. You can build your last profile or customise it as you wish.
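Once EasyApache has finished, it is worth confirming that the rebuilt binaries really picked up the new libraries rather than the stock 0.9.8 in /lib64. The script below is an added example (not part of the original post or of cPanel) that checks three things: that httpd's libssl resolves into /usr/local/ssl/lib, that the OpenSSL PHP was compiled against is 1.0.1 or newer (the first release with TLS 1.2), and that a TLS 1.2 handshake succeeds against the local vhost. The httpd path, the php binary on PATH and 127.0.0.1:443 as the test target are assumptions based on a default cPanel layout; the sample ldd and php -i outputs embedded in the script are constructed so the parsing helpers can be exercised on a machine without cPanel.

```shell
#!/bin/sh
# Post-rebuild verification helpers. Added example, not from the original post.
# Assumptions: cPanel's default httpd at /usr/local/apache/bin/httpd, php on
# PATH, the new OpenSSL in /usr/local/ssl, and a vhost listening on 127.0.0.1:443.

# tls12_capable "OpenSSL x.y.z ..." -> 0 if the version is 1.0.1 or newer
# (TLS 1.2 arrived in 1.0.1), 1 if older or unparseable.
tls12_capable() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 1
    set -- $ver
    major=$1; minor=$2; patch=$3
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -gt 0 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "$patch" -ge 1 ]; then return 0; fi
    return 1
}

# uses_local_ssl "<ldd output>" -> 0 if libssl resolves under /usr/local/ssl/lib
uses_local_ssl() {
    printf '%s\n' "$1" | grep -q 'libssl\.so[^ ]* => /usr/local/ssl/lib/'
}

# php_openssl_version "<php -i output>" -> the "OpenSSL Library Version" value
php_openssl_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL Library Version => //p' | head -n 1
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_LDD_OLD='	libssl.so.6 => /lib64/libssl.so.6 (0x00002b1c2f4a3000)
	libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002b1c2f6f0000)'
SAMPLE_LDD_NEW='	libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00002b1c2f4a3000)
	libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00002b1c2f6f0000)'
SAMPLE_PHPINFO='openssl
OpenSSL support => enabled
OpenSSL Library Version => OpenSSL 1.0.2a 19 Mar 2015
OpenSSL Header Version => OpenSSL 1.0.2a 19 Mar 2015'

# check_live_system: run the checks against the real host; prints PASS/FAIL
# lines and returns non-zero if anything failed.
check_live_system() {
    status=0
    if [ -x /usr/local/apache/bin/httpd ]; then
        if uses_local_ssl "$(ldd /usr/local/apache/bin/httpd)"; then
            echo "PASS httpd links libssl from /usr/local/ssl/lib"
        else
            echo "FAIL httpd still links the system libssl"; status=1
        fi
    fi
    if command -v php >/dev/null 2>&1; then
        v=$(php_openssl_version "$(php -i 2>/dev/null)")
        if tls12_capable "$v"; then
            echo "PASS php built against $v"
        else
            echo "FAIL php OpenSSL is '$v' (no TLS 1.2)"; status=1
        fi
    fi
    # Force a TLS 1.2 handshake with the new openssl binary; the target is an assumption.
    if echo | /usr/local/ssl/bin/openssl s_client -tls1_2 -connect 127.0.0.1:443 >/dev/null 2>&1; then
        echo "PASS TLS 1.2 handshake on 127.0.0.1:443"
    else
        echo "FAIL TLS 1.2 handshake on 127.0.0.1:443"; status=1
    fi
    return $status
}

# Only touch the live system when asked: sh verify.sh --live
if [ "${1:-}" = "--live" ]; then
    check_live_system
fi
```

Run it as `sh verify.sh --live` on the cPanel box after the EasyApache build; a FAIL on the httpd line usually means the Apache2_4 rawopts file was not picked up, while a FAIL on the php line points at all_php5.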
As of the time of writing, the following cipher suite settings (assuming you've already disabled SSLv2 and SSLv3) in the Apache configuration are the simplest that yield an A at SSL Labs with broad browser support on Apache 2.2:
Bear in mind we're still using OpenSSL 0.9.8 for all other services, and to achieve an A+, Apache 2.4 and some other settings may be required. If you require all services on TLS 1.2, upgrading your entire OS may be the only real option.