CentOS (6.3) TLS1.2 Support with cURL and OpenSSL

Jukkis
Posts: 3
Joined: 2018/07/03 16:20:21

CentOS (6.3) TLS1.2 Support with cURL and OpenSSL

Post by Jukkis » 2018/07/03 16:33:02

I have a problem with a production server running CentOS 6.3 (final). Recently PayPal dropped support for SSLv3, TLS 1.0, and TLS 1.1 and now only supports TLS 1.2. The solution seems to be to have cURL use OpenSSL.

I have upgraded OpenSSL, cURL and php-curl to the latest using yum, i.e.
OpenSSL 1.0.1e-fips 11 Feb 2013
curl 7.19.7 (x86_64_redhat-linu-gnu) .. NSS/3.27

When I then use PHP to check the loaded cURL, the SSL version says NSS/3.27.1. Or from the SSH console:

[root]# php -r "print_r(curl_version());" | grep ssl_version
[ssl_version_number] => 0
[ssl_version] => NSS/3.27.1

Now I need to somehow get cURL to use the OpenSSL 1.0.1e-fips that is already loaded on CentOS.

I have found the article below on Stack Overflow regarding the subject:
https://stackoverflow.com/questions/351 ... sl-version

However, it goes into removing PHP, recompiling things etc. I am on a production server (with an ISP) and do not really want any significant (risk of) downtime. So your suggestions to modify/update cURL would be greatly appreciated.

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: CentOS (6.3) TLS1.2 Support with cURL and OpenSSL

Post by avij » 2018/07/03 18:03:43

You're still not using the latest nss and curl. Try yum update without any other parameters to upgrade your system to CentOS 6.10. Lots of TLS changes went into 6.8 and 6.9.

Jukkis
Posts: 3
Joined: 2018/07/03 16:20:21

Re: CentOS (6.3) TLS1.2 Support with cURL and OpenSSL

Post by Jukkis » 2018/07/04 14:57:30

I have now updated to CentOS release 6.10 (final).

But when I check the cURL version, I still get the following:

[root]# php -r "print_r(curl_version());" | grep ssl_version
[ssl_version_number] => 0
[ssl_version] => NSS/3.27.1

So still not using (which is still installed)
OpenSSL 1.0.1e-fips 11 Feb 2013

Any further suggestions to upgrade cURL to use OpenSSL?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CentOS (6.3) TLS1.2 Support with cURL and OpenSSL

Post by TrevorH » 2018/07/04 15:09:12

I think you may be chasing a red herring with the openssl vs nss thing. Everything in CentOS 6 should be TLS 1.2 enabled if you are up to date. For example, from https://www.paypal-notice.com/en/TLS-1. ... 1-Upgrade/

[trevor@c6test ~]$ curl -tls1_2 https://tlstest.paypal.com/
PayPal_Connection_OK
[trevor@c6test ~]$

Edit: tested without -tls1_2 too and that works as well so it's not necessary to explicitly enable it.

The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Jukkis
Posts: 3
Joined: 2018/07/03 16:20:21

Re: CentOS (6.3) TLS1.2 Support with cURL and OpenSSL

Post by Jukkis » 2018/07/09 10:50:55

Yes, I get the same reply:

[root]# curl -tls1_2 https://tlstest.paypal.com
PayPal_Connection_OK

So the issue must be something else. I appreciate your help. Thank you.
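
Added example, not part of the thread or written by any of its posters: a small script that reads the TLS backend out of both `curl --version` and PHP's `curl_version()` output, checks that the two agree, and repeats the PayPal test request through php-curl as well as the CLI. The function names are hypothetical, the sample lines are constructed to match the output quoted above, and the CLI probe assumes a curl build that has the `--tlsv1.2` option.

```bash
#!/bin/bash
# Added example, not from the thread. Function names are hypothetical.
# Constructed samples modelled on the output quoted in the thread.
SAMPLE_CLI='curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3'
SAMPLE_PHP='    [ssl_version_number] => 0
    [ssl_version] => NSS/3.27.1'

# Read `curl --version` or print_r(curl_version()) text on stdin and print
# the first TLS backend token found, e.g. "NSS/3.27.1". Prints nothing if none.
tls_backend() {
    grep -Eo '(NSS|OpenSSL|GnuTLS)/[0-9][0-9A-Za-z.-]*' | head -n 1
}

# Succeed only if both texts name the same backend; a CLI test says little
# about PHP when php-curl is linked against a different library.
same_backend() {
    local a b
    a=$(printf '%s\n' "$1" | tls_backend)
    b=$(printf '%s\n' "$2" | tls_backend)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Live probe with the curl CLI (needs network and a curl that has --tlsv1.2).
probe_cli() {
    [ "$(curl --silent --tlsv1.2 "$1")" = "PayPal_Connection_OK" ]
}

# Live probe through php-curl, the code path the application actually uses.
probe_php() {
    php -r '$c = curl_init($argv[1]);
            curl_setopt($c, CURLOPT_RETURNTRANSFER, true);
            $body = curl_exec($c);
            if ($body === false) { fwrite(STDERR, curl_error($c) . "\n"); exit(1); }
            exit(trim($body) === "PayPal_Connection_OK" ? 0 : 1);' -- "$1"
}

# Run the live probes only when asked: ./check.sh --probe
if [ "${1:-}" = "--probe" ]; then
    url=https://tlstest.paypal.com/
    curl --version | tls_backend
    php -r 'print_r(curl_version());' | tls_backend
    probe_cli "$url" && echo "CLI curl: PayPal_Connection_OK" || echo "CLI curl: failed"
    probe_php "$url" && echo "php-curl: PayPal_Connection_OK" || echo "php-curl: failed"
fi
```

If the CLI probe succeeds and the php-curl probe fails, the error text printed by `curl_error()` is the next thing to look at.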
