TLS 1.2 and SHA-256 Compatibility

bh-tech

Well-Known Member
#1
We received an email from PayPal informing us of updates they were making to their security.

It required us to update our integration to support certificates using SHA-256 and we also need to support TLS1.2.

Does LiteSpeed support both of these updates? If so, what changes need to be made on my end?

We have Litespeed Web Server Enterprise 5.0.17.
 

wanah

Well-Known Member
#2
LiteSpeed is compatible; the issue is going to be for CentOS 6 users, as most PHP installs use CentOS's default curl version, which is only compatible with TLS 1.2 starting with CentOS 7.
 

bh-tech

Well-Known Member
#3
I see - I thought there might be an issue with TLS compatibility - fortunately we have more time to make that change.

In terms of SHA-2 compatibility, is it just a matter of installing an updated certificate? Or do I need to make changes in LiteSpeed to support the certificate?
 

mistwang

LiteSpeed Staff
#4
If it is for PayPal connecting to your LSWS web server, everything should be fine.
If it is for connecting to PayPal from some PHP code, you need to make sure PHP has linked against an OpenSSL version that supports TLSv1.2.
 

bh-tech

Well-Known Member
#5
> If it is for PayPal connecting to your LSWS web server, everything should be fine.
> If it is for connecting to PayPal from some PHP code, you need to make sure PHP has linked against an OpenSSL version that supports TLSv1.2.

How do I make sure 'PHP has linked against an OpenSSL version support'?

Wouldn't my OpenSSL version be the same as LiteSpeed's latest release? OpenSSL 1.0.2h
 

mistwang

LiteSpeed Staff
#6
The LiteSpeed binary is statically linked against OpenSSL 1.0.2h; it does not use the OpenSSL library that comes with the system.
You can find out the version of OpenSSL used by PHP through phpinfo().
If it is not the version you need, you need to compile OpenSSL 1.0.2h from source, then build your own PHP binary against the OpenSSL library you just compiled.
 

wanah

Well-Known Member
#9
PayPal's SDK requires curl 7.34 (Red Hat's CentOS 7 version works, but the CentOS 5 and 6 versions don't), and for TLS 1.2 CentOS 5 will also need an OpenSSL upgrade; I think that CentOS 6's OpenSSL is OK. CentOS 5 will be end of life next year, so it might be time to think about moving sites to a new server with CentOS 7. We moved our CentOS 5 servers to CentOS 7 ones 2 months ago.
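The two checks the thread keeps circling back to (which OpenSSL PHP is actually linked against, per post #6, and whether the curl build meets the 7.34 / TLS 1.2 bar PayPal's SDK needs, per post #9) can be scripted rather than read off phpinfo(). The following is an added example, not code from the thread, from LiteSpeed or from PayPal. It assumes only the PHP openssl and curl extensions; the hostname argument is a placeholder for your own domain (to inspect the certificate chain your LSWS presents, which is where the SHA-256 question lives) or for the PayPal endpoint you integrate with. The 7.34.0 threshold comes from post #9; the OpenSSL 1.0.1 threshold is the first OpenSSL release with TLS 1.2 and is a fact about OpenSSL, not something stated in the thread.

```php
<?php
// Added compatibility check (not from the thread, LiteSpeed or PayPal).
// Run it with the PHP binary your site actually uses: from the CLI
// (php tls_check.php yourdomain.example) or through the web server, because the
// CLI build and the LSAPI build can be linked against different libraries.

$MIN_CURL    = '7.34.0';    // minimum libcurl named in post #9 above
$MIN_OPENSSL = 0x1000100f;  // OpenSSL 1.0.1, first release with TLS 1.2 (OpenSSL fact, not from the thread)

/** Report the OpenSSL version PHP's openssl extension was linked against. */
function checkOpenssl($minNumber) {
    if (!extension_loaded('openssl')) {
        return array('ok' => false, 'detail' => 'openssl extension not loaded');
    }
    return array(
        'ok'     => OPENSSL_VERSION_NUMBER >= $minNumber,
        'detail' => OPENSSL_VERSION_TEXT,
    );
}

/** Report libcurl's version and the TLS library it was built with (which can differ from PHP's). */
function checkCurl($minVersion) {
    if (!function_exists('curl_version')) {
        return array('ok' => false, 'detail' => 'curl extension not loaded');
    }
    $v  = curl_version();
    $ok = version_compare($v['version'], $minVersion, '>=')
        && defined('CURL_SSLVERSION_TLSv1_2');   // constant present from PHP 5.5 / libcurl 7.34
    return array('ok' => $ok, 'detail' => 'curl ' . $v['version'] . ' built with ' . $v['ssl_version']);
}

/** Force a TLS 1.2-only handshake to $host through cURL, the way an SDK pinned to TLS 1.2 would. */
function probeTls12($host) {
    if (!defined('CURL_SSLVERSION_TLSv1_2')) {
        return array('ok' => false, 'detail' => 'this curl extension cannot request TLS 1.2');
    }
    $ch = curl_init('https://' . $host . '/');
    curl_setopt_array($ch, array(
        CURLOPT_NOBODY         => true,   // only the handshake matters here
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2,
        CURLOPT_SSL_VERIFYPEER => true,   // keep chain validation on; a failure here is a finding too
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CONNECTTIMEOUT => 10,
    ));
    curl_exec($ch);
    $err = curl_error($ch);
    curl_close($ch);
    return array('ok' => $err === '', 'detail' => $err === '' ? 'TLS 1.2 handshake succeeded' : $err);
}

/** Fetch the certificate chain $host presents and report the signature algorithm of each certificate. */
function certSignatureAlgorithms($host) {
    $ctx = stream_context_create(array('ssl' => array(
        'capture_peer_cert_chain' => true,
        'verify_peer'             => true,
        'verify_peer_name'        => true,
        'SNI_enabled'             => true,
        'peer_name'               => $host,
    )));
    $sock = @stream_socket_client('ssl://' . $host . ':443', $errno, $errstr, 10,
                                  STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        return array('ok' => false, 'detail' => "connect failed: $errstr ($errno)");
    }
    $params = stream_context_get_params($sock);
    fclose($sock);

    $report = array();
    $allSha2 = true;
    foreach ($params['options']['ssl']['peer_certificate_chain'] as $cert) {
        $info = openssl_x509_parse($cert);
        // signatureTypeSN is reported by PHP 5.6+; older builds show 'unknown' here
        $alg  = isset($info['signatureTypeSN']) ? $info['signatureTypeSN'] : 'unknown';
        $name = isset($info['subject']['CN']) ? $info['subject']['CN'] : '(no CN)';
        $report[] = $name . ': ' . $alg;
        // A self-signed root may still be SHA-1 (roots are trusted by identity, not signature);
        // the leaf and every intermediate are what must be SHA-2.
        if ($info['subject'] !== $info['issuer'] && stripos($alg, 'sha1') !== false) {
            $allSha2 = false;
        }
    }
    return array('ok' => $allSha2, 'detail' => implode('; ', $report));
}

$host = isset($argv[1]) ? $argv[1] : 'www.example.com';   // placeholder: pass your own domain
foreach (array(
    'PHP openssl'   => checkOpenssl($MIN_OPENSSL),
    'PHP curl'      => checkCurl($MIN_CURL),
    'TLS 1.2 probe' => probeTls12($host),
    'cert chain'    => certSignatureAlgorithms($host),
) as $name => $r) {
    printf("[%s] %-14s %s\n", $r['ok'] ? 'OK' : '!!', $name, $r['detail']);
}
```

A "!!" on the openssl line with a 1.0.0 or 0.9.8 version string is exactly the situation post #6 describes: LiteSpeed's own static OpenSSL 1.0.2h is irrelevant to outbound connections from PHP, so the fix is a PHP rebuilt against a newer OpenSSL (or a newer OS). A "!!" on the curl line confirms the CentOS 5/6 problem from post #9 even when OpenSSL itself is new enough, because libcurl, not OpenSSL, is what the SDK drives.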
 

bh-tech

Well-Known Member
#10
> PayPal's SDK requires curl 7.34 (Red Hat's CentOS 7 version works, but the CentOS 5 and 6 versions don't), and for TLS 1.2 CentOS 5 will also need an OpenSSL upgrade; I think that CentOS 6's OpenSSL is OK. CentOS 5 will be end of life next year, so it might be time to think about moving sites to a new server with CentOS 7. We moved our CentOS 5 servers to CentOS 7 ones 2 months ago.

Hi wanah - thanks for that info.

Moving to CentOS 7 is definitely on our radar with the end of life coming up next year. PayPal have a deadline for TLS 1.2 support by June next year. It's just the SHA-2 compatibility that needs to be done more imminently (ideally by June 17 2016). But looking more into it, as you've described above, CentOS 5 will limit our OpenSSL version, meaning compatibility with SHA-2 on CentOS 5 is highly unlikely.

We have a fairly complex server, with a vBulletin forum, 2 x WordPress blogs, a reviews system, a PHP-based directory system, and a newsletter system, so I feel our move to CentOS 7 is going to be quite complicated.

How did you find the migration? Did you run into any issues? Anything to warn us about?
 

wanah

Well-Known Member
#11
Hello,
The server we moved was running on cPanel with MySQL 5.1 and CloudLinux 5 (mostly the same as CentOS 5) and Apache 2.2 with suPHP.
Our new server is running CloudLinux 7, MariaDB 10.1, and LiteSpeed 5.0.

We only had three websites that showed errors after the move, which we resolved by replacing PHP's mysql extension with mysqlnd (a default charset issue resolved automatically by PHP's mysqlnd extension).

Apart from this everything was very smooth, just as smooth as migrating from CentOS 5 to CloudLinux 6.

Make sure your PHP configuration matches and everything should be fine. CloudLinux's PHP Selector helped us keep the same versions of PHP as on the previous server.

If you only have a few accounts on the server you might want to move accounts individually (using the cPanel transfer tool if you're on cPanel), so you can revert quickly if something doesn't work.
 