Why SSL Is So Slow to Catch On

If you are going SSL onto existing non-SSL sites, make sure you let the search engines know with a proper 301 in your htaccess.

(Unless I misunderstood the question, it seems the convo is server centered. Wasn't sure.)

Edit to add, just noticed which forum this was in, sorry.
 
Yer, updating to 1.0.2k is usually one of the first things I do on a server. A pretty simple task though, and agreed, an important one.

I didn't think the 1.1.x branch was even compatible with CentOS 7?
FYI, the OpenSSL 1.0.2 rebase is scheduled for Red Hat/CentOS 7.4, and OpenSSL 1.1.0 will be coming to RHEL/CentOS 7.4+ via an SCL side port: https://bugzilla.redhat.com/show_bug.cgi?id=1276310

Centmin Mod 123.09beta01's Nginx defaults to the LibreSSL 2.4 branch but can optionally switch to OpenSSL 1.0.2k or newer via LIBRESSL_SWITCH='n' set in the persistent config file /etc/centminmod/custom_config.inc, or define the OPENSSL_VERSION override variable as OpenSSL 1.1.0e to switch from LibreSSL 2.4 to the OpenSSL 1.1 branch.

Set these variables in the persistent config file /etc/centminmod/custom_config.inc prior to the centmin.sh menu option 4 recompile of Nginx:
Code:
OPENSSL_VERSION='1.1.0e'
LIBRESSL_SWITCH='n'
On CentOS 7 with a Centmin Mod 123.09beta01 build:
Code:
nginx -V
nginx version: nginx/1.11.12
built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
built with OpenSSL 1.1.0e 16 Feb 2017

TLS SNI support enabled
configure arguments: --with-ld-opt='-ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -mtune=native -mfpmath=sse -g -O3 -fstack-protector -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-sign-compare -Wno-string-plus-int -Wno-deprecated-declarations -Wno-unused-parameter -Wno-unused-const-variable -Wno-conditional-uninitialized -Wno-mismatched-tags -Wno-sometimes-uninitialized -Wno-parentheses-equality -Wno-tautological-compare -Wno-self-assign -Wno-deprecated-register -Wno-deprecated -Wno-invalid-source-encoding -Wno-pointer-sign -Wno-parentheses -Wno-enum-conversion -Wno-c++11-compat-deprecated-writable-strings -Wno-write-strings -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.0 --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.3.0 --add-module=../set-misc-nginx-module-0.31 --add-module=../echo-nginx-module-0.60 --add-module=../redis2-nginx-module-0.13 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.17 --add-module=../srcache-nginx-module-0.31 --add-module=../headers-more-nginx-module-0.32 --with-pcre=../pcre-8.40 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.0e
Don't like compiling Nginx with the clang compiler and want to use the GCC default? Just set CLANG='n' in the persistent config file prior to the centmin.sh menu option 4 recompile of Nginx:
Code:
OPENSSL_VERSION='1.1.0e'
LIBRESSL_SWITCH='n'
CLANG='n'
Code:
nginx -V
nginx version: nginx/1.11.12
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC)
built with OpenSSL 1.1.0e 16 Feb 2017

TLS SNI support enabled
configure arguments: --with-ld-opt='-ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -march=native -g -O3 -fstack-protector-strong -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.0 --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.3.0 --add-module=../set-misc-nginx-module-0.31 --add-module=../echo-nginx-module-0.60 --add-module=../redis2-nginx-module-0.13 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.17 --add-module=../srcache-nginx-module-0.31 --add-module=../headers-more-nginx-module-0.32 --with-pcre=../pcre-8.40 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.0e
Don't like compiling Nginx with the CentOS 7 default GCC 4.8.5 and want to use the newer GCC 5.3.1 compiler because you have newer Intel CPUs and want to take advantage of further Intel-optimised compiler flags? Just set CLANG='n' and NGINX_DEVTOOLSETGCC='y' in the persistent config file prior to the centmin.sh menu option 4 recompile of Nginx:
Code:
OPENSSL_VERSION='1.1.0e'
LIBRESSL_SWITCH='n'
CLANG='n'
NGINX_DEVTOOLSETGCC='y'
Code:
nginx -V
nginx version: nginx/1.11.12
built by gcc 5.3.1 20160406 (Red Hat 5.3.1-6) (GCC)
built with OpenSSL 1.1.0e 16 Feb 2017

TLS SNI support enabled
configure arguments: --with-ld-opt='-ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -march=native -g -O3 -fstack-protector-strong -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.0 --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.3.0 --add-module=../set-misc-nginx-module-0.31 --add-module=../echo-nginx-module-0.60 --add-module=../redis2-nginx-module-0.13 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.17 --add-module=../srcache-nginx-module-0.31 --add-module=../headers-more-nginx-module-0.32 --with-pcre=../pcre-8.40 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.0e
Don't like compiling Nginx with the CentOS 7 default GCC 4.8.5 or GCC 5.3.1 and want to use the newer GCC 6.2.1 compiler because you have newer Intel CPUs and want to take advantage of further Intel-optimised compiler flags? Just set CLANG='n', NGINX_DEVTOOLSETGCC='y' and DEVTOOLSETSIX='y' in the persistent config file prior to the centmin.sh menu option 4 recompile of Nginx:
Code:
OPENSSL_VERSION='1.1.0e'
LIBRESSL_SWITCH='n'
CLANG='n'
NGINX_DEVTOOLSETGCC='y'
DEVTOOLSETSIX='y'
Code:
nginx -V
nginx version: nginx/1.11.12
built by gcc 6.2.1 20160916 (Red Hat 6.2.1-3) (GCC)
built with OpenSSL 1.1.0e 16 Feb 2017

TLS SNI support enabled
configure arguments: --with-ld-opt='-ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -march=native -g -O3 -fstack-protector-strong -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.0 --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.3.0 --add-module=../set-misc-nginx-module-0.31 --add-module=../echo-nginx-module-0.60 --add-module=../redis2-nginx-module-0.13 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.17 --add-module=../srcache-nginx-module-0.31 --add-module=../headers-more-nginx-module-0.32 --with-pcre=../pcre-8.40 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.0e
Currently working on GCC 7.x support too.

Thanks to Akamai sponsoring OpenSSL, we should have OpenSSL 1.1.0 with TLS v1.3 support sooner rather than later too: https://community.centminmod.com/threads/akamai-sponsors-openssl-tls-1-3-development.10898/

Testing out OpenSSL 1.1.0 with TLS v1.3 draft 18:
Code:
openssl ciphers -V "ALL:COMPLEMENTOFALL" | grep TLSv1.3
         0x13,0x02 - TLS13-AES-256-GCM-SHA384 TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
         0x13,0x03 - TLS13-CHACHA20-POLY1305-SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
         0x13,0x01 - TLS13-AES-128-GCM-SHA256 TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
         0x13,0x05 - TLS13-AES-128-CCM-8-SHA256 TLSv1.3 Kx=any      Au=any  Enc=AESCCM8(128) Mac=AEAD
         0x13,0x04 - TLS13-AES-128-CCM-SHA256 TLSv1.3 Kx=any      Au=any  Enc=AESCCM(128) Mac=AEAD
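When switching an Nginx build between LibreSSL and OpenSSL branches like this, it is worth scripting the check rather than eyeballing nginx -V by hand. The script below is an added example written for this thread, not Centmin Mod's own code: it parses nginx -V text for the linked OpenSSL version (1.0.2 is the first branch with ALPN, which HTTP/2 negotiation needs), confirms the SSL and HTTP/2 modules are compiled in, and lists the TLS 1.3 and weak-cipher suites in openssl ciphers -V output. Both input samples are constructed from the output quoted above and trimmed; on a real box you would feed it `nginx -V 2>&1` (nginx prints that to stderr) and `openssl ciphers -V "ALL:COMPLEMENTOFALL"`.

```shell
#!/bin/sh
# Added example: verify what an nginx binary was built against before
# relying on it for HTTPS. Both samples below are constructed, not live output.

# Trimmed nginx -V text (constructed from the thread's own listing).
NGINX_V_SAMPLE='nginx version: nginx/1.11.12
built by gcc 6.2.1 20160916 (Red Hat 6.2.1-3) (GCC)
built with OpenSSL 1.1.0e  16 Feb 2017
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.0e'

# Constructed openssl ciphers -V lines: two TLS 1.3 suites from the draft-18
# build, one TLS 1.2 suite, and one legacy 3DES suite.
CIPHERS_SAMPLE='          0x13,0x02 - TLS13-AES-256-GCM-SHA384 TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
          0x13,0x03 - TLS13-CHACHA20-POLY1305-SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
          0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
          0x00,0x0A - DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1'

# Print the OpenSSL version nginx was linked against (e.g. 1.1.0e);
# stdin = nginx -V text.
openssl_version_from_nginx() {
    sed -n 's/^built with OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1
}

# Return 0 if version $1 is at least 1.0.2, the first OpenSSL branch with ALPN.
# The letter suffix (1.0.2k) is a patch level and is stripped before comparing.
openssl_at_least_102() {
    v=$(printf '%s' "$1" | sed 's/[a-z]*$//')
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -gt 0 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "$patch" -ge 2 ] && return 0
    return 1
}

# Return 0 if the configure arguments include module flag $1; stdin = nginx -V text.
nginx_has_module() {
    grep -q -- "$1"
}

# Print the names of TLSv1.3 suites; stdin = openssl ciphers -V output.
# Column 3 is the suite name, column 4 the protocol it was defined for.
tls13_suite_names() {
    awk '$4 == "TLSv1.3" { print $3 }'
}

# Print suites using ciphers a modern HTTPS server should not offer:
# 3DES, RC4, single DES, NULL (printed as Enc=None) or export-grade (EXP-).
legacy_suite_names() {
    awk '$0 ~ /Enc=(3DES|RC4|DES|None)|EXP/ { print $3 }'
}

ver=$(printf '%s\n' "$NGINX_V_SAMPLE" | openssl_version_from_nginx)
if openssl_at_least_102 "$ver"; then
    echo "OpenSSL $ver: new enough for ALPN/HTTP2"
else
    echo "OpenSSL $ver: older than 1.0.2, no ALPN"
fi
for m in --with-http_ssl_module --with-http_v2_module; do
    if printf '%s\n' "$NGINX_V_SAMPLE" | nginx_has_module "$m"; then
        echo "$m: present"
    else
        echo "$m: MISSING"
    fi
done
echo "TLS 1.3 suites:"
printf '%s\n' "$CIPHERS_SAMPLE" | tls13_suite_names
echo "Legacy suites still in the build:"
printf '%s\n' "$CIPHERS_SAMPLE" | legacy_suite_names
```

The legacy list is the one to watch after a rebuild: a suite being compiled into the library is not the same as nginx offering it, but if it is absent from the build it cannot be enabled by a stray ssl_ciphers line later.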
 
Most shared hosts will allow you to install your own cert through cPanel, which you can get for $10 from Comodo. If they disable this functionality and request that you pay $150 for a cert, or even to install a free LetsEncrypt cert, then that seems rather shady, so run :)
I've been with them 10 years now. They're good for what I have, just a few personal sites. I just use the default domain as top and add add-on domains for the others. Quick and easy. But no root access. Can't say as I blame them lol! But what got me started on this was wanting to go secure with SSL. Everyone is pushing this now. All I wanted was a lock in the browser. Good grief... I opened up a can of worms!! That was my original post, wondering why they make it so damn hard to secure a website.
 
1. Disable password login and replace with SSH key,

Already done
2. Install fail2ban so you can jail nasties,
Already done

3. Firewalld is simple and effective to keep all ports closed, other than those running software and secured as such.
Already done

Not running nginx, I don't think?

4. Use cloudflare (You get enterprise DDOS protection, CDN and full crypto - FREE)
Already done

[snip]

5. Running on a single server, you DO NOT want memcached installed. Provides little to no benefit when benchmarked, and with SSD RAID nowadays, is more of a hindrance to the process. Absolutely essential IF running a server stack though.
No Memcache

... Email is the headache. Setting up functional email to send and receive, you will spend more time trying to achieve this than anything else...
I had to lol!! Exactly what I'm discovering!

Always tweak just one thing, measure, look for faults and weird behaviour, then tweak further settings.
Good advice, thanks.

DO NOT copy and paste settings from the web that you first do not fully understand what they do or the impact of the setting on your server and users.
Guilty, will start to be more discerning from now on.

There is a lot of learning.
Understatement of the century!

LESS IS MORE. Good luck.
That's one of the early lessons I heard from nearly everyone! Thanks for your detailed reply, I really do appreciate it.
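Item 1 on that checklist (password login off, SSH keys on) is the one most often "done" in the wrong place in sshd_config. The script below is an added example for this thread, not anything from the hosts or tools mentioned: it reads an sshd_config the way sshd does (comments ignored, keyword case-insensitive, first occurrence wins, and anything after a Match block is conditional so parsing stops there) and reports the effective PasswordAuthentication, PubkeyAuthentication and PermitRootLogin values. The config text is constructed to show the trap: a commented default, a correct setting, and a later duplicate that sshd never sees. It assumes whitespace-separated "Keyword value" lines, not the "Keyword=value" form.

```shell
#!/bin/sh
# Added example: audit the SSH settings the checklist above asks for.
# SSHD_SAMPLE is constructed, not a real server's config.
SSHD_SAMPLE='#PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes'

# Effective global value of keyword $1; stdin = sshd_config text.
# Mirrors sshd: skip comments/blank lines, compare keyword case-insensitively,
# take the FIRST occurrence, and stop at the first Match block because values
# inside it apply only to matching users/hosts.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    '
}

# Print one line per setting and return 0 only if all three pass; stdin = config.
audit_sshd() {
    cfg=$(cat)
    rc=0

    pw=$(printf '%s\n' "$cfg" | sshd_effective PasswordAuthentication)
    # sshd defaults PasswordAuthentication to yes when the keyword is absent,
    # so "unset" is a finding, not a pass.
    if [ "$pw" = "no" ]; then
        echo "PasswordAuthentication: OK (no)"
    else
        echo "PasswordAuthentication: FAIL (${pw:-unset, defaults to yes})"
        rc=1
    fi

    pk=$(printf '%s\n' "$cfg" | sshd_effective PubkeyAuthentication)
    # Default is yes, so unset is acceptable here.
    if [ "${pk:-yes}" = "yes" ]; then
        echo "PubkeyAuthentication: OK"
    else
        echo "PubkeyAuthentication: FAIL ($pk)"
        rc=1
    fi

    rl=$(printf '%s\n' "$cfg" | sshd_effective PermitRootLogin)
    # The default changed across OpenSSH releases, so require it to be explicit.
    case "$rl" in
        no|prohibit-password|without-password) echo "PermitRootLogin: OK ($rl)" ;;
        *) echo "PermitRootLogin: FAIL (${rl:-unset}); set it explicitly"; rc=1 ;;
    esac

    return $rc
}

printf '%s\n' "$SSHD_SAMPLE" | audit_sshd || echo "sshd_config needs attention"
```

Run it against the live file with `audit_sshd < /etc/ssh/sshd_config` and remember that a passing file still has to be loaded: `sshd -t` for a syntax check, then a restart, and keep the current session open until a fresh key-only login works.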
 
I've been with them 10 years now. They're good for what I have, just a few personal sites. I just use the default domain as top and add add-on domains for the others. Quick and easy. But no root access. Can't say as I blame them lol! But what got me started on this was wanting to go secure with SSL. Everyone is pushing this now. All I wanted was a lock in the browser. Good grief... I opened up a can of worms!! That was my original post, wondering why they make it so damn hard to secure a website.

You don't need root access to add an SSL certificate with cPanel, if they're restricting access to that functionality for the sole purpose of charging $150 to do something that takes literally 30 seconds of work (pressing 2-3 buttons) there is definitely something off ;)
 
You don't need root access to add an SSL certificate with cPanel, if they're restricting access to that functionality for the sole purpose of charging $150 to do something that takes literally 30 seconds of work (pressing 2-3 buttons) there is definitely something off ;)
"... We can provide you with a standard certificate for $109.00/year per year which includes installation fees. Once installed, the path to your Dedicated SSL Certificate would be: https://www.yourdomain.com (replace yourdomain.com with your domain).

The Standard Certificate, at $109.00/year includes the following features:
  • Online Automated Validation, No paperwork, no faxes, no delay
  • Industry standard 2048 bit digital signatures
  • 99.9% Browser Coverage
  • $250,000 Relying Party Warranty
  • 256 Bit Encryption
  • FREE Trust Logo
  • FREE Site Seal

Third Party Dedicated Certificate Installations

If you have a Dedicated SSL Certificate that you have purchased from another provider, we can install that for you as an alternative. We charge $14.95 to generate the CSR needed for the third party certificate and a $29.95 installation fee to install the certificate once received. A Dedicated IP is also still a requirement when installing third party SSL certificates..."

I think I was adding the 3rd party cert cost to get $150.
 
It's functionality built into cPanel/WHM that is enabled by default, which they would have to explicitly disable. I guess if they're using an ancient version of cPanel the functionality might not exist, but it's been there for quite some time.
 
It's functionality built into cPanel/WHM that is enabled by default, which they would have to explicitly disable. I guess if they're using an ancient version of cPanel the functionality might not exist, but it's been there for quite some time.
They use the latest, Paper Lantern; the version is the latest, I'm sure. They have turned off that function. I know because I see that function on my Linode server. Couldn't help but install it, like coming home lol!
 
If that's the case they have likely disabled it to generate a new revenue stream by forcing people to pay at least the $30 installation fee (which is 3x the cost of a basic SSL certificate) if they want to use SSL. If you've installed cPanel on a Linode box you can enable AutoSSL as well to automatically generate/renew LetsEncrypt SSL certificates for your domains.
 
I'm just using the 15-day trial of cPanel right now. I'm learning so much at the command line, I don't want to get too lazy lol!!
 
I'm just using the 15-day trial of cPanel right now. I'm learning so much at the command line, I don't want to get too lazy lol!!

Ah alright, just so you know you can't "uninstall" cPanel once that trial is over, so you'll have to reinstall the operating system if you don't renew the license ;)
 
I think we've collectively derailed this thread very nicely :) I take blame.

Some great points made. Pertaining to SSL it has been a slow journey but with this year's new browser warnings and now at least 3 'free' certificate services/options out there with proper CA attestations I think 2017 will be the year when we will see much swifter adoption. I predict browser warnings will become more and more pervasive to 'encourage' owners to transition over.

One really good point made above: don't forget your 301s, and do also update your webmaster properties with your new https site to track errors and the like.
 
$30 installation fee (which is 3x the cost of a basic SSL certificate) if they want to use SSL
The worst part is that cPanel has free AutoSSL built in, which does actually work. It can be a bit slow getting it to renew at first, but once done, it maintains itself.
 
Looking forward to that support, especially with TLS1.3 pretty much starting to roll out more.
Agreed

Yeah, cPanel AutoSSL does work on the cPanel servers I have too, though I still prefer Centmin Mod HTTP/2 HTTPS as I have enabled the dynamic TLS record size patch (Cloudflare) and the Cloudflare chacha20 patch for OpenSSL 1.0.2, backported to OpenSSL 1.1 as well = improved page load times over HTTPS :) If you want additional performance/speed for HTTPS you can't do what every other LEMP/LAMP stack does, as you'd get the same HTTPS performance as those other web stacks. You need to do some things differently :D
As to SSL certificates, the latest Centmin Mod beta has Let's Encrypt integration being beta tested at https://centminmod.com/acmetool
 
Let's Encrypt is not, however, suitable if you run an email server, as the CA cert for Let's Encrypt is not considered a trusted source and will cause anyone sending email to your server to bounce when requiring a trusted TLS connection (i.e. many corporate networks, some Government agencies, and so forth).
Funny, it works fine on mine with the Postfix MTA.

In fact, taken from their FAQ

Does Let’s Encrypt issue certificates for anything other than SSL/TLS for websites?
Let’s Encrypt certificates are standard Domain Validation certificates, so you can use them for any server that uses a domain name, like web servers, mail servers, FTP servers, and many more.

Email encryption and code signing require a different type of certificate that Let’s Encrypt does not issue.
I've emphasized the part that you may be referring to.
You cannot use them for encryption, but server-side for the SMTP SSL/TLS protocol is fine.
https://community.letsencrypt.org/t/why-letsencrypt-certificates-are-not-valid-for-email/14039

What documentation have you found that states that governmental entities won't accept an approved global CA issued certificate?
 