> Yer, updating to 1.0.2k is usually one of the first things I do on a server. A pretty simple task though, and agreed, important one.

FYI, OpenSSL 1.0.2 rebase is scheduled for Red Hat/CentOS 7.4 and OpenSSL 1.1.0 will be coming to RHEL/CentOS 7.4+ via SCL side port https://bugzilla.redhat.com/show_bug.cgi?id=1276310
I didn't think the 1.1.x branch was even compatible with CentOS 7?
OPENSSL_VERSION='1.1.0e'
LIBRESSL_SWITCH='n'
Don't like compiling Nginx with the clang compiler and want to use the GCC default? Just set CLANG='n' in the persistent config file prior to centmin.sh menu option 4 recompile of Nginx.

nginx -V
nginx version: nginx/1.11.12
built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
built with OpenSSL 1.1.0e 16 Feb 2017
TLS SNI support enabled
configure arguments: --with-ld-opt='-ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -mtune=native -mfpmath=sse -g -O3 -fstack-protector -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-sign-compare -Wno-string-plus-int -Wno-deprecated-declarations -Wno-unused-parameter -Wno-unused-const-variable -Wno-conditional-uninitialized -Wno-mismatched-tags -Wno-sometimes-uninitialized -Wno-parentheses-equality -Wno-tautological-compare -Wno-self-assign -Wno-deprecated-register -Wno-deprecated -Wno-invalid-source-encoding -Wno-pointer-sign -Wno-parentheses -Wno-enum-conversion -Wno-c++11-compat-deprecated-writable-strings -Wno-write-strings -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.0 --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.3.0 --add-module=../set-misc-nginx-module-0.31 --add-module=../echo-nginx-module-0.60 --add-module=../redis2-nginx-module-0.13 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.17 --add-module=../srcache-nginx-module-0.31 --add-module=../headers-more-nginx-module-0.32 --with-pcre=../pcre-8.40 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.0e
OPENSSL_VERSION='1.1.0e'
LIBRESSL_SWITCH='n'
CLANG='n'
Don't like compiling Nginx with the CentOS 7 default GCC 4.8.5 and want to use the newer GCC 5.3.1 compiler, as you have newer Intel CPUs and want to take advantage of further Intel-optimised compiler flags? Just set CLANG='n' & NGINX_DEVTOOLSETGCC='y' in the persistent config file prior to centmin.sh menu option 4 recompile of Nginx.

nginx -V
nginx version: nginx/1.11.12
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC)
built with OpenSSL 1.1.0e 16 Feb 2017
TLS SNI support enabled
configure arguments: --with-ld-opt='-ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -march=native -g -O3 -fstack-protector-strong -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.0 --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.3.0 --add-module=../set-misc-nginx-module-0.31 --add-module=../echo-nginx-module-0.60 --add-module=../redis2-nginx-module-0.13 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.17 --add-module=../srcache-nginx-module-0.31 --add-module=../headers-more-nginx-module-0.32 --with-pcre=../pcre-8.40 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.0e
OPENSSL_VERSION='1.1.0e'
LIBRESSL_SWITCH='n'
CLANG='n'
NGINX_DEVTOOLSETGCC='y'
Don't like compiling Nginx with the CentOS 7 default GCC 4.8.5 or GCC 5.3.1 and want to use the newer GCC 6.2.1 compiler, as you have newer Intel CPUs and want to take advantage of further Intel-optimised compiler flags? Just set CLANG='n' & NGINX_DEVTOOLSETGCC='y' & DEVTOOLSETSIX='y' in the persistent config file prior to centmin.sh menu option 4 recompile of Nginx.

nginx -V
nginx version: nginx/1.11.12
built by gcc 5.3.1 20160406 (Red Hat 5.3.1-6) (GCC)
built with OpenSSL 1.1.0e 16 Feb 2017
TLS SNI support enabled
configure arguments: --with-ld-opt='-ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -march=native -g -O3 -fstack-protector-strong -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.0 --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.3.0 --add-module=../set-misc-nginx-module-0.31 --add-module=../echo-nginx-module-0.60 --add-module=../redis2-nginx-module-0.13 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.17 --add-module=../srcache-nginx-module-0.31 --add-module=../headers-more-nginx-module-0.32 --with-pcre=../pcre-8.40 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.0e
OPENSSL_VERSION='1.1.0e'
LIBRESSL_SWITCH='n'
CLANG='n'
NGINX_DEVTOOLSETGCC='y'
DEVTOOLSETSIX='y'
Currently working on GCC 7.x support too.

nginx -V
nginx version: nginx/1.11.12
built by gcc 6.2.1 20160916 (Red Hat 6.2.1-3) (GCC)
built with OpenSSL 1.1.0e 16 Feb 2017
TLS SNI support enabled
configure arguments: --with-ld-opt='-ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -march=native -g -O3 -fstack-protector-strong -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.0 --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.3.0 --add-module=../set-misc-nginx-module-0.31 --add-module=../echo-nginx-module-0.60 --add-module=../redis2-nginx-module-0.13 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.17 --add-module=../srcache-nginx-module-0.31 --add-module=../headers-more-nginx-module-0.32 --with-pcre=../pcre-8.40 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.0e
openssl ciphers -V "ALL:COMPLEMENTOFALL" | grep TLSv1.3
0x13,0x02 - TLS13-AES-256-GCM-SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
0x13,0x03 - TLS13-CHACHA20-POLY1305-SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
0x13,0x01 - TLS13-AES-128-GCM-SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
0x13,0x05 - TLS13-AES-128-CCM-8-SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM8(128) Mac=AEAD
0x13,0x04 - TLS13-AES-128-CCM-SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
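The nginx -V banners above are the evidence that a recompile actually picked up the requested OpenSSL and compiler flags. Below is an added example (not centminmod's or nginx's own code) of a POSIX sh audit that reads such a banner and checks three things a defender cares about: that the hardening flags (-fstack-protector, -D_FORTIFY_SOURCE=2, -Wl,-z,relro) survived the build, that the OpenSSL version the binary reports matches the bundled tree requested with --with-openssl (so the server is not silently linked against the distro library), and that SNI support is on. The function and sample names are my own; the two sample banners are constructed, the first shortened from the clang build quoted in the thread, the second a deliberately weak build.

```shell
#!/bin/sh
# Added example, not centminmod's or nginx's own code: audit an `nginx -V`
# banner after a recompile. nginx writes -V to stderr, so on a live host run:
#     nginx -V 2>&1 | audit_nginx_build

# Flags that must appear in the configure arguments. Matching is by substring,
# so -fstack-protector-strong also satisfies -fstack-protector.
REQUIRED_FLAGS='-fstack-protector -D_FORTIFY_SOURCE=2 -Wl,-z,relro'

# Constructed sample, shortened from the clang build quoted in the thread.
sample_banner() {
cat <<'EOF'
nginx version: nginx/1.11.12
built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
built with OpenSSL 1.1.0e 16 Feb 2017
TLS SNI support enabled
configure arguments: --with-ld-opt='-ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -O3 -fstack-protector -Wp,-D_FORTIFY_SOURCE=2' --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.0e
EOF
}

# Constructed negative case: no hardening flags and no --with-openssl, so the
# binary links whatever OpenSSL the distro ships.
weak_banner() {
cat <<'EOF'
nginx version: nginx/1.11.12
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC)
built with OpenSSL 1.0.2k 26 Jan 2017
TLS SNI support enabled
configure arguments: --with-cc-opt='-O2' --with-http_ssl_module
EOF
}

# Reads a banner on stdin, prints one line per check, returns 1 if any fails.
audit_nginx_build() {
    banner=$(cat)
    status=0

    args=$(printf '%s\n' "$banner" | sed -n 's/^configure arguments: //p')
    if [ -z "$args" ]; then
        echo "FAIL no 'configure arguments' line in input"
        return 1
    fi

    for flag in $REQUIRED_FLAGS; do
        case "$args" in
            *"$flag"*) echo "ok   $flag" ;;
            *)         echo "FAIL $flag missing"; status=1 ;;
        esac
    done

    # OpenSSL the binary was actually linked against ...
    linked=$(printf '%s\n' "$banner" | sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p')
    # ... versus the bundled source tree requested at configure time.
    requested=$(printf '%s\n' "$args" | sed -n 's/.*--with-openssl=[^ ]*openssl-\([^ ]*\).*/\1/p')
    if [ -z "$requested" ]; then
        echo "FAIL no --with-openssl=... argument; linked against system OpenSSL $linked"
        status=1
    elif [ "$linked" = "$requested" ]; then
        echo "ok   linked OpenSSL $linked matches --with-openssl"
    else
        echo "FAIL linked OpenSSL $linked but --with-openssl asked for $requested"
        status=1
    fi

    case "$banner" in
        *'TLS SNI support enabled'*) echo "ok   TLS SNI support enabled" ;;
        *)                           echo "FAIL TLS SNI support not enabled"; status=1 ;;
    esac
    return $status
}

# Stand-alone demo against the two constructed banners.
echo "== expected-good build"; sample_banner | audit_nginx_build
echo "== weak build";          weak_banner | audit_nginx_build || echo "=> rejected"
```

The OpenSSL comparison is the check most worth keeping: a build that lacks --with-openssl still reports a version on the "built with OpenSSL" line, just the distro's, which is exactly the situation the persistent-config variables above are meant to avoid.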
> Most shared hosts will allow you to install your own cert through cpanel which you can get for $10 from comodo. If they disable this functionality and request that you pay $150 for a cert, or even to install a free LetsEncrypt cert then that seems rather shady so run

I've been with them 10 years now. They're good for what I have, just a few personal sites. I just use the default domain as top and add add-on domains for the others. Quick and easy. But no root access. Can't say as I blame them lol! But what got me started on this was wanting to go secure with SSL. Everyone is pushing this now. All I wanted was a lock in the browser. Good grief............... I opened up a can of worms!! That was my original post, wondering why they make it so damn hard to secure a website.
> Disable password login and replace with SSH key,

> 2. Install fail2ban so you can jail nasties,

Already done

> 3. Firewalld is simple and effective to keep all ports closed, other than those running software and secured as such.

Already done

> Bad bot blocker for NGINX setup: https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker

Not running nginx, I don't think?

> 4. Use cloudflare (You get enterprise DDOS protection, CDN and full crypto - FREE)

Already done

> 5. Running on a single server, you DO NOT want memcached installed. Provides little to no benefit when benchmarked, and with SSD RAID nowadays, is more hindrance to the process. Absolutely essential IF running a server stack though.

No Memcache

> Email is the headache. Setting up functional email to send and receive, you will spend more time trying to achieve this than anything else...............

I had to lol!! Exactly what I'm discovering!

> Always tweak just one thing, measure, look for faults and weird behaviour, then tweak further settings.

Good advice, thanks.

> DO NOT copy and paste settings from the web that you first do not fully understand what they do or the impact of the setting on your server and users.

Guilty, will start to be more discerning from now on.

> There is a lot of learning.

Understatement of the century!

> LESS IS MORE. Good luck.

That's one of the early lessons I heard from nearly everyone! Thanks for your detailed reply, I really do appreciate it.
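"Disable password login and replace with SSH key" is the first item in the list above, and it is also the one most often believed done when it is not. Below is an added example (not from the thread or from OpenSSH) of a POSIX sh check that reads an sshd_config and reports the values sshd will actually use. It encodes two sshd_config parsing rules that defeat naive grepping: keywords are case-insensitive, and for each keyword the first value in the file wins, so a hardened line appended at the bottom changes nothing if an earlier line already set that keyword. It also checks ChallengeResponseAuthentication, because with PasswordAuthentication off alone, PAM keyboard-interactive can still prompt for a password. Function names are mine; the two config samples are constructed. Match blocks and the Keyword=value spelling are not handled.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH: report the effective
# authentication settings of an sshd_config and fail unless logins are key-only.
# Assumptions: keywords are case-insensitive and the first occurrence wins
# (sshd_config(5)); Match blocks and the Keyword=value form are not handled.

# Effective value of keyword $1 in the config text held in $CFG; $2 is sshd's
# compiled-in default, used when the keyword never appears.
sshd_effective() {
    value=$(printf '%s\n' "$CFG" | awk -v k="$1" '
        /^[[:space:]]*#/ || NF < 2 { next }            # comments, blank lines
        tolower($1) == tolower(k) { print $2; exit }   # first occurrence wins
    ')
    printf '%s\n' "${value:-$2}"
}

# Reads sshd_config text on stdin. Prints one finding per keyword and returns 0
# only when key logins are on and both password paths (plain password and PAM
# keyboard-interactive) are off.
audit_sshd_config() {
    CFG=$(cat)
    status=0
    pw=$(sshd_effective PasswordAuthentication yes)
    kbd=$(sshd_effective ChallengeResponseAuthentication yes)
    pk=$(sshd_effective PubkeyAuthentication yes)

    if [ "$pw" = no ]; then echo "ok   PasswordAuthentication no"
    else echo "FAIL PasswordAuthentication is '$pw' (effective value; first line wins)"; status=1; fi

    if [ "$kbd" = no ]; then echo "ok   ChallengeResponseAuthentication no"
    else echo "FAIL ChallengeResponseAuthentication is '$kbd'; PAM can still prompt for a password"; status=1; fi

    if [ "$pk" = yes ]; then echo "ok   PubkeyAuthentication yes"
    else echo "FAIL PubkeyAuthentication is '$pk'"; status=1; fi

    return $status
}

# Constructed sample 1: an admin appended the hardened line, but the earlier
# lines still win, so passwords remain accepted.
appended_only() {
cat <<'EOF'
# constructed sample sshd_config
Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication yes
# appended later, ignored by sshd because the keyword was already set above
PasswordAuthentication no
EOF
}

# Constructed sample 2: key-only logins, both password paths disabled
# (lower-case keyword included to show the case-insensitive match).
key_only() {
cat <<'EOF'
Port 22
PubkeyAuthentication yes
passwordauthentication no
ChallengeResponseAuthentication no
EOF
}

echo "== appended-only config"; appended_only | audit_sshd_config || echo "=> still accepts passwords"
echo "== key-only config";      key_only | audit_sshd_config
```

On a real host run it as `audit_sshd_config < /etc/ssh/sshd_config`, then confirm with `sshd -T` (which prints the effective configuration, Match blocks included) before closing the session that made the change.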
> You don't need root access to add an SSL certificate with cPanel, if they're restricting access to that functionality for the sole purpose of charging $150 to do something that takes literally 30 seconds of work (pressing 2-3 buttons) there is definitely something off

".................. We can provide you with a standard certificate for $109.00/year per year which includes installation fees. Once installed, the path to your Dedicated SSL Certificate would be: https://www.yourdomain.com (replace yourdomain.com with your domain)."
> They won't let you install your own? Do they use cPanel?

No, they won't allow me to install my own. Yes, they use cPanel. There is no option for installing an SSL cert.
> it's functionality built into cpanel/whm that is enabled by default that they would have to explicitly disable, I guess if they're using an ancient version of cPanel the functionality might not exist, but it's been there for quite some time

They use the latest, Paper Lantern, version is latest I'm sure. They have turned off that function. I know because I see that function on my Linode server. Couldn't help but to install it, like coming home lol!
I'm just using the 15-day trial of cPanel right now. I'm learning so much at the command line, I don't want to get too lazy lol!!
> Ah alright, just so you know you can't "uninstall" cPanel once that trial is over, so you'll have to reinstall the operating system if you don't renew the license

Oh, I've done that probably 3 times already. Learn learn learn!!!
> $30 installation fee (which is 3x the cost of a basic SSL certificate) if they want to use SSL

The worst part is that cPanel has free autoSSL built-in which does actually work. It can be a bit slow getting it to renew at first, but once done, it maintains itself.
> Thanks to Akamai sponsoring OpenSSL, we should have OpenSSL 1.1.0 with TLS v1.3 support sooner rather than later too

Looking forward to that support, especially with TLS1.3 pretty much starting to roll out more.
> Looking forward to that support, especially with TLS1.3 pretty much starting to roll out more.

Agreed
> Lets encrypt is not however suitable if you run an email server, as the CA cert for Lets Encrypt is not considered a trusted source and will cause anyone sending to your server email to bounce when requiring a trusted TLS connection (i.e. many corporate networks, some Government agencies, so forth)

Funny it works fine on mine with PostFix mta.
> Does Let’s Encrypt issue certificates for anything other than SSL/TLS for websites?
>
> Let’s Encrypt certificates are standard Domain Validation certificates, so you can use them for any server that uses a domain name, like web servers, mail servers, FTP servers, and many more.
>
> Email encryption and code signing require a different type of certificate that Let’s Encrypt does not issue.

I've emphasized the part that you may be referring to.