
Beta Branch fix OpenSSL 1.1.1 master branch git clone

Discussion in 'Centmin Mod Github Commits' started by eva2000, Aug 18, 2018.

  1. eva2000

    eva2000 Administrator Staff Member

    45,970
    10,442
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,203
    Local Time:
    10:02 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
  2. Peter Nehem

    Peter Nehem It hates everything I try to type here

    11
    9
    3
    Nov 22, 2017
    Tucson, Arizona USA
    Ratings:
    +13
    Local Time:
    5:02 PM
    1.15.0
    MariaDB 10.1.34
    Just before you posted this change I was able to compile Nginx with my custom_config.inc file, I had changed these lines to reflect what I had read earlier tonight
    OPENSSL_VERSION='openssl-tls1.3'
    OPENSSL_TLSONETHREE='y'
    OPENSSL_CUSTOMPATH='/mnt/sdd1/openssl-tls1.3'
    and when I downloaded and checked the openssl version it was openssl-pre8
    But when I went to run it on another server, changing it so that it looked like these lines above, it errors out because it can't find an openssl-tls1.3 on the centminmod download site. Whereas this fix pulls direct from the openssl site and the nginx update looks to the centminmod download site.
     
  3. Peter Nehem

    Download openssl-openssl-pre8.tar.gz ...
    download_cmd https://centminmod.com/centminmodparts/openssl/openssl-openssl-pre8.tar.gz
    ECDSA SSL Cipher BASED HTTPS detected, switching from axel to wget
    https://centminmod.com/centminmodparts/openssl/openssl-openssl-pre8.tar.gz:
    2018-08-17 23:42:38 ERROR 404: Not Found.
    8
    Error: openssl-openssl-pre8.tar.gz download failed.

    Here is the error I'm getting now, I've tried changing it to pre8 and tls1_3 but neither of those files exist at that centminmod site
     
  4. eva2000

    Don't set OPENSSL_VERSION='openssl-tls1.3'

    Only variable to set for openssl 1.1.1 master branch is TLSONETHREE='y' which is downloaded from git clone and not a file

    Setting OPENSSL_VERSION variable tells centmin mod to try and download the corresponding tar.gz file which isn't what you want if trying openssl 1.1.1 master branch. If you're interested in following the code, it's within inc/openssl_install.inc currently lines 535-547

    openssl 1.1.1 master branch is the development branch for openssl and not really for production use but rather testing. While openssl-1.1.1-pre* versions are openssl 1.1.1 betas closer to production eventually
     
    Last edited: Aug 19, 2018
  5. Peter Nehem

    I'm sorry I'm lost now, I want it to use the git master branch but I can't get it to pick that up anymore - I used to look and see what version they were on and then go one less. It was on openssl-pre2 for a long time because that was the only one I could check at ssllabs. Recently it's been on openssl-pre8 because ssllabs had updated the version of tls1.3.
    If I comment out or leave OPENSSL_VERSION= blank then it tries to load 1.1.0i and fails
    I hope I did this Pastebin correctly:
    <script src="https://pastebin.com/embed_js/4Xj5cCZJ"></script>

    But Here is a copy of my config file, I use the same one on the 3 servers I have at the moment.
     
  6. eva2000

    openssl-1.1.1-pre versions are downloaded from openssl.org and are betas NOT from github openssl 1.1.1 master and download .tar.gz are determined by setting OPENSSL_VERSION. Do not leave it blank as you won't get a valid version download. To disable remove OPENSSL_VERSION from persistent config file /etc/centminmod/custom_config.inc

    if you want to use github openssl 1.1.1 master branch, only persistent config /etc/centminmod/custom_config.inc setting needed is TLSONETHREE='y' and remove
    Code (Text):
    OPENSSL_VERSION='1.1.1-pre8'
    OPENSSL_TLSONETHREE='y'
    

    fyi, you don't need OPENSSL_TLSONETHREE='y' as it's 123.09beta01 current default
     
    Last edited: Aug 19, 2018
  7. eva2000

    paste as just .txt extension file
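
A pre-build check for the OPENSSL_VERSION / TLSONETHREE rules described in the replies above, as an added example that is not part of the original posts and not Centmin Mod's own code. The function names and result labels are hypothetical, and the "openssl-" prefix check is an inference from the doubled `openssl-openssl-pre8.tar.gz` filename in the 404 log quoted in the thread.

```shell
#!/bin/sh
# Added example: lint a persistent config (e.g. /etc/centminmod/custom_config.inc)
# for the OpenSSL settings discussed in this thread. The file is parsed with sed
# and never sourced, so nothing inside it is executed.

# Print "unset" if NAME has no uncommented assignment, else "set:<value>"
# for the last assignment found. $1 = variable name, $2 = config file.
get_var() {
  gv_hit=$(sed -nE "s/^[[:space:]]*$1=[\"']?([^\"'#[:space:]]*).*/set:\1/p" "$2" | tail -n 1)
  printf '%s\n' "${gv_hit:-unset}"
}

# Classify the OpenSSL source the config asks for (labels are hypothetical).
check_openssl_config() {
  ver=$(get_var OPENSSL_VERSION "$1")
  tls=$(get_var TLSONETHREE "$1")
  case $ver in
    unset)
      # No OPENSSL_VERSION line: TLSONETHREE='y' selects the master branch git clone.
      if [ "$tls" = "set:y" ]; then echo "master-branch-git-clone"
      else echo "stack-default"; fi ;;
    set:)          echo "invalid-blank-version" ;;      # "Do not leave it blank"
    set:openssl-*) echo "suspect-prefixed-version" ;;   # doubled prefix in the 404 log
    set:*)         echo "tarball:${ver#set:}" ;;        # a .tar.gz download is attempted
  esac
}

if [ "$#" -ge 1 ]; then
  check_openssl_config "$1"
else
  # Constructed sample mirroring the settings quoted in the thread.
  sample=$(mktemp)
  printf '%s\n' "OPENSSL_VERSION='openssl-tls1.3'" "OPENSSL_TLSONETHREE='y'" > "$sample"
  check_openssl_config "$sample"
  rm -f "$sample"
fi
```

Run it with the config path as the only argument; a `tarball:` result means a download of that version is attempted, which is not the master branch path.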