Github.com Drops TLSv1.1 & TLSv1.0 Support Update CentOS 6.9 or 7.4

Discussion in 'Centmin Mod News' started by eva2000, Mar 7, 2018.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member

    54,535
    12,219
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,788
    Local Time:
    9:08 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Centmin Mod's update routine is Git repository backed, so it relies on the Git client to manage Centmin Mod code updates and version branch switches. Centmin Mod's code source is primarily hosted on a Github.com repository here. News is that Github.com is dropping TLSv1.1 and TLSv1.0 support (Weak cryptographic standards removal notice).

    This means that your version of Git needs to support the newer TLSv1.2 connections to Github.com. For Redhat/CentOS that means at least using the Git version shipped with CentOS 6.8+ or 7.2+ or higher. I recommend updating to the latest within your branch, so CentOS 6.9 if using CentOS 6 or CentOS 7.4 if using CentOS 7. That will allow you to use the updated Git version that supports TLSv1.2.

    Without updating to the CentOS 6.8+ or 7.2+ or higher Git version, you will not be able to use centmin.sh menu option 23 at all or update your Centmin Mod code anymore, as Git will have a broken connection and get errors like
    Code (Text):
    Peer reports incompatible or unsupported protocol version.
    

    And curl would give errors like
    Code (Text):
    curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).
    

    From Weak cryptographic standards removal notice
    I would at least make sure you're on CentOS 6.9 or 7.4 and do a yum update to ensure Git is updated as older versions don't have Git clients that support TLS v1.2.

    Updating CentOS

    If you're not already using CentOS 6.8+ or 7.4+, then you need to update CentOS via the yum update command and reboot your server.

    Check your current CentOS version via command below.
    Code (Text):
    cat /etc/redhat-release
    

    i.e. on CentOS 7.4 you already have the latest git and curl versions supporting TLSv1.2
    Code (Text):
    cat /etc/redhat-release
    CentOS Linux release 7.4.1708 (Core)
    

    So if you need to update to CentOS 6.9 or 7.4, just do a yum update and then reboot the server. If you have a very active MySQL server, at least flush tables and wait a while before rebooting
    Code (Text):
    yum -y update
    reboot
    

    or wait 360 seconds before rebooting
    Code (Text):
    yum -y update
    mysqladmin flush-tables
    sleep 360
    reboot
    


    Update Notes



    If you haven't updated your CentOS version in ages and haven't run yum updates for a while, then you may have missed out on some Kernel security updates for Meltdown/Spectre vulnerabilities. The gist of it is that there's Kernel security updates have a side effect of reducing performance for some work loads which have alot of system calls/context switches etc. Details and discussions are available at Intel Processor Flaw 'kernel memory leaking' [Spectre & Meltdown]. You should subscribe/watch the thread for further news and developments as the situation is still fluid and on going with Linux distributions and upstream Kernel updates for Spectre and Meltdown as well as work on improving performance post Kernel KPTI patching.

    For instance normal distribution supplied Nginx web servers might have up to 26% performance reduction after Kernel KPTI security updates. Centmin Mod Nginx luckily isn't a normal Nginx server build and uses alternate Jemalloc memory allocator instead of system Glibc malloc so the performance reduction was measured around 5.5%.

    If using MyISAM tables in MySQL, you would want to look at converting them to InnoDB if possible, as the Kernel KPTI performance impact and reduction can be as high as 40% according to MariaDB benchmarks. Centmin Mod MariaDB MySQL users however will be glad to know that if using the MariaDB 10.0 or 10.1 branch, their performance impact will be much less due to MariaDB 10.0/10.1 not using the system Glibc malloc memory allocator but using Jemalloc (like Centmin Mod Nginx does), so the performance reduction may not be as severe. MariaDB tested the tcmalloc alternate memory allocator and the performance reduction impact dropped from 27+% to under 2.7% (details).

    MariaDB 10.2 switched back from Jemalloc to system Glibc malloc though, so you need to use the malloc-lib option to switch back to the Jemalloc or tcmalloc memory allocators as outlined here. Centmin Mod currently only installs MariaDB 10.0 with 123.08stable and MariaDB 10.1 with 123.09beta01 out of the box. MariaDB 10.2 is supported in 123.09beta01 as an upgrade option, which is currently in private testing so not enabled publicly by default.

    Redis and Memcached server are 2 other software items impacted by the Meltdown/Spectre fixes in the Linux Kernel, with reportedly between 5-20% performance reduction depending on the CPU model used. Unfortunately, there's no solution for that as yet.

     
    Last edited: Mar 7, 2018
  2. eva2000

    eva2000 Administrator Staff Member

    54,535
    12,219
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,788
    Local Time:
    9:08 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Seems Paypal is also enforcing TLSv1.2 or TLSv1.1 too, so the version of curl used in CentOS needs to support TLSv1.2, and it's also in your best interest to update to the latest within your OS branch: CentOS 6.9 if using CentOS 6 or CentOS 7.4 if using CentOS 7.
    And GitHub - paypal/TLS-update: Documentation & tools for the upcoming TLSv1.2 required update related to PHP. Note CentOS/Redhat backports updates into curl and openssl version numbers that may not seem like the latest but are. But the changes are based on the OS version used, so the CentOS 6.7 version of curl 7.19 won't have the same updated TLSv1.2 support as the CentOS 6.9 version of curl 7.19 etc.

    According to "To verify your PHP and TLS versions", you can check your version of curl usage with PHP for Paypal via the TlsCheck.php file using the commands below:
    Code (Text):
    mkdir -p /root/tools/paypal
    cd /root/tools/paypal
    wget https://github.com/paypal/TLS-update/raw/master/php/TlsCheck.php
    wget https://github.com/paypal/TLS-update/raw/master/php/cacert.pem
    php -f TlsCheck.php
    

    This should result in reporting PayPal_Connection_OK if working with an updated curl version, or curl_error information if the version of curl is outdated.
    Code (Text):
    php -f TlsCheck.php
    PayPal_Connection_OK
    
     
    Last edited: Mar 7, 2018
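Added example, not code from the thread or from the Centmin Mod project: a small POSIX sh script that turns the checks from both posts into something you can run on a server before relying on Git or curl against Github.com or Paypal. `centos_release_ok` parses a `/etc/redhat-release` string against the minimums the first post states (CentOS 6.8+ or 7.2+), and `tls12_probe` forces a TLSv1.2-or-newer handshake with curl so a client that cannot do TLSv1.2 fails in the same way the posts' error messages show. Assumptions: the host's curl understands `--tlsv1.2` (available in curl 7.34 and later, so this may not apply to an older CentOS 6 curl); the release strings used for checking are constructed samples; the `--run` argument and all function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): offline release-version check plus an
# optional live TLSv1.2 probe. Assumes curl supports --tlsv1.2 (7.34+).

# centos_release_ok "<contents of /etc/redhat-release>"
# Returns 0 if the release is at or above the post's minimum (6.8+ / 7.2+),
# 1 if it is too old, 2 if the string is not a Redhat/CentOS release string.
centos_release_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*release \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    major=${ver% *}
    minor=${ver#* }
    case "$major" in
        6) [ "$minor" -ge 8 ] ;;
        7) [ "$minor" -ge 2 ] ;;
        *) [ "$major" -gt 7 ] ;;
    esac
}

# tls12_probe <host>: fetch https://<host>/ allowing only TLSv1.2 or newer.
# Returns curl's exit status; 35 is the "Cannot communicate securely with
# peer" case from the first post. Needs network, so it is not run by default.
tls12_probe() {
    curl -sS --tlsv1.2 -o /dev/null "https://$1/" 2>/dev/null
}

# explain_probe <curl exit status>: one-line verdict for the probe result.
explain_probe() {
    case "$1" in
        0)  echo "TLSv1.2 handshake OK" ;;
        35) echo "TLSv1.2 handshake failed (curl error 35): update OS/curl" ;;
        *)  echo "probe failed for another reason (curl exit $1)" ;;
    esac
}

main() {
    rel=$(cat /etc/redhat-release 2>/dev/null) || rel=""
    if centos_release_ok "$rel"; then
        echo "release OK: $rel"
    else
        echo "release too old or not a Redhat/CentOS release string: $rel"
    fi
    for host in github.com tlstest.paypal.com; do
        tls12_probe "$host"
        echo "$host: $(explain_probe $?)"
    done
}

# Only run the live checks when explicitly asked, e.g. `sh tlscheck.sh --run`
# (hypothetical file name), so the functions can be sourced without side effects.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

The version check intentionally accepts anything newer than CentOS 7, since the post's concern is only the old 6.x and 7.x Git/curl builds; the probe hosts are the two endpoints the posts name (github.com and Paypal's `tlstest.paypal.com` used by TlsCheck.php).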