The cURL library of your server does not support TLS1.2 or TLS1.3

Discussion in 'Install & Upgrades or Pre-Install Questions' started by Doni, Sep 2, 2022.

  1. Doni

    Doni Member

    45
    2
    8
    Aug 23, 2014
    Ratings:
    +5
    Local Time:
    8:03 AM
    nginx/1.7.4
    mysql Ver 15.1 Distrib 5.5.39-MariaDB, for Linux (x86_64) using readline 5.1
    Hi eva,

    This is probably not related to the installation of Centmin. But I installed some WordPress plugins, and it looks like they require TLS1.2 or TLS1.3, because one shows this error:

    Out-of-the-Box - Error: The cURL library of your server does not support TLS1.2 or TLS1.3 (CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_TLSv1_3. This is required by the API to create a secure connection. Please contact your webhost and ask them to upgrade the curl library and/or enable TLS1.2 support or higher for this library.


    How can I upgrade the cURL library?

    Please fill in any relevant information that applies to you:
    • CentOS Version: CentOS 7 64bit
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: 1.23.1
    • PHP Version Installed: 7.4.30
    • Persistent Config: Do you have any persistent config file options set in /etc/centminmod/custom_config.inc ? You can check via this command:
      Code (Text):
      MARCH_TARGETNATIVE='n'
      LETSENCRYPT_DETECT='y'
      DISABLE_TLSONEZERO_PROTOCOL='y'
      SSL_PROTOCOL_MODERN='y'
      

     
  2. Doni

    Trying to run customcurl from addons


    Code:
    HTTP/1.1 404 Not Found
    Date: Thu, 01 Sep 2022 15:17:15 GMT
    Server: Apache/2.4.54 (Fedora Linux) OpenSSL/1.1.1o mod_fcgid/2.3.9 SVN/1.14.2
    Content-Type: text/html; charset=iso-8859-1
    
    curl: (22) The requested URL returned error: 404 Not Found
    error: skipping http://www.city-fan.org/ftp/contrib/yum-repo/city-fan.org-release-2-2.rhel7.noarch.rpm - transfer failed
    Retrieving http://www.city-fan.org/ftp/contrib/yum-repo/city-fan.org-release-2-2.rhel7.noarch.rpm
    sed: can't read /etc/yum.repos.d/city-fan.org.repo: No such file or directory
    Loaded plugins: fastestmirror, versionlock
    
    
    Error getting repository data for city-fan.org, repository not found
    
    curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.53.1 zlib/1.2.7 libidn/1.28 libssh2/1.8.0
    Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
    Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets
    
    recompile PHP via centmin.sh menu option 5 to
    complete new curl version setup on your system
    
    custom curl RPMs installed...
    you can now use yum update to update curl
     
  3. eva2000

    eva2000 Administrator Staff Member

    49,299
    11,296
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,575
    Local Time:
    11:03 AM
    Nginx 1.21.x
    MariaDB 10.x
    addons/customcurl.sh was fixed in 124.00stable or 130.00beta01 https://community.centminmod.com/threads/centmin-mod-124-00stable-130-00beta01-releases.22673/

    CentOS 7's system openssl 1.0.2 doesn't support TLSv1.3 so even customcurl.sh update won't help. But it should support TLSv1.2 so not sure what's up with that message. What plugin is this from?

    If you update to Centmin Mod 130.00beta01 and set PHP_CUSTOMSSL='y' in persistent config file /etc/centminmod/custom_config.inc and then run centmin.sh menu option 4 to recompile Nginx and latest openssl 1.1.1q version and then run centmin.sh menu option 5 to recompile PHP 7.4, 8.0 or 8.1, it will rebuild PHP-FPM with custom openssl 1.1.1 used by Nginx for TLSv1.3 support.
     
    Last edited: Sep 2, 2022
  4. Doni

    It's the Out-of-the-Box plugin from Awesome Cloud Plugins for WordPress • WP Cloud Plugins

    I will try to update; I'll let you know the result.
     
  5. Doni

    Updated to 130.00beta01 and set PHP_CUSTOMSSL='y'. When I tried to recompile Nginx to the latest version, I got this:

    Code (Text):
    Nginx Upgrade - Would you like to continue? [y/n] y
    
    Current Nginx Version: 1.21.6 (010922-172536-centos7-kvm-2341d4a)
    
    Install which version of Nginx? (version i.e. type 1.21.6): 1.23.1
    
    Do you still want to continue? [y/n] y
    
    Note: As at June 22, 2022 Nginx 1.23.0 is incompatible with several
    Centmin Mod Nginx modules like srcache-nginx-module & redis nginx module
    until then, you can stick with 1.21.6.
    
    Total Nginx Upgrade Time: 9.777937443 seconds
    
    


    I also tried to run the customcurl command, and it still errors:
    Code (Text):
    HTTP/1.1 404 Not Found
    Date: Thu, 01 Sep 2022 17:34:39 GMT
    Server: Apache/2.4.54 (Fedora Linux) OpenSSL/1.1.1o mod_fcgid/2.3.9 SVN/1.14.2
    Content-Type: text/html; charset=iso-8859-1
    
    curl: (22) The requested URL returned error: 404 Not Found
    error: skipping https://mirror.city-fan.org/ftp/contrib/yum-repo/city-fan.org-release-3-2.rhel7.noarch.rpm - transfer failed
    Retrieving https://mirror.city-fan.org/ftp/contrib/yum-repo/city-fan.org-release-3-2.rhel7.noarch.rpm
    sed: can't read /etc/yum.repos.d/city-fan.org.repo: No such file or directory
    Loaded plugins: fastestmirror, versionlock
    
    
    Error getting repository data for city-fan.org, repository not found
    
    curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.53.1 zlib/1.2.7 libidn/1.28 libssh2/1.8.0
    Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
    Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets
    
    
     
  6. eva2000

    Use Nginx 1.21.6 unless you want to use Nginx 1.23.1 with NGINX_ONETWOTHREE_COMPAT='y' https://community.centminmod.com/th...tart-nginx-and-it-showerror.23101/#post-94018 as Nginx 1.23+ branch has breaking changes to Nginx modules so needs more testing so hidden behind NGINX_ONETWOTHREE_COMPAT variable for now.

    Hmm, maybe a broken mirror again?
    Code (Text):
    curl -I https://mirror.city-fan.org/ftp/contrib/yum-repo/city-fan.org-release-3-2.rhel7.noarch.rpm
    HTTP/1.1 404 Not Found
    Date: Thu, 01 Sep 2022 18:04:26 GMT
    Server: Apache/2.4.54 (Fedora Linux) OpenSSL/1.1.1o mod_fcgid/2.3.9 SVN/1.14.2
    Content-Type: text/html; charset=iso-8859-1
    

    looks like they changed the rpm download URL so need to update addons/customcurl.sh
    Code (Text):
    curl -I https://mirror.city-fan.org/ftp/contrib/yum-repo/city-fan.org-release-3-3.rhel7.noarch.rpm
    HTTP/1.1 200 OK
    Date: Thu, 01 Sep 2022 18:05:51 GMT
    Server: Apache/2.4.54 (Fedora Linux) OpenSSL/1.1.1o mod_fcgid/2.3.9 SVN/1.14.2
    Last-Modified: Sun, 14 Aug 2022 15:53:53 GMT
    ETag: "19dcc-5e63585aaee59"
    Accept-Ranges: bytes
    Content-Length: 105932
    Content-Type: application/x-rpm
    

    I've just updated Centmin Mod 124.00stable and 130.00beta01 with a fix for addons/customcurl.sh updated URL so run cmupdate to update your local server code and try re-running the addon.
     
  7. eva2000

    Dug into why, and it looks like curl 7.29, the default in CentOS 7, uses NSS 3.53 as its crypto library, and NSS has actually disabled TLSv1.3 by default since NSS 3.53.1-2, so curl doesn't have TLSv1.3 but should have TLSv1.2.
    Code (Text):
    rpm -qa --changelog nss | grep -C1 -i tls
    
    * Thu Jul 30 2020 Daiki Ueno <dueno@redhat.com> - 3.53.1-2
    - Disable TLS 1.3 by default
    

    The addons/customcurl.sh uses curl 7.84 now and uses NSS 3.67 and has a workaround for NSS 3.53 system disabling of TLSv1.3 by default apparently in changelogs since curl 7.62.0-1.7.cf
    Code (Text):
    rpm -qa --changelog curl | grep -C5 -i 'tls 1.3'
    
    * Tue Dec 04 2018 Paul Howarth <paul@city-fan.org> - 7.62.0-1.7.cf
    - Work around TLS 1.3 being disabled in NSS in EL-7
      - https://github.com/curl/curl/issues/3261
      - https://github.com/curl/curl/pull/3337
    
     
  8. eva2000

  9. Doni

    Hi eva, I will try to dig into what you said. Anyway, I also contacted the author of the plugin, and he said, and I quote:


    Turns out that by adding it to wp-config, the plugin works.
     
  10. eva2000

    Interesting, still curious what output you get from https://community.centminmod.com/th...ot-support-tls1-2-or-tls1-3.23191/#post-94335

    and when you use addons/customcurl.sh with centmin.sh menu option 5 PHP recompiled
     
  11. Doni

    In the shell, right?

    Code (Text):
    OS: Linux
    uname: 3.10.0-1160.71.1.el7.x86_64
    PHP version: 7.4.30
    curl version: 7.29.0
    SSL version: NSS/3.53.1
    SSL version number: 0
    OPENSSL_VERSION_NUMBER: 1010111f
    
    Testing CURL_SSLVERSION_TLSv... (not forced)
    Result TLS_Default: TLS 1.2
    PHP Warning:  Use of undefined constant CURL_SSLVERSION_TLSv1_1 - assumed 'CURL_SSLVERSION_TLSv1_1' (this will throw an Error in a future version of PHP) in /root/test.php on line 35
    Result TLS_v1_1: TLS 1.2
    PHP Warning:  Use of undefined constant CURL_SSLVERSION_TLSv1_2 - assumed 'CURL_SSLVERSION_TLSv1_2' (this will throw an Error in a future version of PHP) in /root/test.php on line 36
    Result TLS_v1_2: TLS 1.2
    PHP Warning:  Use of undefined constant CURL_SSLVERSION_TLSv1_3 - assumed 'CURL_SSLVERSION_TLSv1_3' (this will throw an Error in a future version of PHP) in /root/test.php on line 37
    Result TLS_v1_3: TLS 1.2
    
    Testing CURL_SSLVERSION_MAX_TLSv...
    PHP Warning:  Use of undefined constant CURL_SSLVERSION_MAX_DEFAULT - assumed 'CURL_SSLVERSION_MAX_DEFAULT' (this will throw an Error in a future version of PHP) in /root/test.php on line 40
    Result MAX_Default: TLS 1.2
    PHP Warning:  Use of undefined constant CURL_SSLVERSION_MAX_TLSv1_1 - assumed 'CURL_SSLVERSION_MAX_TLSv1_1' (this will throw an Error in a future version of PHP) in /root/test.php on line 41
    Result TLS_v1_1: TLS 1.2
    PHP Warning:  Use of undefined constant CURL_SSLVERSION_MAX_TLSv1_2 - assumed 'CURL_SSLVERSION_MAX_TLSv1_2' (this will throw an Error in a future version of PHP) in /root/test.php on line 42
    Result TLS_v1_2: TLS 1.2
    PHP Warning:  Use of undefined constant CURL_SSLVERSION_MAX_TLSv1_3 - assumed 'CURL_SSLVERSION_MAX_TLSv1_3' (this will throw an Error in a future version of PHP) in /root/test.php on line 43
    Result TLS_v1_3: TLS 1.2
    
    
     
  12. eva2000

    If I understand it correctly (not a PHP coder), that output agrees with your plugin author's assessment that
    Maybe it isn't in PHP 7.4.30, if you try upgrading to PHP 8.0.23 and retest that script and your Wordpress plugin without the added wp-config.php code.

    If that's the case, then that means your plugin is only PHP 8+ compatible in reality.
     
    Last edited: Sep 3, 2022
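
The test output in post 11 shows undefined `CURL_SSLVERSION_*` constants on a PHP build that reports curl 7.29.0, even though TLS 1.2 is negotiated. The script below is an added example (not part of any post in this thread and not Centmin Mod code): it reads a `curl -V` banner line and reports the libcurl version, the TLS backend, and which constant groups a PHP build linked against that libcurl would define, using the libcurl thresholds given in the PHP manual. The function names and output labels are assumptions made for the example.

```shell
# Added example. SAMPLE is the curl -V banner line posted in this thread (stock CentOS 7).
SAMPLE='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.53.1 zlib/1.2.7 libidn/1.28 libssh2/1.8.0'

# Print the libcurl version from a banner line, e.g. 7.29.0
libcurl_version() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's|^libcurl/||p' | head -n 1
}

# Print the TLS backend token, e.g. NSS/3.53.1 (backend list is not exhaustive)
tls_backend() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        grep -E '^(OpenSSL|LibreSSL|NSS|GnuTLS|mbedTLS|wolfSSL)/' | head -n 1
}

# version_ge A B: succeed when dotted version A >= B (letter suffixes such as 1.1.1q are ignored)
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# List the CURL_SSLVERSION_* constant groups a PHP build linked against this
# libcurl would define (thresholds from the PHP manual: 7.34.0, 7.52.0, 7.54.0).
php_tls_constants() {
    v=$(libcurl_version "$1"); out=""
    if version_ge "$v" 7.34.0; then out="$out TLSv1_2"; fi
    if version_ge "$v" 7.52.0; then out="$out TLSv1_3"; fi
    if version_ge "$v" 7.54.0; then out="$out MAX_TLSv1_x"; fi
    echo "${out:- none}" | sed 's/^ //'
}

# Does the backend offer TLS 1.3 with its defaults? yes / no / policy-dependent / unknown
tls13_by_default() {
    b=$(tls_backend "$1")
    case "$b" in
        OpenSSL/*) if version_ge "${b#OpenSSL/}" 1.1.1; then echo yes; else echo no; fi ;;
        NSS/*)     echo policy-dependent ;;  # EL7 nss 3.53.1-2 disables it unless the curl build works around that
        *)         echo unknown ;;
    esac
}

echo "libcurl $(libcurl_version "$SAMPLE"), backend $(tls_backend "$SAMPLE")"
echo "PHP constants: $(php_tls_constants "$SAMPLE"); TLS 1.3 by default: $(tls13_by_default "$SAMPLE")"
```

For PHP, the version that matters is the libcurl PHP was compiled against (the `curl version:` line in the test output), which is why the thread pairs addons/customcurl.sh with a PHP recompile via centmin.sh menu option 5.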