Centos 5.11 OpenSSL TLS 1.2 for Paypal


Solution 1

Doh, Thank you Hakan, so simple.

ldd /usr/local/bin/curl showed the new curl to not be linked to the new OpenSSL (ran out of scroll buffer to copy here).

I re-ran the configure, make and make install of curl:

ldd /usr/local/bin/curl
    linux-gate.so.1 =>  (0xb77be000)
    libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0xb7764000)
    libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0xb76fe000)
    libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0xb7560000)
    libz.so.1 => /lib/libz.so.1 (0xb754d000)
    librt.so.1 => /lib/librt.so.1 (0xb7543000)
    libc.so.6 => /lib/libc.so.6 (0xb73e7000)
    libidn.so.11 => /usr/lib/libidn.so.11 (0xb73b6000)
    libdl.so.2 => /lib/libdl.so.2 (0xb73b1000)
    libpthread.so.0 => /lib/libpthread.so.0 (0xb7397000)
    /lib/ld-linux.so.2 (0xb77bf000)

and it now works:

/usr/local/bin/curl https://tlstest.paypal.com
PayPal_Connection_OK

Thank you!
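As an added example (not code from either answer), a small POSIX shell helper that automates the check Solution 1 relied on: it parses `ldd` output and reports whether a curl binary resolves libssl/libcrypto from the rebuilt OpenSSL prefix or from the CentOS 5 system copy. The library path, the shortened sample `ldd` outputs and the probe function are assumptions, not something from the original thread.

```shell
# Added example, not code from the original answers: classify `ldd` output to tell
# whether a curl build really resolves libssl/libcrypto from the rebuilt OpenSSL
# prefix (assumed /usr/local/ssl/lib, as in Solution 1) rather than from the
# CentOS 5 system OpenSSL 0.9.8, which cannot negotiate TLS 1.2.
NEW_SSL_LIBDIR="${NEW_SSL_LIBDIR:-/usr/local/ssl/lib}"

# ssl_link_status "<ldd output>" prints one word and returns 0 only for "new":
#   new      both libssl and libcrypto resolve under $NEW_SSL_LIBDIR
#   system   at least one of them resolves elsewhere (the old system OpenSSL)
#   missing  one of them is "not found" or not dynamically linked at all
ssl_link_status() {
    status=new
    for lib in libssl libcrypto; do
        # third field of "libssl.so.1.0.0 => /path/libssl.so.1.0.0 (0x...)"
        path=$(printf '%s\n' "$1" | awk -v l="$lib" '$1 ~ ("^" l "\\.so") { print $3; exit }')
        case "$path" in
            "" | not)            echo missing; return 1 ;;
            "$NEW_SSL_LIBDIR"/*) ;;
            *)                   status=system ;;
        esac
    done
    echo "$status"
    [ "$status" = new ]
}

# check_curl_binary /path/to/curl: run ldd on a real binary and classify it
check_curl_binary() {
    ssl_link_status "$(ldd "$1" 2>/dev/null)"
}

# tls12_probe /path/to/curl: once linking is right, confirm a TLS 1.2-only handshake
# against PayPal's test endpoint (needs network; prints the HTTP status, 200 on success)
tls12_probe() {
    "$1" -sS --tlsv1.2 -o /dev/null -w '%{http_code}' https://tlstest.paypal.com
}

# Constructed, shortened ldd samples: the rebuilt curl from Solution 1, and a curl
# still bound to the CentOS 5 system OpenSSL (libssl.so.6 / libcrypto.so.6).
LDD_REBUILT='    libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0xb7764000)
    libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0xb76fe000)
    libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0xb7560000)
    libc.so.6 => /lib/libc.so.6 (0xb73e7000)'
LDD_SYSTEM='    libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0xb7764000)
    libssl.so.6 => /lib/libssl.so.6 (0x00110000)
    libcrypto.so.6 => /lib/libcrypto.so.6 (0x00a00000)
    libc.so.6 => /lib/libc.so.6 (0xb73e7000)'
```

Run check_curl_binary /usr/local/bin/curl on the CentOS 5 host; any result other than new means the curl rebuild step from Solution 1 has to be repeated before the PayPal test can pass.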

Solution 2

For anyone that has CentOS 5 EOL issues connecting to APIs with newer SSL like TLS 1.2:

Set up a separate barebones Linux VPS and install nginx, using proxy_pass as a two-way proxy between your box and the API endpoint.

I was able to get nginx running as a tunnel proxy in a matter of 30 minutes using this method. It doesn't matter how you connect to your VPS (I do over HTTP) and it supports all SSL cipher suites on the API end.

Here's my nginx default server:

server {
     # plain HTTP listener for the CentOS 5 box (no TLS needed on this leg)
     listen 80 default_server;
     listen [::]:80 default_server;
     access_log off;
     # proxy_pass is only valid inside a location block, not directly under server
     location / {
          proxy_pass https://someAPIdomain.com;
     }
}

That's it! Remember to restart the nginx service after changing the config. You can, of course, add additional parameters to only allow your CentOS server's IP, change the listening port, and other security/obfuscation measures if you want to.


Author by Kevin W

Updated on September 18, 2022

Comments

  • Kevin W almost 2 years

    I run a website on a server running Centos 5.11 - EOL now I know but an upgrade is not possible for a while. The website runs the Sellerdeck software which integrates with Paypal for payments.

    In the next month or so Paypal will require me to be using TLS 1.2 [1] for connections to them, which is not supported by the default OpenSSL version installed in 5.11 (0.9.8b).

    I have followed instructions [2] to install a second version of OpenSSL, and a second version of Curl linked to that new version of OpenSSL, which will support TLS 1.2, but it still doesn't pass the Paypal Test.

    Centos 5.11 with OpenSSL 1.0.2k in /usr/local/:

    /usr/local/bin/curl https://tlstest.paypal.com
    curl: (35) Unknown SSL protocol error in connection to tlstest.paypal.com:443
    

    Centos 6.9 with OpenSSL 1.0.1e-fips

    curl https://tlstest.paypal.com
    PayPal_Connection_OK
    

    Can anyone help point me in the right direction as to why the connection is not working with the updated OpenSSL?

    Thanks very much

    Kevin

    1 - https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1914&viewlocale=en_US

    2 - https://miteshshah.github.io/linux/centos/how-to-enable-openssl-1-0-2-a-tlsv1-1-and-tlsv1-2-on-centos-5-and-rhel5/

    Verbose non-working output:

    /usr/local/bin/curl -Ivvv https://tlstest.paypal.com
    * Rebuilt URL to: https://tlstest.paypal.com/
    *   Trying 23.67.159.210...
    * Connected to tlstest.paypal.com (23.67.159.210) port 443 (#0)
    * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    * successfully set certificate verify locations:
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * TLSv1.0, TLS handshake, Client hello (1):
    * Unknown SSL protocol error in connection to tlstest.paypal.com:443
    * Closing connection 0
    curl: (35) Unknown SSL protocol error in connection to tlstest.paypal.com:443
    

    Verbose working output:

    curl -Ivvv https://tlstest.paypal.com
    * About to connect() to tlstest.paypal.com port 443 (#0)
    *   Trying 23.214.50.150... connected
    * Connected to tlstest.paypal.com (23.214.50.150) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
    * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    * Server certificate:
    *       subject: CN=tlstest.paypal.com,OU=CDN Support,O="PayPal, Inc.",STREET=2211 N 1st St,L=San Jose,ST=California,postalCode=95131-2021,C=US,serialNumber=3014267,businessCategory=Private Organization,incorporationState=Delaware,incorporationCountry=US
    *       start date: Nov 06 00:00:00 2015 GMT
    *       expire date: Oct 26 23:59:59 2017 GMT
    *       common name: tlstest.paypal.com
    *       issuer: CN=Symantec Class 3 EV SSL CA - G3,OU=Symantec Trust Network,O=Symantec Corporation,C=US
    > HEAD / HTTP/1.1
    > User-Agent: curl/7.19.7 (i386-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
    > Host: tlstest.paypal.com
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    < Content-Type: text/html
    Content-Type: text/html
    < Content-Length: 20
    Content-Length: 20
    < Date: Sat, 06 May 2017 12:58:47 GMT
    Date: Sat, 06 May 2017 12:58:47 GMT
    < Connection: keep-alive
    Connection: keep-alive
    <
    * Connection #0 to host tlstest.paypal.com left intact
    * Closing connection #0