Redhat – How to build curl for TLSv1.2 support

curlredhatrhel6

I am trying to build curl on my RHEL 6.x box as the existing version does not support TLSv1.2. However, no matter what option I select, it always ends up with the following error :

configure: WARNING: SSL disabled, you will not be able to use HTTPS, FTPS, NTLM and more.
configure: WARNING: Use --with-ssl, --with-gnutls, --with-polarssl, --with-cyassl, --with-nss, --with-axtls....

The options I have attempted are

./configure --with-ssl
./configure --with-ssl=/usr/bin/openssl
./configure --with-nss
./configure --with-gnutls

I have also attempted to download and build nss and openssl but that did not help either.

Best Answer

You should not need to build your own curl version, support for TLS 1.1 & 1.2 (with the --tlsv1.1 resp. --tlsv1.2 commandline switches) has been backported and became available in 2014 from curl version 7.19.7-43 of the RHEL 6 rpm package.

Please read this Q&A how version numbers for software stay the same in Red Hat major releases, despite the bugfixes that get applied, or sometimes as in the case of curl, despite new features getting added (and why you should patch RHEL (and derivatives such CentOS) systems.)

Every official RHEL 6 package for curl will say curl --version = 7.19.7, it's about the release, as displayed in yum info curl and rpm -q --changelog curl; anything beyond 43.el6 ought to support TLS 1.2.

Despite the fact the curl man page says that the --tlsv1.2 option was only introduced in curl 7.34, in Red Hat's curl 7.19 both TLS v1.1 and v1.2 are available.

Related Solutions

Redhat – How to install Phusion Passenger using RVM on Rackspace server

I had to install Passenger (specifically mod_passenger) and here's how I did it. My environment is CentOS 6, x86_64.

Install required rpms

yum install httpd httpd-devel openssl-devel mod_ssl

Add EPEL repo. Remember to edit /etc/yum.repos.d/epel.repo and disable it by setting enabled to 0. Actual source for epel-release-6-5.noarch.rpm will not be from fedoraproject.org/... as you will actually be hitting a mirror server.
```
wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-5.noarch.rpm
rpm -ivh epel-release-6-5.noarch.rpm
```
Set up to use yum repo at stealthymonkeys.com which hosts rpms for passenger. Installs mod_passenger which requires epel repo for some dependent rpms.
```
rpm -Uvh http://passenger.stealthymonkeys.com/rhel/6/passenger-release.noarch.rpm
```

Install mod_passenger using the following command.

yum   --enablerepo=epel  --enablerepo=passenger  install mod_passenger

Not able to provide better answer as I don't know your environment but hopefully this will help.

Linux – NTLM with cURL returns 401

I am not really sure why, but while my 7.22 version shouldn't be affected by the whole NTLM issue, it seems that it is.

The only solution seems to be to use an old (<7.19, I tried with 7.15) version or to use a new version (I tried 7.26). As said, I cannot downgrade or upgrade libcurl itself just for this feature. This means we need to find a workaround....

Workaround used (warning: hack coming up)

Download and compile the curl you wish to use. I did NOT do this as root // sudo this because I don't want to replace the current libcurl etc!
```
wget http://curl.haxx.se/download/curl-7.26.0.zip
./configure --prefix=/local_path/
make
make install
```
Test the new curl command we just compiled: it does give the 401, but then instead of the gss_init_sec_context() you should see it going to an (in the end) 302. This is winning.
The hack part: use this libcurl when calling your script. We are working with a 3rd party PHP "app" (one of the reasons I'm not happy about changing all curl libs), and instead of directly calling this, we make an ugly-but-working wrapper, that calls something like this:
```
$se = shell_exec("LD_LIBRARY_PATH=/local_path/lib php /path/3rdparty.php");
```

Yes, this has drawbacks, and yes this is bit of a skeleton example (meaning you probably want to add some things like maybe the original path for instance) but the basics are kinda there.

Not really proud of this, but I think more people are restrained by the fact they cannot just go and update their libcurl to a random version and are using some sort of plugin that uses e.g. php-ews, or anything build on the NTLMSoapClient.

I hope there is another option down the line, but as this is currently the only way to get it 'working' I thought I'd share.

Best Answer

Related Solutions

Redhat – How to install Phusion Passenger using RVM on Rackspace server

Linux – NTLM with cURL returns 401

Related Topic