Need to migrate to TLS 1.2

Need to migrate to TLS 1.2

Jerad Hoff-2
Howdy,

I volunteer for a non-profit that has an old Mac mini running 10.6 Server and LP 8.5 on it. We’re big users of Twilio and they announced today that starting next month they will only accept SSL connections that support TLS 1.2.

Bummer for me.

[Include_URL] doesn’t support TLS 1.2 I guess, so I tried the [OS_PROCESS] route only to discover this is an OS issue as well: OpenSSL (version 0.9.8y) and curl (7.19.7) are also outdated and don’t support TLS 1.2.

Does anyone know what version of the MacOS started supporting TLS 1.2? This thing is the email server, web server, file server, you name it. The idea of trying to jump from 10.6 to 10.11 is giving me nightmares (not to mention the server version for 10.11 appears to remove several functions from the server software, requiring some sort of migration and LP 8.5 apparently takes some hacking to work on this version).

Since Twilio isn’t giving us much time, I’m hoping to band-aid the server for now until it can be replaced. Can I update OpenSSL and CURL on this 10.6 machine without breaking anything? I found instructions to download and compile OpenSSL:

http://foodpicky.com/?p=99

Once that’s updated, I presume I can update curl as well (if I need to):

1. Download curl sources: https://curl.haxx.se/download/curl-7.20.0.tar.gz
2. Unarchive the zip file somewhere
3. Open a Terminal window and go to the directory containing curl sources
4. Type: CFLAGS=-m64 ./configure
5. Type: make
6. Type: sudo make install

Has anyone tried anything like this? We do use a couple of SSL certificates with the web server, will this break them?

Any help or ideas are appreciated!

Thanks,

  - Jerad




#############################################################

This message is sent to you because you are subscribed to
  the mailing list Lasso [hidden email]
Official list archives available at http://www.lassotalk.com
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>
Re: Need to migrate to TLS 1.2

stevepiercy
From:
https://en.wikipedia.org/wiki/Transport_Layer_Security#cnote_c_grp_protocollibrary-table

     TLS 1.1 and 1.2 are available on iOS 5.0 and later, and
     OS X 10.9 and later.

However...

You cannot use include_url in Lasso 8.6.x and have TLS v1.2.

http://lasso.2283332.n4.nabble.com/Lasso-8-6-3-and-TLS-1-2-tt4644921.html
http://www.lassosoft.com/rhinotrac?id=8010

You must shell out and call curl.  You can see an example
implementation in my AuthorizeNet_AIM tag.

https://github.com/stevepiercy/AuthorizeNet_AIM

On top of that, macOS 10.12.6 is borked for TLS v1.2, but I
provided a workaround.

https://github.com/stevepiercy/AuthorizeNet_AIM/issues/5

If you need to install packages, use Homebrew.  Building from
source is usually unnecessary.

https://brew.sh/

--steve



-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy              Website Builder              Eugene, OR
<[hidden email]>               <http://www.stevepiercy.com/>
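
An added example, not part of the original thread or of the AuthorizeNet_AIM tag: before shelling out to curl for a TLS 1.2-only endpoint, classify the `curl --version` banner. It assumes OpenSSL 1.0.1 as the first release with TLS 1.2 and curl 7.34.0 as the first with the `--tlsv1.2` option; the sample banners are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: preflight check for a curl/OpenSSL pair (not the thread's code).
# Assumed thresholds: OpenSSL >= 1.0.1 speaks TLS 1.2; curl >= 7.34.0 has --tlsv1.2.

# ver_ge A B: succeed if dotted version A >= B (letter suffixes such as "y" ignored).
ver_ge() {
    a=$(printf '%s' "$1" | tr -cd '0-9.')
    b=$(printf '%s' "$2" | tr -cd '0-9.')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# tls12_verdict BANNER: classify the first line of `curl --version` output.
#   no-tls12        linked OpenSSL predates TLS 1.2
#   tls12-no-flag   library can do TLS 1.2, but this curl cannot force it
#   tls12-ok        TLS 1.2 available and enforceable with --tlsv1.2
#   unknown-backend curl is not linked against OpenSSL (check that backend instead)
tls12_verdict() {
    curl_v=$(printf '%s\n' "$1" | sed -n '1s|^curl \([^ ]*\).*|\1|p')
    ssl_v=$(printf '%s\n' "$1" | sed -n '1s|.*OpenSSL/\([^ ]*\).*|\1|p')
    if [ -z "$curl_v" ]; then echo "unparsed"; return; fi
    if [ -z "$ssl_v" ]; then echo "unknown-backend"; return; fi
    if ! ver_ge "$ssl_v" 1.0.1; then echo "no-tls12"; return; fi
    if ! ver_ge "$curl_v" 7.34.0; then echo "tls12-no-flag"; return; fi
    echo "tls12-ok"
}

# Constructed sample banners (versions 7.19.7, 0.9.8y and 7.20.0 are from the thread).
OLD_BANNER='curl 7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8y zlib/1.2.3'
MID_BANNER='curl 7.20.0 (x86_64-apple-darwin10.8.0) libcurl/7.20.0 OpenSSL/1.0.2o zlib/1.2.3'
NEW_BANNER='curl 7.59.0 (x86_64-apple-darwin10.8.0) libcurl/7.59.0 OpenSSL/1.0.2o zlib/1.2.11'
ALT_BANNER='curl 7.54.0 (x86_64-apple-darwin17.0) libcurl/7.54.0 LibreSSL/2.0.20 zlib/1.2.11'

for banner in "$OLD_BANNER" "$MID_BANNER" "$NEW_BANNER" "$ALT_BANNER"; do
    printf '%-16s %s\n' "$(tls12_verdict "$banner")" "$banner"
done

# On a real host, classify the installed curl as well.
if command -v curl >/dev/null 2>&1; then
    printf 'local curl: %s\n' "$(tls12_verdict "$(curl --version)")"
fi
```

Run the check against the binary the web application actually invokes: a newer curl installed beside the system one does not change the verdict for the old path.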



Re: Need to migrate to TLS 1.2

Bil Corry-3
Now that TLS 1.3 is available, with speed and security improvements, it's
likely upgrading will be required again in the not-so-distant future.


- Bil




Re: Need to migrate to TLS 1.2

Jerad Hoff-2
In reply to this post by stevepiercy
I looked at Homebrew to upgrade OpenSSL and CURL, but unfortunately you can’t install Homebrew using the current version of CURL/OpenSSL. The ruby command on their website assumes you have a current version of CURL running (they have a help page which states to use a --insecure flag, but it doesn’t work). Chicken, meet egg.

I’ve got the custom “SHELL” tag working just fine, so once I figure out CURL/OpenSSL I should be OK. I just can’t seem to figure that part out. I’m looking at downloading and compiling OpenSSL manually, but 10.6 stores OpenSSL in a custom location; I suspect I’ll get all messed up trying to put the upgraded CURL to the newer OpenSSL version.

Turns out XCODE was never installed on this old machine, so I’m downloading XCODE 3.2.6 now (which is purported to be the version for OS X 10.6). Wish me luck.

Thanks for the response!

  - Jerad


