Re: How to permanently disable ciphers in curl command line.

From: Ray Satiro via curl-users <curl-users_at_cool.haxx.se>
Date: Mon, 18 Jul 2016 00:37:53 -0400

On 7/17/2016 2:06 PM, Spork Schivago wrote:
> I was more interested in system wide, not so much user wide. I know
> certain ciphers are weak and I was trying to harden my system a bit
> and I thought if I could prevent users from using weak ciphers
> altogether, that'd be great. Right now, I'm the only user so maybe
> just disabling it in my .curlrc file will be enough.

curlrc is the best you're going to get with curl. If you mean disable
RC4 globally in NSS for every program that uses it then you're asking in
the wrong place (and I don't know how to do it except rebuild NSS).

>
> I also noticed packages are old with this VPS. I have the epel
> repository and that provides newer software for certain packages and
> gives me packages I don't normally have in my repository, like
> chkrootkit. The chkrootkit's latest version is 0.50 and that was
> released in 2014 I believe. Epel gives me access to version 0.49 so
> it's still a bit outdated.
>
> I don't know a lot about CentOS but I'm learning. I see the latest
> version of curl is 7.49.1. I'm running 7.19.7. I didn't realize
> the latest version of curl in the default repositories was so ancient.
> I'm tempted to try enabling this city-fan.org
> repo to pull in much more recent versions of stuff like OpenSSL, curl,
> etc. I found a website describing how to do this:
>
> https://www.digitalocean.com/community/questions/how-to-upgrade-curl-in-centos6
>
> It's a tough decision though. I'm afraid it might break stuff and
> because the server has cPanel / WHM, I can't really set up CentOS 6 on
> a system at my home and try it there. I pay GoDaddy 10$ extra a
> month for the cPanel / WHM stuff. If I were to purchase it myself,
> I'd have to pay around 200$ a year. I don't want to pay that just to
> set it up on a home system to see if updating curl / libcurl on CentOS
> 6 using the city-fan.org repo will break anything.
>
> In the article, they discuss disabling the repo after installing the
> newer version of curl, but I think I'd leave it enabled, so yum can
> always pull in the newest versions.

RedHat does maintain its packaged version but I'm pretty sure it's only
for major stuff like security fixes. If you can use the latest version
then go for it. Paul Howarth of city-fan has been contributing builds
for a while (Thanks Paul!), he is on the curl download page in the
RedHat section. If you go to the curl packages on his website [1] you
will see there is a warning at the top about dependency break and a
workaround for that. I've CC'd him in case he has anything to add.

Also, it could help that GoDaddy allows you to take snapshots.. but it's
not exactly fluid to restore, you basically need to create a new vps to
restore I think.. you might want to look into that.

[1]: http://mirror.city-fan.org/ftp/contrib/sysutils/Mirroring/

Received on 2016-07-18
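
The following is an added example, not part of the original message: a shell check that a given curlrc file pins a cipher list and that the list does not allow RC4, which is the per-user control the reply points to. The function names `curlrc_ciphers` and `curlrc_check` are hypothetical, and the cipher names in the sample file are constructed test data in curl's NSS naming.

```shell
#!/bin/sh
# Added example: check that a curlrc pins a cipher list with no RC4 entry.
# Function names are hypothetical; the cipher names are sample data.

# Print the value of the last "ciphers" option in a curlrc file.
# curlrc accepts "ciphers = X", "ciphers: X" and "--ciphers X", quoted or not.
curlrc_ciphers() {
    sed -n -E 's/^[[:space:]]*(--)?ciphers[[:space:]=:]+"?([^"[:space:]]+)"?.*$/\2/p' "$1" |
        tail -n 1
}

# Return 0: list pinned, no RC4; 1: no cipher list set; 2: list allows RC4.
curlrc_check() {
    list=$(curlrc_ciphers "$1")
    [ -n "$list" ] || return 1
    old_ifs=$IFS
    IFS=',:'    # NSS lists are comma separated, OpenSSL lists colon separated
    set -f      # no filename globbing while splitting the list
    rc4_found=0
    for c in $list; do
        case $c in '!'*|-*) continue ;; esac    # OpenSSL-style exclusions
        case $(printf '%s' "$c" | tr 'A-Z' 'a-z') in
            *rc4*) rc4_found=2 ;;
        esac
    done
    IFS=$old_ifs
    set +f
    return $rc4_found
}

# Constructed sample: a curlrc whose allow-list still contains an RC4 suite.
sample=$(mktemp)
printf '%s\n' '# constructed sample' \
    'ciphers = rsa_aes_128_sha,rsa_rc4_128_sha' > "$sample"
demo_rc=0
curlrc_check "$sample" || demo_rc=$?
echo "ciphers: $(curlrc_ciphers "$sample")  check status: $demo_rc"
rm -f "$sample"
```

curl reads this file per user (from `$HOME` or `CURL_HOME`), and a user can skip it with `-q` as the first argument, so a passing check confirms a default rather than an enforced policy.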