curl-users

Re: How to permanently disable ciphers in curl command line.

From: Spork Schivago <sporkschivago_at_gmail.com>
Date: Mon, 18 Jul 2016 13:48:31 -0400

Good to go. I'm going to go for installing a later version. For the
curlrc stuff, maybe I could just put it in the skeleton directory and make
sure users don't have write access. If they need something changed, I can
change it. Thanks for all the help.

I'll work on upgrading curl but I'll do a backup first. They can take a
little bit of time but that way, if anything breaks, I can easily go back
to a working system.

Thanks!

On Mon, Jul 18, 2016 at 12:37 AM, Ray Satiro <raysatiro_at_yahoo.com> wrote:

> On 7/17/2016 2:06 PM, Spork Schivago wrote:
>
> I was more interested in system wide, not so much user wide. I know
> certain ciphers are weak and I was trying to harden my system a bit and I
> thought if I could prevent users from using weak ciphers altogether,
> that'd be great. Right now, I'm the only user so maybe just disabling it
> in my .curlrc file will be enough.
>
>
> curlrc is the best you're going to get with curl. If you mean disable RC4
> globally in NSS for every program that uses it then you're asking in the
> wrong place (and I don't know how to do it except rebuild NSS).
>
>
> I also noticed packages are old with this VPS. I have the epel
> repository and that provides newer software for certain packages and gives
> me packages I don't normally have in my repository, like chkrootkit. The
> chkrootkit's latest version is 0.50 and that was released in 2014 I
> believe. Epel gives me access to version 0.49 so it's still a bit
> outdated.
>
> I don't know a lot about CentOS but I'm learning. I see the latest
> version of curl is 7.49.1. I'm running 7.19.7. I didn't realize the
> latest version of curl in the default repositories was so ancient. I'm
> tempted to try enabling this city-fan.org repo to pull in much more
> recent versions of stuff like OpenSSL, curl, etc. I found a website
> describing how to do this:
>
>
> https://www.digitalocean.com/community/questions/how-to-upgrade-curl-in-centos6
>
> It's a tough decision though. I'm afraid it might break stuff and
> because the server has cPanel / WHM, I can't really set up CentOS 6 on a
> system at my home and try it there. I pay GoDaddy 10$ extra a month for
> the cPanel / WHM stuff. If I were to purchase it myself, I'd have to pay
> around 200$ a year. I don't want to pay that just to set it up on a home
> system to see if updating curl / libcurl on CentOS 6 using the
> city-fan.org repo will break anything.
>
> In the article, they discuss disabling the repo after installing the newer
> version of curl, but I think I'd leave it enabled, so yum can always pull
> in the newest versions.
>
>
> RedHat does maintain its packaged version but I'm pretty sure it's only
> for major stuff like security fixes. If you can use the latest version then
> go for it. Paul Howarth of city-fan has been contributing builds for a
> while (Thanks Paul!), he is on the curl download page in the RedHat
> section. If you go to the curl packages on his website [1] you will see
> there is a warning at the top about dependency break and a workaround for
> that. I've CC'd him in case he has anything to add.
>
> Also, it could help that GoDaddy allows you to take snapshots.. but it's
> not exactly fluid to restore, you basically need to create a new vps to
> restore I think.. you might want to look into that.
>
>
> [1]: http://mirror.city-fan.org/ftp/contrib/sysutils/Mirroring/
>
>

Received on 2016-07-18
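
An audit for the curlrc approach discussed in this thread, as an added example that is not part of the original messages: it checks each home directory's `.curlrc` for a `ciphers` setting, flags RC4 entries, and flags files that still carry a write bit. The function names and the sample cipher list are assumptions for illustration, and the check assumes an NSS-style comma-separated allow list.

```shell
#!/bin/sh
# Added example: audit per-user .curlrc files for a pinned cipher list.
# Assumption: NSS-style comma-separated allow list, e.g. (constructed sample)
#   ciphers = "rsa_aes_128_sha,rsa_aes_256_sha"

# Print one verdict for a curlrc file:
#   missing | no-ciphers | weak | writable | ok
check_curlrc() {
    f=$1
    # A symlink could point at a file the user controls, so treat it as missing.
    [ -f "$f" ] && [ ! -L "$f" ] || { echo missing; return; }

    # Every "ciphers" setting in the file, with or without leading dashes;
    # curl accepts whitespace, '=' or ':' between option name and value.
    lines=$(grep -Ei '^[[:space:]]*(--)?ciphers([[:space:]]|=|:)' "$f" || true)
    [ -n "$lines" ] || { echo no-ciphers; return; }

    # Any RC4 suite in the allow list defeats the purpose of the pin.
    if printf '%s\n' "$lines" | grep -qi 'rc4'; then
        echo weak; return
    fi

    # Any write bit (owner, group or other) means the pin can be edited in place.
    if [ -n "$(find "$f" -prune \( -perm -200 -o -perm -020 -o -perm -002 \))" ]; then
        echo writable; return
    fi
    echo ok
}

# Audit every home directory under a base path (default /home).
# Prints "<verdict> <path>" per home directory.
audit_homes() {
    base=${1:-/home}
    for home in "$base"/*/; do
        [ -d "$home" ] || continue
        printf '%s %s\n' "$(check_curlrc "${home}.curlrc")" "${home}.curlrc"
    done
}
```

A read-only `.curlrc` sets a default rather than enforcing one: `curl -q` skips the file, and a `--ciphers` argument on the command line overrides it.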