2

I am trying to build curl on my RHEL 6.x box as the existing version does not support TLSv1.2. However, no matter what option I select, it always ends up with the following error:

configure: WARNING: SSL disabled, you will not be able to use HTTPS, FTPS, NTLM and more.
configure: WARNING: Use --with-ssl, --with-gnutls, --with-polarssl, --with-cyassl, --with-nss, --with-axtls....

The options I have attempted are

./configure --with-ssl
./configure --with-ssl=/usr/bin/openssl
./configure --with-nss
./configure --with-gnutls

I have also attempted to download and build nss and openssl but that did not help either.

souser
  • Which major RHEL release and are the equivalent `-devel` packages installed for openssl, nss and/or gnutls? – HBruijn Aug 31 '16 at 16:16
  • 1
    That's confusing. Are you sure your system is up to date? On my Scientific Linux 6.7 system, curl 7.19.7, supplied by RHEL, supports the `--tlsv1.2` flag. What does `curl --help | grep tls` show you? `curl --version` says it includes these libraries: `curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2`. – Stefan Lasiewski Aug 31 '16 at 16:33
  • It supports only tlsv1: `curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.3.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2` `Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp` `Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz` – souser Aug 31 '16 at 16:51
  • 1
    If you really want to build curl locally, you might need to install NSS locally first because the system NSS itself may not support tls1.2. Then use `--without-ssl --with-nss=~youruser/lib/nss` per https://curl.haxx.se/docs/install.html . But be warned, compiling your own software in this way can lead you down a rathole. The best, most maintainable solution is for your Unix team to simply update curl and NSS via `yum update`. To me, it looks like your `curl` and `nss` packages are out of date, which is why you're having problems in the first place. – Stefan Lasiewski Aug 31 '16 at 17:47
  • 1
    @Stefan, I agree that it's not the simplest thing to do. I have been struggling for a while now. I have already attempted your suggestion but will retry later today. Thanks for your help. – souser Aug 31 '16 at 18:59
  • You might want to try the rpm2cpio method described at https://unix.stackexchange.com/questions/73653/installing-a-package-locally-to-a-user-best-practices . I've done this a few times, but it was a little tricky. – Stefan Lasiewski Aug 31 '16 at 20:54

1 Answer

7

You should not need to build your own curl version; support for TLS 1.1 & 1.2 (with the `--tlsv1.1` and `--tlsv1.2` command-line switches, respectively) has been backported and became available in 2014 from curl version 7.19.7-43 of the RHEL 6 rpm package.

Please read this Q&A on how version numbers for software stay the same in Red Hat major releases, despite the bugfixes that get applied, or sometimes, as in the case of curl, despite new features getting added (and why you should patch RHEL (and derivatives such as CentOS) systems).

Every official RHEL 6 package for curl will say `curl --version` = 7.19.7; it's about the release, as displayed in `yum info curl` and `rpm -q --changelog curl`; anything beyond 43.el6 ought to support TLS 1.2.

Despite the fact that the curl man page says that the `--tlsv1.2` option was only introduced in curl 7.34, in Red Hat's curl 7.19 both TLS v1.1 and v1.2 are available.

HBruijn
  • 2
    The RHEL 6.x that I have comes with curl 7.19.7. However, that version of curl only supports TLSv1. If I attempt to connect to a server with TLSv1.2, it fails. Unfortunately, the Unix team is not willing to patch the systems. I am trying to resolve this issue by building curl and hence this post. – souser Aug 31 '16 at 16:50
  • `curl --help` shows only tlsv1. When I try to access a site which is on TLSv1.2 I receive the error "SSL connect error". When I attempt to use `--tlsv1.2` I receive the error "option --tlsv1.2: is unknown". Is there anything else I should try? – souser Aug 31 '16 at 18:55
  • `yum info curl` shows Release : 37.el6_4 – souser Aug 31 '16 at 18:56
  • 1
    So your IT department has not patched their Linux servers since February 2013 when RHEL 6.4 was bundled. Even if your IT department had been paying for *extended* support, that has also run out. As Stefan already commented, odds are you need to create an almost complete custom build environment to successfully build curl from source. The only silver lining is that with their current practices nobody there will expect you to maintain that after it has been set up.... – HBruijn Aug 31 '16 at 19:40
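
The release check described in the answer, written out as an added shell example that is not part of the original thread: it decides from the RPM version-release string whether the TLS 1.1/1.2 backport should be present, and checks `curl --help` for the switch as suggested in the comments. The function names are hypothetical, the threshold 43 is the one stated in the answer, and the sample strings other than `7.19.7-37.el6_4` are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Judge a RHEL 6 curl by its RPM release,
# because `curl --version` reports 7.19.7 for every official RHEL 6 build.
MIN_RELEASE=43   # threshold from the answer: 7.19.7-43.el6 or later

# tls12_backported VERSION-RELEASE
# returns 0 = backport expected, 1 = too old, 2 = rule does not apply
tls12_backported() {
    vr=$1
    version=${vr%%-*}                     # "7.19.7"
    [ "$version" != "$vr" ] || return 2   # no "-" separator at all
    release=${vr#*-}                      # "37.el6_4"
    relnum=${release%%.*}                 # "37"
    case $relnum in
        ''|*[!0-9]*) return 2 ;;          # release does not start with a number
    esac
    [ "$version" = "7.19.7" ] || return 2 # only the RHEL 6 base version is covered
    [ "$relnum" -ge "$MIN_RELEASE" ]
}

# Reads `curl --help` text on stdin; succeeds if the --tlsv1.2 switch is listed.
help_lists_tls12() { grep -q -e '--tlsv1\.2'; }

report() {
    rc=0
    tls12_backported "$1" || rc=$?
    case $rc in
        0) echo "$1: release >= $MIN_RELEASE, --tlsv1.2 should be available" ;;
        1) echo "$1: release < $MIN_RELEASE, update the curl and nss packages" ;;
        *) echo "$1: not a RHEL 6 curl 7.19.7 package, rule does not apply" ;;
    esac
}

# 37.el6_4 is the release quoted in the thread; the other two are constructed.
for sample in 7.19.7-37.el6_4 7.19.7-43.el6 7.29.0-59.el7; do
    report "$sample"
done

# On a real host, check the installed package and the binary itself.
if command -v rpm >/dev/null 2>&1 &&
   installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' curl 2>/dev/null); then
    report "$installed"
    if curl --help 2>/dev/null | help_lists_tls12; then
        echo "curl --help lists --tlsv1.2"
    else
        echo "curl --help does not list --tlsv1.2"
    fi
fi
```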