How to upgrade cURL in Centos6?

January 15, 2016

All my droplets run Centos 6, and I use cURL quite widely. However, as I'm updating servers to use HTTPS (and, more importantly, restricting to TLSv1) I've hit a problem - the version of cURL installed on them all is prehistoric; it's so old it doesn't recognise TLSv1.

From comments on fora, this seems to be common, but a solution isn't. Yum refuses to see a problem as there evidently isn't a distro in any of the standard repos more modern than v7.19.7. Attempting to upgrade directly with RPM by pulling down a file from e.g. the city-fan repo fails as it triggers a wave of dependency issues that I'm afraid I have no idea how to solve.

It seems bizarre that there isn't a Yum repo somewhere which has rolled up a more modern distro with all its dependencies, given how critical SSL security has become to almost all websites and how popular Centos6/RHEL is, but I'm buggered if I can find one.

Does anyone know of a suitable repo? If not, can anyone point me towards any decent advice on solving all the dependency problems (everything I've googled seems to end with "...and now rebuild cURL" :/)

15 comments
  • UPDATE

    Surprised there haven't been any responses, as this is a major issue which will, sooner rather than later, bite everyone running a CentOS 6 webserver.

    OK, the solution is to be found in the city-fan repo after all; I had just been a bit more of an idiot than usual when trying to use it earlier... Another point to note is that the University of Seville mirror is a LOT faster and more available than city-fan itself, which is apparently run off somebody's home ADSL line!

    EITHER add the repo setup file manually e.g.

    rpm -Uvh http://nervion.us.es/city-fan/yum-repo/rhel6/x86_64/city-fan.org-release-1-13.rhel6.noarch.rpm

    (adjusting for your architecture and the release number, if there is a later one)

    OR (better solution) add a new text file called /etc/yum.repos.d/city-fan.repo containing

    [CityFan]
    name=City Fan Repo
    baseurl=http://nervion.us.es/city-fan/yum-repo/rhel$releasever/$basearch/
    enabled=1
    gpgcheck=0
    

    Either way, you should then be good to go:

    yum clean all
    yum install libcurl 
    

    should update cURL to a (very) recent OpenSSL-based version (7.46.0 at the time of writing), which will resolve the "unknown protocol" errors for TLSv1 etc.

    You may want to then remove/rename the city-fan.repo file if you want to prevent yum later also updating other packages you may have installed with "non-official" later versions.

    Hope this helps others who will come in search of the same answers. This is a huge oops by Redhat IMHO - I have no idea why something which has become so crucial to website operation isn't now included in the official repo.
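An added example, not part of the original post or of the city-fan project: the repo file above sets gpgcheck=0 and uses an http:// baseurl, so yum installs packages from it without verifying signatures or protecting the transfer. This shell sketch audits repo files for both settings; `audit_repo` and `sample_repo` are hypothetical helper names, and the sample stanza is the one from the post.

```shell
#!/bin/sh
# Added example. audit_repo and sample_repo are hypothetical helper names.

# The stanza from the post, reproduced as sample input.
sample_repo() {
    cat <<'EOF'
[CityFan]
name=City Fan Repo
baseurl=http://nervion.us.es/city-fan/yum-repo/rhel$releasever/$basearch/
enabled=1
gpgcheck=0
EOF
}

# audit_repo [FILE...]: print "<section>: <finding>" for every enabled repo
# that disables signature checking or is fetched over plain HTTP.
audit_repo() {
    awk '
        function report() {
            if (section == "" || enabled == "0") return
            if (gpgcheck == "0")
                print section ": gpgcheck=0, package signatures are not verified"
            else if (gpgcheck == "")
                print section ": gpgcheck unset, inherits [main] in /etc/yum.conf"
            if (plain_http)
                print section ": plain-HTTP source, content can be altered in transit"
        }
        /^[ \t]*[#;]/ { next }                      # comment lines
        /^[ \t]*\[.*\][ \t]*$/ {                    # new [section]
            report()
            section = $0
            sub(/^[ \t]*\[/, "", section); sub(/\][ \t]*$/, "", section)
            gpgcheck = ""; enabled = "1"; plain_http = 0
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "gpgcheck") gpgcheck = val
            else if (key == "enabled") enabled = val
            else if ((key == "baseurl" || key == "mirrorlist") && val ~ /^http:/)
                plain_http = 1
        }
        END { report() }
    ' "$@"
}

sample_repo | audit_repo
```

On a real host, run it over the installed repo files with `audit_repo /etc/yum.repos.d/*.repo`.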

  • Oh my actual.

    I thought you'd like to know that days and days (literally) of troubleshooting the strangest issues affecting my use of the WPMU Membership 2 Pro plugin preventing payments to be validated using PayPal's IPN validating service, but only for some accounts and not others, only to find the distinguishing feature was the PayPal server that they are hosted on, and the fact that some of those servers had been updated to take note of recent security changes: https://devblog.paypal.com/upcoming-security-changes-notice/#ipn. I finally found that my version of libcurl was so outdated that it was causing issues using these new security protocols.

    5mins after arriving on this post, fixed.

    I expect you'll see some more traffic and comments here as PayPal roll out these updates and software developers currently using http start moving to https.

  • Great to hear it was helpful. Yep, this is one that's going to run and run, I think.

  • I've run into this issue too. Our webservers are running CentOS 6 and we've started to have issues using cURL to connect to services requiring TLS.

    Of course yum reports I'm using the latest version for my distro. I reached out to Rackspace as part of our managed service level and was met with a resounding "not supported" and linked to the main cURL page.

    After looking on there and various SO questions I soon realised I'd opened up a can of worms. The general gist seems to be that libcurl is so deeply embedded into the system that upgrading it could break everything. The main cURL page hints at resolving these issues by installing a bunch of other libs to get around this, but I didn't understand it:

    "The version of curl and libcurl here provides libcurl.so.4, whereas many distributions include a version of curl that provides libcurl.so.3 or libcurl.so.2. This means that installing the curl and libcurl packages from this repository can break a lot of dependencies for applications linked against the older libcurl. This problem can be avoided by also installing the libcurl7155 (for libcurl.so.3) and/or libcurl7112 (for libcurl.so.2) packages, for backwards compatibility"

    I can't quite believe how difficult it is to upgrade this but am relieved to find this page after a lot of searching.

    Will the instructions provided here break applications requiring older versions of libcurl? Will it all "just work" when I do this?

    Thanks for your help and for this page!

  • Will the instructions provided here break applications requiring older versions of libcurl? Will it all "just work" when I do this?

    Now that's a question I'm afraid I can't answer - I'm not enough of a linux guru to comment usefully on that one. What you've turned up about cURL version issues is really useful; at least if anything does break it looks like installing the versions of cURL mentioned will maintain the dependencies. It's also news to me, I'm afraid I just trusted to the powers of yum and went ahead and upgraded it!

    All I can say is that nothing seems to have broken on any of the half-dozen servers I've applied this to; they're all running a similar load-out though (Apache, PHP 5.5, MySQL v5.5). A couple are also running BIND, Exim etc, and one of the local machines is hosting VirtualBox VMs, and everything seems OK.

    I suspect that so long as you're running current versions of everything, they'll use/support the newer cURL libraries. I'd think you'd only run into broken dependency issues if you are still running old software which still has those old dependencies?

    I guess as ever experiment is required - spin up a test server with an image of a working system, apply the update and see if there are any problems. At the end of the day, we don't really have any choice but to upgrade given the TLS issue, so if you do hit any problems they're going to have to be solved sometime anyway. Maybe this is an excuse to update any other old software you're still using too?

    Good luck, do please report back if you do hit any problems and how you resolve them.

6 Answers

Just glad this is helping people, having had to fight my way through it myself!

I am still astonished this hasn't blown up into a much more widely-discussed issue, as it must be breaking enormous numbers of SSL endpoints by now (Paypal merchant sites alone must be hitting this in huge numbers by now, for goodness sake, but payment providers still don't seem to be offering anything in the way of help or advice).

I also can't understand why Redhat still aren't coming to the party, as this effectively breaks every v6 installation on the planet which relies on SSL. Ah well, 'tis a strange world...

I just wanted to add a huge thank you for posting this! I've been racking my brain for a few hours between openssl, PHP and Curl versions to get this to work, and this was all I needed. I agree, this is a HUGE issue with RH/CentOS not updating Curl. So thanks again for a perfect solution to this problem.

Hello Everyone!!!

Hope someone can help me with my problem. We have a server at GoDaddy with CentOS 6 and installed an SSL certificate on it, but we started having problems with PayPal transactions, and GoDaddy recommended updating the curl version following a procedure where we download a tar file. After configure and install, the webpage with the certificate stopped working, because PayPal and MercadoPago don't allow transactions without an SSL certificate.

At the command line we started looking for the problem, and when we run #yum check or #yum update it throws the following error.

"# yum check
There was a problem importing one of the Python modules
required to run yum. The error leading to this problem was:

libssh2.so.1: cannot open shared object file: No such file or directory

Please install a package which provides this module, or
verify that the module is installed correctly.

It's possible that the above module doesn't match the
current version of Python, which is:
2.6.6 (r266:84292, Aug 18 2016, 15:13:37)
[GCC 4.4.7 20120313 (Red Hat 4.4.7-17)]

If you cannot solve this problem yourself, please go to
the yum faq at:
http://yum.baseurl.org/wiki/Faq"

I can't run yum commands but can install rpm. Any suggestions?

  • Nasty; you need to fix your yum problem before you can do anything else, suggest you consult other forums for info on how to do that - updating python is not my area of expertise I'm afraid. Once you have that sorted, hopefully the info on this page will let you solve your SSL issue. Good luck!

    • I fixed my yum problems, but when I try to follow the steps mentioned I'm getting this error.

      Complements loaded:fastestmirror
      curl-7.52.1-2.0.cf.fc6.x86_64 didn't found need of libcurl = ('0', '7.52.1', '2.0.cf.fc6')

      This is my curl version
      curl 7.52.1 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.33 libssh2/1.4.2

      and I'm still getting the error at PayPal of cURL error 35: Unsupported SSL protocol version

      What can I do?
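An added example, not part of the original comments: the version line quoted above reports a 7.52.1 curl tool that is still loading libcurl 7.19.7 with the NSS backend, and it is the loaded library, not the tool, that determines TLS behaviour. This shell sketch parses `curl --version` output and reports that mismatch; `curl_link_check` and the sample functions are hypothetical names, and the second sample line is constructed.

```shell
#!/bin/sh
# Added example. curl_link_check is a hypothetical helper name.

# First line of `curl --version` as quoted in the comment above.
sample_mismatch() {
    echo 'curl 7.52.1 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.33 libssh2/1.4.2'
}

# Constructed line for a host where tool and library were upgraded together.
sample_matched() {
    echo 'curl 7.46.0 (x86_64-redhat-linux-gnu) libcurl/7.46.0 OpenSSL/1.0.1e zlib/1.2.3'
}

# curl_link_check: read `curl --version` output on stdin and report the tool
# version, the libcurl actually loaded at run time, and the TLS backend.
curl_link_check() {
    awk 'NR == 1 {
        tool = $2; lib = "unknown"; tls = "none"
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^libcurl\//) { lib = $i; sub(/^libcurl\//, "", lib) }
            else if ($i ~ /^(OpenSSL|NSS|GnuTLS)\//) tls = $i
        }
        status = (tool == lib) ? "OK" : "MISMATCH"
        printf "tool=%s libcurl=%s tls=%s status=%s\n", tool, lib, tls, status
    }'
}

sample_mismatch | curl_link_check
sample_matched | curl_link_check
```

On a real host, pipe the live output through it with `curl --version | curl_link_check`.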

yum install libcurl

---> Package libssh2-devel.x86_64 0:1.8.0-7.0.cf.rhel6 will be installed
--> Finished Dependency Resolution
Error: Package: libcurl-7.60.0-1.0.cf.rhel6.x86_64 (city-fan.org)
           Requires: libcrypto.so.10(OPENSSL_1.0.1)(64bit)
Error: Package: libcurl-7.60.0-1.0.cf.rhel6.x86_64 (city-fan.org)
           Requires: libcrypto.so.10(libcrypto.so.10)(64bit)
Error: Package: libcurl-7.60.0-1.0.cf.rhel6.x86_64 (city-fan.org)
           Requires: libssl.so.10(libssl.so.10)(64bit)
Error: Package: libssh2-1.8.0-7.0.cf.rhel6.x86_64 (city-fan.org)
           Requires: libcrypto.so.10(libcrypto.so.10)(64bit)
Error: Package: curl-7.60.0-1.0.cf.rhel6.x86_64 (city-fan.org)
           Requires: libcrypto.so.10(libcrypto.so.10)(64bit)

What's wrong?

Not sure - looks like you are failing dependency resolution for OpenSSL 1.0.1 but I'm not sure why yum can't find a repo for that - isn't it part of the RHEL base? Maybe somebody else can clarify that?
