[CentOS] Apache/PHP Installation - opinions
Alice Wonder
alice at domblogger.net
Wed Apr 27 07:50:26 UTC 2016
On 04/27/2016 12:41 AM, Alice Wonder wrote:
> On 04/27/2016 12:30 AM, James Hogarth wrote:
> *snip*
>>
>> Unless you have a very specific requirement for a very bleeding edge
>> feature it's fundamentally a terrible idea to move away from the
>> distribution packages in something as exposed as a webserver ...
>
> I used to believe that.
>
> However, I no longer do.
>
> First of all, advancements in TLS happen too quickly.
>
> The RHEL philosophy of keeping API stability for as long as the release
> is supported means you end up running old protocols and old cipher
> suites and don't have the new protocols and cipher suites available.
>
> That's a problem.
>
> With respect to Apache and PHP -
>
> There is a lot of benefit to HTTP/2 but you can't get that with the
> stock Apache in RHEL / CentOS 7. You just can't.
>
> The PHP in stock RHEL / CentOS is so old that web application developers
> largely are not even using it anymore, resulting in some web
> applications that just simply don't work unless you update the PHP to
> something more modern.
>
> It's a nice idealistic philosophy to want to keep the same versions and
> backport security fixes and keep everything API compatible but in real
> world practice, it makes your server stale.
Another example outside of LAMP
Postfix -
The postfix that ships with CentOS 7 does not have the ability to
enforce DANE.
If you are not sure what that is -
On my DNS server, I can (and do) post a fingerprint of the TLS keys used
by my smtp server.
When other mail servers want to send an e-mail to my server, they can do
a DNS query and if I have a DANE record, then they can require that the
TLS connection they make to my SMTP server uses a certificate with a
fingerprint that matches.
That is the only reliable way to avoid MITM with SMTP.
It's easy to set up in postfix -
# DANE is only enforced when the security level is set to dane; the two lookup settings below make the DNSSEC-validated TLSA lookup possible
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
smtp_host_lookup = dns
But with the postfix that comes with CentOS 7 - it is too old for that,
so Postfix with CentOS 7 will never even try to verify the TLS
certificate of the servers it connects to.
It's a stale version of postfix and people running postfix on CentOS 7
should use a newer version.
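As an added illustration (not code from this post or from Postfix), here is the matching step a DANE-aware MTA performs once it has a DNSSEC-validated TLSA RRset for the peer's MX host: hash the selected part of the presented certificate and compare it with the published record. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins, and the verdict labels are my own names for the RFC 7672 outcomes.

```python
import hashlib

# Constructed stand-ins for what a connecting MTA sees in the TLS handshake:
# the DER-encoded leaf certificate and its SubjectPublicKeyInfo. Real values
# would come from the handshake; these bytes are not a real certificate or key.
PEER_CERT_DER = b"constructed DER certificate bytes"
PEER_SPKI_DER = b"constructed DER SubjectPublicKeyInfo bytes"

def tlsa_rdata_for_spki(spki_der: bytes) -> str:
    """Presentation form of the '3 1 1' record an operator publishes:
    DANE-EE usage, SubjectPublicKeyInfo selector, SHA-256 matching type."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()

def parse_tlsa(rdata: str):
    """Split zone-file TLSA rdata into (usage, selector, matching, data)."""
    usage, selector, matching, hexdata = rdata.split(None, 3)
    return int(usage), int(selector), int(matching), bytes.fromhex(hexdata.replace(" ", ""))

def tlsa_matches(rdata: str, cert_der: bytes, spki_der: bytes):
    """None if the record is unusable for this check, else whether it matches.
    Only DANE-EE (usage 3) is handled; usage 2 (DANE-TA) needs chain building."""
    usage, selector, matching, data = parse_tlsa(rdata)
    if usage != 3:
        return None
    selected = {0: cert_der, 1: spki_der}.get(selector)  # 0 = full cert, 1 = SPKI
    if selected is None:
        return None
    if matching == 0:   # exact data
        return selected == data
    if matching == 1:   # SHA-256
        return hashlib.sha256(selected).digest() == data
    if matching == 2:   # SHA-512
        return hashlib.sha512(selected).digest() == data
    return None

def dane_verdict(tlsa_rdatas, cert_der: bytes, spki_der: bytes) -> str:
    """Outcome for a DNSSEC-validated TLSA RRset (RFC 7672 semantics):
    'no-records' -> nothing to enforce; 'unusable' -> encrypt but cannot
    authenticate; 'verified' -> a usable record matched; 'fail' -> usable
    records exist and none matched, so the connection must be refused."""
    if not tlsa_rdatas:
        return "no-records"
    results = [tlsa_matches(r, cert_der, spki_der) for r in tlsa_rdatas]
    usable = [r for r in results if r is not None]
    if not usable:
        return "unusable"
    return "verified" if any(usable) else "fail"
```

A stale MTA that never performs this step, or one that skips it when the DNS answer is not DNSSEC-signed, has no way to notice a substituted certificate.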