[CentOS] Apache/PHP Installation - opinions

Wed Apr 27 07:50:26 UTC 2016
Alice Wonder <alice at domblogger.net>

On 04/27/2016 12:41 AM, Alice Wonder wrote:
> On 04/27/2016 12:30 AM, James Hogarth wrote:
> *snip*
>>
>> Unless you have a very specific requirement for a very bleeding edge
>> feature it's fundamentally a terrible idea to move away from the
>> distribution packages in something as exposed as a webserver ...
>
> I used to believe that.
>
> However I no longer.
>
> First of all, advancements in TLS happen too quickly.
>
> The RHEL philosophy of keeping API stability for as long as the release
> is supported means you end up running old protocols and old cipher
> suites and don't have the new protocols and cipher suites available.
>
> That's a problem.
>
> With respect to Apache and PHP -
>
> There is a lot of benefit to HTTP/2 but you can't get that with the
> stock Apache in RHEL / CentOS 7. You just can't.
>
> The PHP in stock RHEL / CentOS is so old that web application developers
> largely are not even using it anymore, resulting in some web
> applications that just simply don't work unless you update the PHP to
> something more modern.
>
> It's a nice idealistic philosophy to want to keep the same versions and
> backport security fixes and keep everything API compatible but in real
> world practice, it makes your server stale.

Another example outside of LAMP

Postfix -

The postfix that ships with CentOS 7 does not have the ability to 
enforce DANE.

If you are not sure what that is -

On my DNS server, I can (and do) post a fingerprint of the TLS keys used
by my smtp server.

When other mail servers want to send an e-mail to my server, they can do
a DNS query and if I have a DANE record, then they can require that the
TLS connection they make to my SMTP server uses a certificate with a
fingerprint that matches.

That is the only reliable way to avoid MITM with SMTP.

It's easy to set up in postfix -

smtp_dns_support_level = dnssec
smtp_host_lookup = dns
# DANE verification itself is enabled by this setting (Postfix 2.11 or later):
smtp_tls_security_level = dane

But with the postfix that comes with CentOS 7 - it is too old for that, 
so Postfix with CentOS 7 will never even try to verify the TLS 
certificate of the servers it connects to.

It's a stale version of postfix and people running postfix on CentOS 7 
should use a newer version.
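To make the matching step concrete, here is an added example (my own, not code from the list post or from Postfix) of what a DANE-capable SMTP client does with the published fingerprint: it parses the TLSA record, computes the same digest over the certificate (or its public key) the server presents, and decides whether the connection is authenticated, merely encrypted, opportunistic, or must be refused. The certificate blobs are constructed placeholder byte strings standing in for DER, the host name mail.example.test is made up, and the verdict names follow the behaviour Postfix documents for smtp_tls_security_level = dane.

```python
"""DANE/TLSA matching for SMTP (RFC 6698 record format, RFC 7672 usage rules).

Constructed example: the "certificates" below are placeholder byte strings
standing in for DER-encoded X.509 certificates and their SubjectPublicKeyInfo;
a real client would extract the SPKI from the parsed certificate.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Placeholder DER blobs (constructed; not real certificates).
LEAF_CERT_DER = b"-- constructed DER of mail.example.test leaf certificate --"
LEAF_SPKI_DER = b"-- constructed SubjectPublicKeyInfo of the leaf --"
ISSUER_CERT_DER = b"-- constructed DER of the issuing CA certificate --"
ISSUER_SPKI_DER = b"-- constructed SubjectPublicKeyInfo of the issuer --"
CHAIN: List[Tuple[bytes, bytes]] = [(LEAF_CERT_DER, LEAF_SPKI_DER),
                                     (ISSUER_CERT_DER, ISSUER_SPKI_DER)]

# The TLSA record the domain owner would publish at _25._tcp.mail.example.test:
# usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256).
SAMPLE_TLSA = "3 1 1 " + hashlib.sha256(LEAF_SPKI_DER).hexdigest()


@dataclass(frozen=True)
class TLSA:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int  # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes         # certificate association data


def parse_tlsa(presentation: str) -> TLSA:
    """Parse the zone-file form 'usage selector mtype hex...' (RFC 6698 2.2)."""
    usage, selector, mtype, *hexparts = presentation.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))


def association_data(selector: int, matching_type: int,
                     cert_der: bytes, spki_der: bytes) -> Optional[bytes]:
    """What the record's data field must contain for this certificate,
    or None when the selector/matching type is one we do not implement."""
    selected = {0: cert_der, 1: spki_der}.get(selector)
    if selected is None:
        return None
    if matching_type == 0:
        return selected
    if matching_type == 1:
        return hashlib.sha256(selected).digest()
    if matching_type == 2:
        return hashlib.sha512(selected).digest()
    return None


def usable_for_smtp(record: TLSA) -> bool:
    """RFC 7672 3.1.3: only DANE-TA(2) and DANE-EE(3) are usable for SMTP;
    the PKIX usages 0 and 1 and unknown parameters are ignored."""
    return (record.usage in (2, 3) and record.selector in (0, 1)
            and record.matching_type in (0, 1, 2))


def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    expected = association_data(record.selector, record.matching_type, cert_der, spki_der)
    return expected is not None and expected == record.data


def dane_verdict(records: Sequence[TLSA], dnssec_validated: bool,
                 chain: Sequence[Tuple[bytes, bytes]]) -> Tuple[str, str]:
    """How the SMTP client should treat the connection (chain[0] is the leaf):
      opportunistic - TLSA data not DNSSEC-validated: no authentication possible
      encrypt       - RRset validated but no usable records: TLS required, unauthenticated
      authenticated - a usable record matches the presented chain
      reject        - usable records exist but none match: do not deliver
    """
    if not dnssec_validated:
        return "opportunistic", "TLSA lookup was not DNSSEC-secured; records must be ignored"
    usable = [r for r in records if usable_for_smtp(r)]
    if not usable:
        return "encrypt", "no usable TLSA records"
    if not chain:
        return "reject", "server presented no certificate"
    leaf_cert, leaf_spki = chain[0]
    for r in usable:
        if r.usage == 3 and tlsa_matches(r, leaf_cert, leaf_spki):
            return "authenticated", "DANE-EE record matches the server certificate"
        # DANE-TA: any certificate above the leaf may be the pinned trust anchor.
        # (Simplified: a real client also checks that the anchor signs the leaf.)
        if r.usage == 2 and any(tlsa_matches(r, c, s) for c, s in chain[1:]):
            return "authenticated", "DANE-TA record matches an issuer in the chain"
    return "reject", "usable TLSA records present but none match: refuse delivery"


if __name__ == "__main__":
    record = parse_tlsa(SAMPLE_TLSA)
    print(dane_verdict([record], True, CHAIN))
    # A different certificate presented by an interposed host does not match.
    other = [(b"-- constructed DER of some other certificate --", b"-- other SPKI --")]
    print(dane_verdict([record], True, other))
    # Without DNSSEC validation the record cannot be trusted at all.
    print(dane_verdict([record], False, CHAIN))
```

The third case is the one the post is about: a client that does not validate DNSSEC (or that predates DANE support) never gets past "opportunistic", so a substituted certificate is accepted silently; only the "reject" branch turns a mismatch into a refused delivery.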