CentOS - Oct 2021 - Version of curl does not support session resumption

Hi,

we have a CentOS7 Server running that pushes some Backups via FTP onto another
server. We switches the FTP-Server for a new one that works very well. One new
thing is that FTPS session resumption is now mandetory and cannot be turned off
since it is an important security feature.

Unfortunately the version of curl on the system does not yet support it. This is
the version installed on the system:
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.53.1 zlib/1.2.7
libidn/1.28 libssh2/1.8.0

I have discussed this on the curl mailing list and they said the version is from
2013 and we should update to a new version of curl.

Is curl going to be updated to support ftps session resumption in the near
future? If not: What would be the best way to get a newer version onto the
system?


Kind Regards
Joscha

On Thu, 28 Oct 2021 at 10:28, Joscha Knobloch <Joscha.Knobloch at brm.de>
wrote:
>
> Hi,
>
> we have a CentOS7 Server running that pushes some Backups via FTP onto
another server. We switches the FTP-Server for a new one that works very well.
One new thing is that FTPS session resumption is now mandetory and cannot be
turned off since it is an important security feature.
>
> Unfortunately the version of curl on the system does not yet support it.
This is the version installed on the system:
> curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.53.1 zlib/1.2.7
libidn/1.28 libssh2/1.8.0
>
> I have discussed this on the curl mailing list and they said the version is
from 2013 and we should update to a new version of curl.
>
> Is curl going to be updated to support ftps session resumption in the near
future? If not: What would be the best way to get a newer version onto the
system?
Enterprise Linux and other Long Time Support distributions are usually
very strict on updating packages which are in scripts. CentOS-7 is
based on Red Hat Enterprise Linux 7 which was released in 2014 and had
its last package set updated in 2020 with the release of 7.9. All
changes til its end of life in 2024 will be security fixes or other
critical fixes.

Normally to get a newer package like this you will want to compile the
version you want in /usr/local/ or some /opt/ tree directory to a)
make sure it doesn't break existing tools but b) is available for
scripts.



-- 
Stephen J Smoogen.
I've seen things you people wouldn't believe. Flame wars in
sci.astro.orion. I have seen SPAM filters overload because of Godwin's
Law. All those moments will be lost in time... like posts on a BBS...
time to shutdown -h now.

Hello Joscha,

Am 2021-10-28 16:30, schrieb Joscha Knobloch:
> 
> Is curl going to be updated to support ftps session resumption in the
> near future? If not: What would be the best way to get a newer version
> onto the system?
the point of RHEL / CentOS is to provide stability, so packages are 
generally
not updated to newer versions. So cURL for CentOS 7 will remain as is.

It's fairly simple to build yourself a newer cURL binary though:

$ wget 
https://github.com/curl/curl/releases/download/curl-7_79_1/curl-7.79.1.tar.gz
$ tar xzf curl-7.79.1.tar.gz
$ cd curl-7.79.1
$ ./configure --with-openssl
$ make
$ src/curl -V
curl 7.79.1 (x86_64-pc-linux-gnu) libcurl/7.79.1 OpenSSL/1.0.2k-fips 
zlib/1.2.7 zstd/1.5.0 libidn2/2.3.0 OpenLDAP/2.4.44
Release-Date: 2021-09-22
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap 
ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS HSTS HTTPS-proxy IDN IPv6 Largefile libz 
NTLM NTLM_WB SSL UnixSockets zstd

You can use a packager such as togo to roll your own RPM:
https://github.com/genereese/togo

Alternatively, you can just put the new binary into /usr/local/bin, 
update
your scripts to use that curl instead of the one in /usr/bin and call it 
a day.

Remember though, using your own cURL means you will no longer get 
security updates,
so you may want to subscribe to their mailing-list to get notified when 
an update
is recommended.

Kind regards,
   Steve