Tag Archives: centos

Python 2.7 for CentOS 6

This posting is ~7 years old. You should keep this in mind. IT is a short-lived business. This information might be outdated.

By default, CentOS 6 comes with Python 2.6. This is a bit outdated, especially when you take into account that Python 2.7.11, the latest Python 2 release, was released in December 2015. If you are new to Python, you will usually start with Python 3. Currently, Python 3.5.1 is the latest Python 3 release. So, Python 2.6 is REALLY old.

Okay, I could use another distro. Ehm… no. CentOS is the open-source version of Red Hat Enterprise Linux (RHEL). It was, and it is, designed to be similar to RHEL. CentOS runs only the most stable versions of packaged software. This greatly reduces the risk of crashes and errors. The downside is… Python 2.6. Or Apache 2.2. Or MySQL 5.1. Switching to CentOS 7 is difficult, because there is no in-place upgrade.

Python 2.7 for CentOS 6

In my case, I needed Python 2.7. Fortunately, this package is offered by the Software Collections (SCL) repository. You can install Python 2.7 with two commands.

yum install centos-release-SCL
yum install python27 python27-python-devel python27-python-setuptools python27-python-tools python27-python-virtualenv

After the successful installation of the packages, you can find the files under /opt/rh/python27. The next step is to create a Python configuration file under /etc/ld.so.conf.d (python27.conf in the commands below) and run ldconfig afterwards.

echo "/opt/rh/python27/root/usr/lib64" > /etc/ld.so.conf.d/python27.conf
cat /etc/ld.so.conf.d/python27.conf
ldconfig

The last step is to create a symlink for the Python 2.7 binary.

ln -s /opt/rh/python27/root/usr/bin/python2.7 /usr/bin/python2.7

If you want to use Let’s Encrypt with CentOS 6, make sure to use Python 2.7.

Stunnel refuses to work after update

This posting is ~8 years old. You should keep this in mind. IT is a short-lived business. This information might be outdated.

Yesterday I updated a CentOS 6.6 VM with a simple yum update. A couple of packages were updated and, to be honest, I haven’t checked which packages were updated. Today I noticed that an application that uses a secure tunnel to connect to another application doesn’t work. While browsing through the log files, I found this message from Stunnel.

LOG3[1145:140388919940864]: SSL_accept: 14076129: error:14076129:SSL routines:SSL23_GET_CLIENT_HELLO:only tls allowed in fips mode

I raised the debug level and restarted Stunnel. Right after the restart, I found this in the logs.

LOG5[1385:140679985747904]: stunnel is in FIPS mode
LOG5[1385:140679985747904]: stunnel 4.29 on x86_64-redhat-linux-gnu with OpenSSL 1.0.1e-fips 11 Feb 2013

So Stunnel was working in FIPS mode. But what is FIPS and why is Stunnel using it? I recommend reading the Wikipedia article about the Federal Information Processing Standards (FIPS). To be precise, Stunnel follows FIPS 140-2. My stunnel.conf is really simple and there’s nothing configured that is, or might be, related to FIPS. A short search with man -K fips led me to the stunnel man page.

 fips = yes | no
           Enable or disable FIPS 140-2 mode.

           This option allows to disable entering FIPS mode if stunnel was compiled with FIPS 140-2 support.

           default: yes

This explains a lot. FIPS is enabled by default with this version. So it was enabled with the updated Stunnel version. With FIPS enabled, only TLS can be used. More interesting: FIPS is disabled by default beginning with version 5.0. But I’m running version 4.29. So I had two options to get rid of this error:

  • Disable FIPS
  • Enable TLS

To disable FIPS, you have to add the following line to the stunnel.conf on the server-side:

fips = no

You can have FIPS enabled when you enforce the use of TLS. In my case, I added the following line on the server- and client-side:

sslVersion = TLSv1

After a restart of Stunnel on the server-side, the connection began to work again.
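
The log messages and the two remedies from the post above, turned into a small check (an added example, not part of the original post): it scans a stunnel log for the FIPS messages and reports whether stunnel.conf already contains fips = no or a TLS sslVersion. The sample log and configuration are constructed, the function names are hypothetical, and treating options set before the first [section] as defaults for all services is an assumption about the configuration format.

```python
import re

# Constructed inputs: two log lines quoted in the post and a minimal stunnel.conf.
SAMPLE_LOG = """\
LOG3[1145:140388919940864]: SSL_accept: 14076129: error:14076129:SSL routines:SSL23_GET_CLIENT_HELLO:only tls allowed in fips mode
LOG5[1385:140679985747904]: stunnel is in FIPS mode
"""
SAMPLE_CONF = """\
; constructed example configuration
[app]
accept = 8443
connect = 127.0.0.1:8080
"""
# search() instead of match() so a syslog/timestamp prefix does not break parsing
LOG_RE = re.compile(r"LOG\d\[\d+:\d+\]: (.*)$")

def scan_log(text):
    """Count the FIPS-related messages in a stunnel log."""
    out = {"fips_mode": False, "rejected": 0}
    for line in text.splitlines():
        m = LOG_RE.search(line.strip())
        msg = m.group(1) if m else ""
        if msg == "stunnel is in FIPS mode":
            out["fips_mode"] = True
        elif "only tls allowed in fips mode" in msg:
            out["rejected"] += 1
    return out

def read_conf(text):
    """Parse stunnel.conf into {section: {option: value}}; "" holds global options."""
    conf, section = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
        elif "=" in line and line[0] not in ";#":  # comment lines are skipped
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()] = value.strip()
    return conf

def diagnose(log_text, conf_text):
    """Report the symptom and which of the post's two remedies are configured."""
    log, conf = scan_log(log_text), read_conf(conf_text)
    default_ver = conf[""].get("sslversion", "")  # assumed default for all services
    unpinned = [name for name, opts in conf.items() if name
                and not opts.get("sslversion", default_ver).upper().startswith("TLS")]
    return {"fips_rejections": log["rejected"] if log["fips_mode"] else 0,
            "fips_disabled": conf[""].get("fips", "").lower() == "no",
            "services_without_tls": unpinned}
```

Run diagnose() on the real log and configuration from both the server and the client side, since the post applies the sslVersion line on both ends.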