Despite advancements, some people continue using outdated operating systems. In the security industry, it's common to encounter clients who rely on legacy systems, making it essential to ensure software compatibility with these older environments. Recently, the need to test a Python script on CentOS 7 highlighted the challenges of working with discontinued systems.
Locating a CentOS 7 ISO should be straightforward, but with Red Hat discontinuing CentOS, official download links are no longer functional. Fortunately, an ISO was found on CentOS Buildlogs, allowing for the setup of a minimal CentOS 7 VM.
Once CentOS 7 is up and running, the task of installing Python 3 reveals more complex issues.
CentOS 7 is no longer supported, and as a result, the yum package manager couldn't locate the necessary mirror list because the site http://mirrorlist.centos.org is no longer available.
Although the required packages are still hosted at vault.centos.org, CentOS 7’s outdated SSL libraries are incompatible with the vault's TLS requirements, preventing a direct connection.
To circumvent this issue, a reverse proxy was established using HAProxy on a separate machine to serve the packages over plain HTTP. The following HAProxy configuration was employed:

    frontend centos-vault-front
        mode http
        bind *:8180
        default_backend centos-vault-back

    backend centos-vault-back
        server vault vault.centos.org:443 ssl check verify none sni str(vault.centos.org)
        http-request set-header host vault.centos.org
        option tcp-check
        tcp-check connect

Key configuration points include:

- verify none to bypass SSL certificate verification.
- sni str(vault.centos.org) to ensure the correct hostname is specified in the TLS request, necessary because the vault server hosts multiple sites on the same IP.
- tcp-check avoids compatibility issues with the default HTTP check method.

With the proxy operational, yum was reconfigured on the CentOS 7 VM to utilize it. This required commenting out the mirrorlist and specifying the baseurl instead:

    sed -i 's|^mirrorlist=|#mirrorlist=|' /etc/yum.repos.d/*.repo
    sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://192.168.100.1:8180|' /etc/yum.repos.d/*.repo

Note: The IP address 192.168.100.1 should be replaced with the actual IP of the HAProxy machine.
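
Because the proxy uses verify none upstream and serves packages over plain HTTP, yum's GPG signature check is the control that still vouches for package integrity. The script below is an added example, not part of the original setup: it applies the two sed edits to a constructed sample stanza and audits the result. The function names (make_sample_repo, rewrite_repo, audit_repo) and the sample stanza are illustrative assumptions.

```shell
#!/bin/sh
# Added example. PROXY is the page's placeholder address for the HAProxy host.
PROXY="192.168.100.1:8180"

# Write a constructed stanza in the layout of a stock CentOS 7 repo file to $1.
make_sample_repo() {
    cat > "$1" <<'EOF'
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
EOF
}

# The page's two sed edits, applied to the single file $1.
rewrite_repo() {
    sed -i 's|^mirrorlist=|#mirrorlist=|' "$1"
    sed -i "s|#baseurl=http://mirror.centos.org|baseurl=http://$PROXY|" "$1"
}

# Return 0 only if $1 uses the proxy and still enforces package signatures.
audit_repo() {
    if grep -q '^mirrorlist=' "$1"; then
        echo "FAIL: active mirrorlist remains in $1"; return 1
    fi
    if ! grep -q "^baseurl=http://$PROXY/" "$1"; then
        echo "FAIL: no baseurl pointing at $PROXY in $1"; return 1
    fi
    # Conservative assumption: every stanza must set gpgcheck=1 itself,
    # rather than inheriting the default from [main] in /etc/yum.conf.
    awk '
        /^\[/ { if (sec != "" && !ok) bad = bad " " sec; sec = $0; ok = 0 }
        /^gpgcheck[ \t]*=[ \t]*1[ \t]*$/ { ok = 1 }
        END {
            if (sec != "" && !ok) bad = bad " " sec
            if (bad != "") { print "FAIL: gpgcheck not enabled in" bad; exit 1 }
        }
    ' "$1"
}

# Demo on a temporary copy; nothing under /etc is touched.
repo=$(mktemp)
make_sample_repo "$repo"
rewrite_repo "$repo"
audit_repo "$repo" && echo "OK: proxy baseurl set, gpgcheck still enforced"
rm -f "$repo"
```

On a real VM, audit_repo can be run over each file in /etc/yum.repos.d/ after the sed edits and before the first yum install.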
To ensure compatibility with secure web services, it's critical to upgrade ca-certificates, curl, openssl, and python. These updates address issues with outdated TLS protocols that would otherwise block access to many modern websites.
Navigating legacy systems like CentOS 7 can be challenging, but with the right strategies and tools, they can remain functional. The setup of a reverse proxy allowed continued access to essential packages, ensuring that software remains compatible across various environments.