Hi,
On 31/05/21 13:01, Michael McKenney wrote:
My WordPress servers are under constant attack. My Fortinet 60E
firewall logs are filled. OpenSSL is constantly reported on The
Hacker News and other sites. So I don't need to worry about
upgrading OpenSSL in the future to 1.1.1k or above? I can just use
what the distro has to offer by apt? Ubuntu 20.04 started with
1.1.1f. My Kali server is mainly used for Try Hack Me challenges
and learning cyber security.
If you use an LTS distro then you can trust the distro makers; if not,
then there are thousands of servers out there that are vulnerable ;)
I run several public WordPress sites on CentOS 7 and have locked them
down quite rigorously. I have not had any break-ins for the past 7 years
or so, whilst relying fully on the RH/CentOS-supplied OpenSSL library.
HTH,
JJK
*From:*Jan Just Keijser <janj...@nikhef.nl>
*Sent:* Monday, May 31, 2021 5:55 AM
*To:* Michael McKenney <mike.mcken...@scsiraidguru.com>;
openssl-users@openssl.org
*Subject:* Re: Why can't we get a proper installation method to keep
OpenSSL at the latest revision for Linux?
On 30/05/21 14:05, Michael McKenney wrote:
Why can't we get a proper installation method to keep OpenSSL at
the latest revision for Linux?
My biggest complaint with Linux is that it is so difficult to get best
practice installations for services like OpenSSL. Ubuntu is still
on 1.1.1f. I have been trying to upgrade to 1.1.1k. "openssl
version -a" states I am on 1.1.1k, while programs in WordPress that
use OpenSSL show I am using 1.1.1f. Spending hours of time on
various sites like AskUbuntu.com, only to be disappointed.
Microsoft has best practices guides for installations. Why can't
we get them for Linux?
This is both very hard and undesirable:
OpenSSL can be regarded as a low-level system library that is used by
many applications across the entire Linux distribution. You cannot
simply upgrade this low-level system library without breaking these
applications. Admittedly, for an upgrade from 1.1.1f -> 1.1.1k the
risk of introducing an API change is quite low, but for anything else
(e.g. 1.1.0x -> 1.1.1k) you will almost certainly have to rebuild and
relink all applications that depend on the OpenSSL libraries.
This is not something you can expect from the Linux distro
maintainers. For them, it is far less risky to backport security fixes
to the version of OpenSSL that they built their distro on (e.g. Ubuntu
20 -> 1.1.1f; CentOS 7 -> 1.0.2k (yes!), etc).
Note that most update woes that Windows 10 has had over the past few
years were related to library updates breaking applications, so even
Microsoft has problems with "best practices".
HTH,
JJK
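The symptom in the original question ("openssl version -a" says 1.1.1k while PHP/WordPress reports 1.1.1f) is the classic sign of a source-built OpenSSL installed under /usr/local next to the distro's libssl, with applications still loading the distro copy. The POSIX shell script below is an added example, not code from this thread or from the OpenSSL project; it checks which libssl a binary actually loads and shows how to read a Debian/Ubuntu package version so that a "1.1.1f" upstream string with a bumped distro revision is not mistaken for an unpatched library. It assumes a glibc-based Linux host with ldd; the php and apache2 binary names in check_binary are illustrative, the ldd and changelog samples are constructed, and the Ubuntu revision number in the sample is illustrative (the two CVE ids are the ones fixed upstream in 1.1.1k).

```shell
#!/bin/sh
# Added example, not from the thread. Checks which libssl an application
# really loads, and how to read a distro package version that carries
# backported fixes. Assumes glibc Linux with ldd; php/apache2 are illustrative.

# Print the resolved path of libssl from ldd-style output read on stdin.
libssl_path() {
    awk '$1 ~ /^libssl\.so/ && $2 == "=>" { print $3; exit }'
}

# Return 0 when a path lives in a distro-managed library directory,
# 1 otherwise (a plain `make install` of OpenSSL defaults to /usr/local/lib).
is_distro_path() {
    case "$1" in
        /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify ldd output on stdin: "distro", "self-built", or "static-or-none".
classify_ldd() {
    path=$(libssl_path)
    if [ -z "$path" ]; then
        echo "static-or-none"
    elif is_distro_path "$path"; then
        echo "distro"
    else
        echo "self-built"
    fi
}

# Split a Debian/Ubuntu package version into upstream part and distro
# revision, e.g. 1.1.1f-1ubuntu2.3 -> "1.1.1f 1ubuntu2.3". The upstream part
# stays fixed for the life of the release; security updates bump the revision.
split_deb_version() {
    printf '%s %s\n' "${1%%-*}" "${1#*-}"
}

# Return 0 if the changelog text on stdin mentions the given CVE id.
# Live use: apt-get changelog libssl1.1 | changelog_fixes_cve CVE-2021-3449
changelog_fixes_cve() {
    grep -q -- "$1"
}

# Live check on the real host, e.g. check_binary php; check_binary apache2
check_binary() {
    bin=$(command -v "$1") || { echo "$1: not found"; return 1; }
    printf '%s: ' "$bin"
    ldd "$bin" | classify_ldd
}

# --- constructed sample data, not captured from a real host ---
SAMPLE_DISTRO='linux-vdso.so.1 (0x00007ffd1a7d9000)
    libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f3a5c0b0000)
    libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f3a5bdd0000)'

SAMPLE_SELFBUILT='linux-vdso.so.1 (0x00007ffd1a7d9000)
    libssl.so.1.1 => /usr/local/lib/libssl.so.1.1 (0x00007f3a5c0b0000)
    libcrypto.so.1.1 => /usr/local/lib/libcrypto.so.1.1 (0x00007f3a5bdd0000)'

# Constructed changelog stanza: the Ubuntu revision number is illustrative,
# the CVE ids are the two fixed upstream in OpenSSL 1.1.1k.
SAMPLE_CHANGELOG='openssl (1.1.1f-1ubuntu2.3) focal-security; urgency=medium
  * SECURITY UPDATE: NULL pointer dereference in signature_algorithms processing
    - CVE-2021-3449
  * SECURITY UPDATE: X509_V_FLAG_X509_STRICT verification bypass
    - CVE-2021-3450'

# Demonstration on the constructed samples: prints "distro", then "self-built".
printf '%s\n' "$SAMPLE_DISTRO" | classify_ldd
printf '%s\n' "$SAMPLE_SELFBUILT" | classify_ldd
```

On the host itself, run check_binary against the PHP and web-server binaries (or `php -r 'echo OPENSSL_VERSION_TEXT, PHP_EOL;'` for the library PHP really initialised), and compare against `dpkg -s libssl1.1 | grep '^Version:'`. If a binary shows "self-built", the /usr/local copy is shadowing the distro library for that program only, which is exactly the inconsistent picture the original poster saw; if everything shows "distro", the CVE names in the package changelog, not the upstream version string, are what tell you whether the fix is present.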