Why can't we get a proper installation method to keep OpenSSL at the latest revision for Linux?
Jan Just Keijser
janjust at nikhef.nl
Mon May 31 12:45:10 UTC 2021
Hi,
On 31/05/21 13:01, Michael McKenney wrote:
>
> My wordpress servers are under constant attack. My Fortinet 60E
> firewall logs are filled. Openssl is constantly reported on The
> Hacker News and other sites. So I don’t need to worry about
> upgrading OpenSSL in the future to 1.1.1k or above? I can just use
> what the distro has to offer by apt? Ubuntu 20.04 started with
> 1.1.1f. My Kali server is mainly used for Try Hack Me challenges
> and to learn cyber security.
>
if you use an LTS distro then you can trust the distro makers - if not,
then there are thousands of servers out there that are vulnerable ;)
I run several public Wordpress sites on CentOS 7 and have locked them
down quite rigorously - I have not had any break-ins for the past 7 years
or so, whilst relying fully on the RH/CentOS-supplied openssl library.
HTH,
JJK
> *From:*Jan Just Keijser <janjust at nikhef.nl>
> *Sent:* Monday, May 31, 2021 5:55 AM
> *To:* Michael McKenney <mike.mckenney at scsiraidguru.com>;
> openssl-users at openssl.org
> *Subject:* Re: Why can't we get a proper installation method to keep
> OpenSSL at the latest revision for Linux?
>
> On 30/05/21 14:05, Michael McKenney wrote:
>
> Why can't we get a proper installation method to keep OpenSSL at
> the latest revision for Linux?
>
> My biggest complaint with Linux is it is so difficult to get best
> practice installations for services like OpenSSL. Ubuntu is still
> on 1.1.1f. I have been trying to upgrade to 1.1.1k. Openssl
> version -a states I am on 1.1.1k, while programs in Wordpress that
> use OpenSSL show I am using 1.1.1f. Spending hours of time on
> various sites like AskUbuntu.com, only to be disappointed.
> Microsoft has best practices guides for installations. Why can't
> we get them for Linux?
>
> this is both very hard and undesirable:
> openssl can be regarded as a low-level system library that is used by
> many applications across the entire Linux distribution. You cannot
> simply upgrade this low-level system library without breaking these
> applications. Admittedly, for an upgrade from 1.1.1f -> 1.1.1k the
> risk of introducing an API change is quite low, but for anything else
> (e.g. 1.1.0x -> 1.1.1k) you will almost certainly have to rebuild and
> relink all applications that depend on the OpenSSL libraries.
> This is not something you can expect from the Linux distro
> maintainers. For them, it is far less risky to backport security fixes
> to the version of OpenSSL that they built their distro on (e.g. Ubuntu
> 20 -> 1.1.1f; CentOS 7 -> 1.0.2k (yes!), etc.).
>
> Note that most update woes that Windows 10 has had over the past few
> years were related to library updates breaking applications - so even
> Microsoft has problems with "best practices".
>
> HTH,
>
> JJK
>
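The two questions this thread turns on - which libssl a program really loads (a hand-built openssl CLI and a distro-built PHP/Wordpress stack can legitimately differ), and whether a distro package whose version string stays at 1.1.1f nonetheless carries a backported fix - can both be answered from a shell. The script below is an added example and is not part of the thread or of any OpenSSL or Ubuntu tooling. It assumes Debian/Ubuntu conventions (ldd, the libssl1.1 package, its changelog under /usr/share/doc), and the changelog excerpt embedded in it is constructed for illustration, not copied from a real package.

```shell
#!/bin/sh
# Added example, not from the thread. Checks:
#  1. which libssl a given binary resolves at load time, and
#  2. whether a changelog (the distro's record of backported fixes) mentions a
#     CVE id, since a backport does not bump the upstream version string.
# Assumptions: ldd/awk/grep/zcat present; Debian-style changelog path; the
# SAMPLE_CHANGELOG below is constructed for illustration only.

# Print the libssl shared object that a dynamically linked binary resolves.
libssl_for() {
    ldd "$1" 2>/dev/null | awk '/libssl/ { print $3; exit }'
}

# Reduce "OpenSSL 1.1.1f  31 Mar 2020" (the `openssl version` format) to "1.1.1f".
openssl_ver() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }'
}

# Succeed when two `openssl version` strings name the same upstream release.
same_release() {
    [ -n "$(openssl_ver "$1")" ] && [ "$(openssl_ver "$1")" = "$(openssl_ver "$2")" ]
}

# Succeed when the changelog on stdin mentions the given CVE id.
changelog_mentions() {
    grep -q -F -- "$1"
}

# Constructed Debian-style changelog excerpt (illustration only, not real Ubuntu data).
SAMPLE_CHANGELOG='openssl (1.1.1f-1ubuntu2.3) focal-security; urgency=medium

  * SECURITY UPDATE: NULL pointer dereference in signature_algorithms processing
    - CVE-2021-3449

openssl (1.1.1f-1ubuntu2) focal; urgency=medium

  * Initial release'

main() {
    cli=$(command -v openssl 2>/dev/null)
    if [ -n "$cli" ]; then
        echo "CLI binary:      $cli (loads: $(libssl_for "$cli"))"
        echo "CLI reports:     $("$cli" version)"
    else
        echo "no openssl CLI in PATH"
    fi
    php=$(command -v php 2>/dev/null)
    if [ -n "$php" ]; then
        # OPENSSL_VERSION_TEXT is the header version PHP was compiled against,
        # so it tracks the distro's libssl, not a separately installed CLI.
        echo "PHP binary:      $php (loads: $(libssl_for "$php"))"
        echo "PHP built with:  $("$php" -r 'echo OPENSSL_VERSION_TEXT, PHP_EOL;' 2>/dev/null)"
    fi
    # Installed package changelog on Debian/Ubuntu (assumed path).
    cl=/usr/share/doc/libssl1.1/changelog.Debian.gz
    if [ -r "$cl" ]; then
        zcat "$cl" | changelog_mentions CVE-2021-3449 && \
            echo "installed libssl1.1 changelog lists CVE-2021-3449"
    fi
    # The same check against the constructed excerpt: one CVE backported, one not.
    for cve in CVE-2021-3449 CVE-2021-3450; do
        if printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_mentions "$cve"; then
            echo "sample changelog: $cve backported"
        else
            echo "sample changelog: $cve not mentioned"
        fi
    done
}

main "$@"
```

If the CLI and PHP lines show different libssl paths (for instance /usr/local/lib versus /usr/lib/x86_64-linux-gnu), that is the situation described in the thread: the hand-built 1.1.1k is only used by the hand-built binary, and the web stack still loads the distro library. Whether that distro library is exposed to a given issue is then a question for the package changelog, not for its version string.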