<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi,<br>
<br>
On 31/05/21 13:01, Michael McKenney wrote:<br>
</div>
<blockquote type="cite"
cite="mid:DM5PR1801MB20749717C9C90285821B22998C3F9@DM5PR1801MB2074.namprd18.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:windowtext">My WordPress
servers are under constant attack. My Fortinet 60E firewall
logs are filled. OpenSSL is constantly reported on The
Hacker News and other sites. So I don’t need to worry
about upgrading OpenSSL in the future to 1.1.1k or above?
I can just use what the distro has to offer by apt? Ubuntu
20.04 started with 1.1.1f. My Kali server is mainly used
for Try Hack Me challenges and learning cyber security.
</span></p>
</div>
</blockquote>
<br>
If you use an LTS distro then you can trust the distro makers - if
not, then there are thousands of servers out there that are
vulnerable ;)<br>
<br>
I run several public WordPress sites on CentOS 7 and have locked
them down quite rigorously - I have not had any break-ins for the
past 7 years or so, whilst relying fully on the RH/CentOS-supplied
openssl library.<br>
<br>
HTH,<br>
<br>
JJK<br>
<br>
<blockquote type="cite"
cite="mid:DM5PR1801MB20749717C9C90285821B22998C3F9@DM5PR1801MB2074.namprd18.prod.outlook.com">
<div class="WordSection1">
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:windowtext">From:</span></b><span
style="color:windowtext"> Jan Just Keijser
<a class="moz-txt-link-rfc2396E" href="mailto:janjust@nikhef.nl"><janjust@nikhef.nl></a>
<br>
<b>Sent:</b> Monday, May 31, 2021 5:55 AM<br>
<b>To:</b> Michael McKenney
<a class="moz-txt-link-rfc2396E" href="mailto:mike.mckenney@scsiraidguru.com"><mike.mckenney@scsiraidguru.com></a>;
<a class="moz-txt-link-abbreviated" href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a><br>
<b>Subject:</b> Re: Why can't we get a proper
installation method to keep OpenSSL at the latest
revision for Linux?<o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal">On 30/05/21 14:05, Michael McKenney
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Why can't we get a proper installation
method to keep OpenSSL at the latest revision for Linux?<br>
<br>
My biggest complaint with Linux is it is so difficult to get
best practice installations for services like OpenSSL.
Ubuntu is still on 1.1.1f. I have been trying to upgrade
to 1.1.1k. openssl version -a states I am on 1.1.1k,
when programs in WordPress that use OpenSSL show I am using
1.1.1f. Spending hours of time on various sites like
AskUbuntu.com, only to be disappointed. Microsoft has best
practices guides for installations. Why can’t we get them
for Linux?
</p>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt">This is both
very hard and undesirable:
<br>
openssl can be regarded as a low-level system library that is
used by many applications across the entire Linux
distribution. You cannot simply upgrade this low-level system
library without breaking these applications. Admittedly, for
an upgrade from 1.1.1f -> 1.1.1k the risk of introducing an
API change is quite low, but for anything else (e.g. 1.1.0x
-> 1.1.1k) you will almost certainly have to rebuild and
relink all applications that depend on the OpenSSL libraries.
<br>
This is not something you can expect from the Linux distro
maintainers. For them, it is far less risky to backport
security fixes to the version of OpenSSL that they built their
distro on (e.g. Ubuntu 20 -> 1.1.1f; CentOS 7 -> 1.0.2k
(yes!), etc.).<br>
<br>
Note that most update woes that Windows 10 has had over the
past few years were related to library updates breaking
applications - so even Microsoft has problems with "best
practices".<br>
<br>
HTH,<br>
<br>
JJK</p>
</div>
</blockquote>
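<p>The script below is an added example written for this thread; it is not code from any of the participants. It shows why <code>openssl version -a</code> can say 1.1.1k while WordPress reports 1.1.1f, as described above: the CLI reports the libcrypto it loads itself, whereas the PHP interpreter WordPress runs under may be linked against a different copy (typically the distro's in /usr/lib). The live check assumes ldd(1) and strings(1) are installed and that the binary to inspect is <code>php</code>; the version banners used to exercise the parsing and comparison functions are constructed sample strings.</p>

```shell
#!/bin/sh
# Added example (not from the thread): compare the OpenSSL version the "openssl"
# CLI reports with the libcrypto a given program actually loads.
# Assumes ldd(1) and strings(1) exist; the binary defaults to php (WordPress).

# "OpenSSL 1.1.1f  31 Mar 2020" -> "1.1.1f"; prints nothing if no banner matches.
openssl_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1
}

# "1.1.1f" -> "001.001.001.102": zero-padded numeric fields plus the ASCII code
# of the patch letter (0 when absent), so plain string order equals version order.
version_key() {
    v=$1
    num=${v%%[a-z]*}          # "1.1.1"
    letter=${v#"$num"}        # "f" or ""
    code=0
    if [ -n "$letter" ]; then
        code=$(printf '%d' "'$letter")
    fi
    old_ifs=$IFS; IFS=.; set -- $num; IFS=$old_ifs
    printf '%03d.%03d.%03d.%03d\n' "${1:-0}" "${2:-0}" "${3:-0}" "$code"
}

# Prints "older", "same" or "newer": how version $1 compares with version $2.
compare_versions() {
    ka=$(version_key "$1"); kb=$(version_key "$2")
    if [ "$ka" = "$kb" ]; then
        echo same
    elif [ "$(printf '%s\n%s\n' "$ka" "$kb" | sort | head -n 1)" = "$ka" ]; then
        echo older
    else
        echo newer
    fi
}

# $1: banner printed by "openssl version"; $2: banner embedded in the library the
# program loads. Prints a verdict; returns 0 when they agree, 1 on a mismatch,
# 2 when a banner could not be parsed.
check_match() {
    cli=$(openssl_version_from_banner "$1")
    lib=$(openssl_version_from_banner "$2")
    if [ -z "$cli" ] || [ -z "$lib" ]; then
        echo "could not parse an OpenSSL banner"
        return 2
    fi
    rel=$(compare_versions "$lib" "$cli")
    if [ "$rel" = same ]; then
        echo "ok: CLI and loaded library are both $cli"
        return 0
    fi
    echo "mismatch: 'openssl version' says $cli but the loaded library is $lib ($rel)"
    return 1
}

# Live check: resolve the libcrypto that the binary links and read the version
# banner compiled into it (the string OpenSSL_version() returns).
live_check() {
    bin=$(command -v "${1:-php}") || { echo "binary not found: ${1:-php}"; return 2; }
    lib=$(ldd "$bin" | awk '/libcrypto/ { print $3; exit }')
    if [ -z "$lib" ]; then
        echo "$bin does not link libcrypto dynamically (static build, or loaded via dlopen)"
        return 2
    fi
    lib_banner=$(strings -a "$lib" | grep '^OpenSSL [0-9]' | head -n 1)
    check_match "$(openssl version)" "$lib_banner"
}

# Usage: sh check_openssl.sh php      (or any other binary name/path)
if [ -n "$1" ]; then
    live_check "$1"
fi
```

<p>Two caveats when reading the result. A distro that backports fixes, as the reply explains, keeps the upstream banner at 1.1.1f, so the letter alone says nothing about which CVEs are fixed; on Ubuntu the package revision from <code>dpkg -s libssl1.1</code> and its <code>apt changelog libssl1.1</code> entries are what to compare against an advisory. And a second, hand-built OpenSSL in /usr/local is exactly how the CLI and the applications end up disagreeing, which is the risk the reply warns about.</p>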
<br>
</body>
</html>