How often is OpenSSL updated in cPanel?

dualmonitor

• October 09, 2013 16:24

When I run this at the command line: openssl version
I receive: OpenSSL 1.0.0-fips 29 Mar 2010
How often is openSSL updated in cPanel? I'd really like to be able to take advantage of TLS 1.1 and 1.2 so I can offer perfect forward secrecy to my sites' visitors.

• 

  ThinIce

  • October 10, 2013 07:53

  I don't think it is, openssl is that provided by your os [url=http://docs.cpanel.net/twiki/bin/view/AllDocumentation/WHMDocs/SslFaq#What%20is%20SNI%20support?]All Documentation You might want to take a look at [url=http://features.cpanel.net/responses/provide-openssl-101c-or-higher-as-cpanel-rpm-to-allow-tls-11-tls-12]Provide OpenSSL 1.0.1c or Higher as cPanel RPM, to allow TLS 1.1, TLS 1.2 | cPanel Feature Requests

  0
• 

  dualmonitor

  • October 10, 2013 17:17

  Hi ThinIce, yes, thanks for the link to the feature request. I voted for that about a month ago! :)

  0
• 

  cPanelMichael

  • October 14, 2013 16:00

  Hello :) Here is the comment by cPanelJamyn on that feature request that applies to this thread: [QUOTE]cPanel leverages your package management system (rpm) to install the openssl provided by your operating system. Security fixes are backported by your OS vendor (RedHat, CentOS). They typically pick a version they want to support (0.9.8 on CentOS 5 as an example) and then backport security fixes and occasionally features as needed. As a result, openssl 0.9.8e provided by your OS vendor is very different from the original 0.9.8e source - all known CVEs are regularly fixed in your OS version. All you have to do is run a non-EOL OS and keep it up to date, and you'll receive those fixes. This is why, when you tell a PCI compliance vendor that you're using openssl from your OS, and show them the CVEs have been patched with that version, they'll whitelist the the item as a false positive. You could easily check to see if a given vulnerability has been patched: rpm -q --changelog openssl | grep -iE 'security|cve|vuln'
  Thank you.

  0
• 

  dualmonitor

  • October 14, 2013 16:22

  Hi cpanelMichael, Thanks for the quick reply. Here's the output I see when I run that command: [QUOTE] - fix for CVE-2013-0169 - SSL/TLS CBC timing attack (#907589) - fix for CVE-2013-0166 - DoS in OCSP signatures checking (#908052) environment variable is set (fixes CVE-2012-4929 #857051) - fix for CVE-2012-2333 - improper checking for record length in DTLS (#820686) - properly initialize tkeylen in the CVE-2012-0884 fix - fix for CVE-2012-2110 - memory corruption in asn1_d2i_read_bio() (#814185) - fix for CVE-2012-0884 - MMA weakness in CMS and PKCS#7 code (#802725) - fix for CVE-2012-1165 - NULL read dereference on bad MIME headers (#802489) - fix for CVE-2011-4108 & CVE-2012-0050 - DTLS plaintext recovery vulnerability and additional DTLS fixes (#771770) - fix for CVE-2011-4576 - uninitialized SSL 3.0 padding (#771775) - fix for CVE-2011-4577 - possible DoS through malformed RFC 3779 data (#771778) - fix for CVE-2011-4619 - SGC restart DoS attack (#771780) - initialize the X509_STORE_CTX properly for CRL lookups - CVE-2011-3207 - fix OCSP stapling vulnerability - CVE-2011-0014 (#676063) - disable code for SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG - CVE-2010-3864 - fix race in extension parsing code - CVE-2010-3864 (#649304) - fix wrong ASN.1 definition of OriginatorInfo - CVE-2010-0742 (#598738) - fix information leak in rsa_verify_recover - CVE-2010-1633 (#598732) - fix CVE-2009-4355 - leak in applications incorrectly calling - fix CVE-2009-3555 - note that the fix is bypassed if SSL_OP_ALL is used - fix CVE-2009-1377 CVE-2009-1378 CVE-2009-1379 - update to new upstream release (minor bug fixes, security - fix CVE-2008-0891 - server name extension crash (#448492) - fix CVE-2008-1672 - server key exchange message omit crash (#448495) - fix CVE-2007-5135 - off-by-one in SSL_get_shared_ciphers (#309801) - fix CVE-2007-4995 - out of order DTLS fragments buffer overflow (#321191) - CVE-2007-3108 - fix side channel attack on private keys (#250577) - CVE-2006-2940 fix was incorrect (#208744) - fix CVE-2006-2937 - mishandled error on ASN.1 parsing (#207276) - fix CVE-2006-2940 - parasitic public keys DoS (#207274) - fix CVE-2006-3738 - buffer overflow in SSL_get_shared_ciphers (#206940) - fix CVE-2006-4343 - sslv2 client DoS (#206940) - fix CVE-2006-4339 - prevent attack on PKCS#1 v1.5 signatures (#205180) - add security fixes for CAN-2004-0079, CAN-2004-0112 - add security fixes for protocol parsing bugs (CAN-2003-0543, CAN-2003-0544) - add patch to fix ASN.1 vulnerabilities
  I don't see any explicit reference in there to TLS 1.1 or 1.2. Do you believe that those should be available on my system based on the output above?

  0
• 

  cPanelMichael

  • October 15, 2013 16:48

  The command provided is to check if a specific vulnerability has been patched. The version of OpenSSL installed on your system depends on the installed OS. You can check that with a command such as: cat /etc/redhat-release
  Based on the OpenSSL change log, support for TLS 1.1 and 1.2 was added in OpenSSL 1.0.1, which is newer than the version installed on your system. Thank you.

  0
• 

  dualmonitor

  • October 15, 2013 17:00

  [QUOTE]Based on the OpenSSL change log, support for TLS 1.1 and 1.2 was added in OpenSSL 1.0.1, which is newer than the version installed on your system.
  I know a fellow forum member wrote these tips on upgrading:

  0
• 

  cPanelMichael

  • October 15, 2013 18:57

  I recommend only using the version of OpenSSL provided by your OS vendor unless absolutely necessary. While you are welcome to implement manual modifications for a newer installation of OpenSSL, it's not guaranteed to work without issue, and it's not something we can provide support for in the event it results in configuration issues. Thank you.

  0
• 

  dualmonitor

  • October 15, 2013 19:27

  Can you confirm that these are true: [LIST]

  cPanel users do not have the most recent version of OpenSSL

  cPanel/WHM does not play a direct role in bringing OpenSSL up to date

  Attempting to manually take action to bring OpenSSL up to date is not recommended

  cPanel users simply have to wait until its users' OS vendors update OpenSSL

  0
• 

  cPanelMichael

  • October 15, 2013 19:39

  [quote="dualmonitor, post: 1483512">Can you confirm that these are true: [LIST]

  cPanel users do not have the most recent version of OpenSSL

  cPanel/WHM does not play a direct role in bringing OpenSSL up to date

  Attempting to manually take action to bring OpenSSL up to date is not recommended

  cPanel users simply have to wait until its users' OS vendors update OpenSSL
  This is mostly true. However, "the latest available version" is more accurate than "up to date", as vendors backport patches to the existing versions of OpenSSL. Also, depending on the specific OS installed, some servers that utilize cPanel will have newer versions of OpenSSL than others. Thank you.

  0

Please sign in to leave a comment.