On Mon, May 31, 2021 at 7:02 AM Michael McKenney via openssl-users <openssl-users@openssl.org> wrote:
>
> My WordPress servers are under constant attack. My Fortinet 60E firewall
> logs are filled. OpenSSL is constantly reported on The Hacker News and other
> sites. So I don’t need to worry about upgrading OpenSSL in the future to
> 1.1.1k or above? I can just use what the distro has to offer by apt?
> Ubuntu 20.04 started with 1.1.1f. My Kali server is mainly used for Try
> Hack Me challenges and learning cyber security.
>

Security is a series of compromises based on understanding your needs and defense in depth. For instance, do you run something like fail2ban? Do you monitor your logs and network traffic?
>
> From: Jan Just Keijser <janj...@nikhef.nl>
> Sent: Monday, May 31, 2021 5:55 AM
> To: Michael McKenney <mike.mcken...@scsiraidguru.com>; openssl-users@openssl.org
> Subject: Re: Why can't we get a proper installation method to keep OpenSSL at the latest revision for Linux?
>
> On 30/05/21 14:05, Michael McKenney wrote:
> > Why can't we get a proper installation method to keep OpenSSL at the latest
> > revision for Linux?
> >
> > My biggest complaint with Linux is it is so difficult to get best practice
> > installations for services like OpenSSL. Ubuntu is still on 1.1.1f. I
> > have been trying to upgrade to 1.1.1k. "openssl version -a" states I am on
> > 1.1.1k, when programs in WordPress that use OpenSSL show I am using
> > 1.1.1f. Spending hours of time on various sites like AskUbuntu.com, only
> > to be disappointed. Microsoft has best practices guides for installations.
> > Why can’t we get them for Linux?
>
> this is both very hard and undesirable:
> openssl can be regarded as a low-level system library that is used by many
> applications across the entire Linux distribution. You cannot simply upgrade
> this low-level system library without breaking these applications.
> Admittedly, for an upgrade from 1.1.1f -> 1.1.1k the risk of introducing an
> API change is quite low, but for anything else (e.g. 1.1.0x -> 1.1.1k) you
> will almost certainly have to rebuild and relink all applications that depend
> on the OpenSSL libraries.
> This is not something you can expect from the Linux distro maintainers. For
> them, it is far less risky to backport security fixes to the version of
> OpenSSL that they built their distro on (e.g. Ubuntu 20 -> 1.1.1f; CentOS 7 ->
> 1.0.2k (yes!), etc).
>
> Note that most update woes that Windows 10 has had over the past few years
> were related to library updates breaking applications - so even Microsoft has
> problems with "best practices".
>
> HTH,
>
> JJK
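The version discrepancy Michael describes (the openssl CLI reports 1.1.1k while PHP/WordPress reports 1.1.1f) is exactly what JJK's point predicts: a source-built binary on PATH does not change which libcrypto the distro-built applications load. The script below is an added example, not code from this thread or from the OpenSSL project; it compares the CLI's version string with the library a given binary actually resolves via ldd. The function names and the sample ldd output are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: compare the OpenSSL version the "openssl"
# CLI on PATH reports with the libcrypto shared object an application really loads.
# A source-built OpenSSL in /usr/local changes the CLI answer but not what a
# distro-built PHP links, which is the 1.1.1k-vs-1.1.1f symptom in the thread.

# Pull "1.1.1k" out of "OpenSSL 1.1.1k  25 Mar 2021" (also "3.0.2" from a 3.x string).
openssl_version_token() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# From ldd(1) output, print the resolved libcrypto path, or nothing if not linked.
libcrypto_path_from_ldd() {
    printf '%s\n' "$1" |
        awk '/libcrypto\.so/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; exit } }'
}

# Version text OpenSSL embeds in libcrypto (OPENSSL_VERSION_TEXT); needs strings(1).
libcrypto_version_from_so() {
    command -v strings >/dev/null 2>&1 || return 2
    strings "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\) .*/\1/p' | head -n 1
}

# Prints a one-line verdict; returns 0 when CLI and library agree, 1 on a mismatch.
report() {
    cli="$1"; lib="$2"; so="$3"
    if [ -n "$cli" ] && [ "$cli" = "$lib" ]; then
        printf 'OK: CLI and %s are both OpenSSL %s\n' "$so" "$cli"; return 0
    fi
    printf 'MISMATCH: CLI is OpenSSL %s but %s is OpenSSL %s\n' "${cli:-?}" "$so" "${lib:-?}"
    return 1
}

# Live check of one binary (default php) on the host this runs on.
check_app() {
    bin=$(command -v "${1:-php}") || { echo "${1:-php} not on PATH"; return 2; }
    so=$(libcrypto_path_from_ldd "$(ldd "$bin" 2>/dev/null)")
    [ -n "$so" ] || { echo "$bin does not dynamically link libcrypto"; return 2; }
    report "$(openssl_version_token "$(openssl version 2>/dev/null)")" \
           "$(libcrypto_version_from_so "$so")" "$so"
}

# Constructed sample mirroring the thread: CLI built as 1.1.1k, distro library still 1.1.1f.
SAMPLE_LDD='    libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f3a4c2e0000)
    libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f3a4be00000)'
sample_report() {
    report "$(openssl_version_token 'OpenSSL 1.1.1k  25 Mar 2021')" 1.1.1f \
           "$(libcrypto_path_from_ldd "$SAMPLE_LDD")"
}
```

On a live host, calling check_app php (or check_app apache2, nginx, and so on) runs the same comparison against the real binary; a MISMATCH means the application is still on the distro's library and the distro's backported security fixes, not the locally built one.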