This is at my house in my basement. My Fortinet 60E firewall is kept on the 
latest software. I am waiting now for 7.0.1 or 7.0.2 to be released. 
Fortinet engineers usually email me when to upgrade to the new revision. I 
have 4 NFRs open on IPv6 and DHCPv6. UTM is fully enabled. Geofencing is 
configured for many countries. I keep the certificates up to date. I 
spend time on The Hacker News looking at reporting bugs. I actually ran 
Nessus on my servers and they came back clean. SSL Labs reports on my web 
site configurations. I started learning more about cryptology. The OpenSSL 
bugs state to upgrade beyond 1.1.1f.

-----Original Message-----
From: openssl-users <openssl-users-boun...@openssl.org> On Behalf Of Mauricio 
Tavares
Sent: Monday, May 31, 2021 7:45 AM
To: openssl-users@openssl.org
Subject: Re: Why can't we get a proper installation method to keep OpenSSL at 
the latest revision for Linux?

On Mon, May 31, 2021 at 7:02 AM Michael McKenney via openssl-users 
<openssl-users@openssl.org> wrote:
>
> My WordPress servers are under constant attack. My Fortinet 60E firewall 
> logs are filled. OpenSSL is constantly reported on The Hacker News and other 
> sites. So I don't need to worry about upgrading OpenSSL in the future to 
> 1.1.1k or above? I can just use what the distro has to offer by apt? 
> Ubuntu 20.04 started with 1.1.1f. My Kali server is mainly used for Try 
> Hack Me challenges and learning cyber security.
>
      Security is a series of compromises based on understanding your needs and 
defense in depth. For instance, do you run something like fail2ban? Do you 
monitor your logs and network traffic?

>
> From: Jan Just Keijser <janj...@nikhef.nl>
> Sent: Monday, May 31, 2021 5:55 AM
> To: Michael McKenney <mike.mcken...@scsiraidguru.com>; 
> openssl-users@openssl.org
> Subject: Re: Why can't we get a proper installation method to keep OpenSSL at 
> the latest revision for Linux?
>
> On 30/05/21 14:05, Michael McKenney wrote:
>
> Why can't we get a proper installation method to keep OpenSSL at the latest 
> revision for Linux?
>
> My biggest complaint with Linux is it is so difficult to get best practice 
> installations for services like OpenSSL. Ubuntu is still on 1.1.1f. I 
> have been trying to upgrade to 1.1.1k. openssl version -a states I am on 
> 1.1.1k, while programs in WordPress that use OpenSSL show I am using 
> 1.1.1f. I have spent hours on various sites like AskUbuntu.com, only 
> to be disappointed. Microsoft has best practices guides for installations. 
> Why can't we get them for Linux?
>
> This is both very hard and undesirable:
> OpenSSL can be regarded as a low-level system library that is used by many 
> applications across the entire Linux distribution. You cannot simply upgrade 
> this low-level system library without breaking these applications. 
> Admittedly, for an upgrade from 1.1.1f -> 1.1.1k the risk of introducing an 
> API change is quite low, but for anything else (e.g. 1.1.0x -> 1.1.1k) you 
> will almost certainly have to rebuild and relink all applications that depend 
> on the OpenSSL libraries.
> This is not something you can expect from the Linux distro maintainers. For 
> them, it is far less risky to backport security fixes to the version of 
> OpenSSL that they built their distro on (e.g. Ubuntu 20 -> 1.1.1f; CentOS 7 -> 
> 1.0.2k (yes!), etc).
>
> Note that most update woes that Windows 10 has had over the past few years 
> were related to library updates breaking applications - so even Microsoft has 
> problems with "best practices".
>
> HTH,
>
> JJK

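The thread conflates three different version numbers: what the `openssl` command on the PATH prints, what an application such as PHP reports for the libssl it actually loaded, and what the distro package carries (an upstream base like 1.1.1f plus a distro revision in which the backported fixes JJK describes accumulate). The POSIX shell script below, an added example that is not part of this thread and not OpenSSL project code, separates the three. The banners and package version strings in it are constructed, the helper names are my own, and the live section only runs `openssl`, `php`, `ldd` and `dpkg-query` if they happen to be installed.

```shell
#!/bin/sh
# Added example: tell apart the OpenSSL command version, the libssl an
# application actually loaded, and the distro package version.

# Turn an OpenSSL 1.x/3.x version ("1.1.1f", "1.0.2k-fips", "3.0.1") into a
# single integer key: major, minor, fix, then the patch letter (a=1 .. z=26,
# no letter = 0), each zero-padded so the keys compare numerically.
ossl_key() {
    ver=$1
    base=${ver%%[a-z]*}            # "1.1.1"
    letter=${ver#"$base"}          # "f", "k-fips" or ""
    letter=${letter%%[^a-z]*}      # keep only the letter itself
    case $letter in
        "") n=0 ;;
        *)  n=$(printf '%d' "'$letter"); n=$((n - 96)) ;;   # 'a' is 97
    esac
    oldifs=$IFS; IFS=.; set -- $base; IFS=$oldifs
    printf '%d%03d%03d%03d\n' "$1" "$2" "$3" "$n"
}

# True (exit 0) when version $1 is at least version $2.
ossl_ge() { [ "$(ossl_key "$1")" -ge "$(ossl_key "$2")" ]; }

# Split a Debian/Ubuntu package version "1.1.1f-1ubuntu2.4" into the upstream
# base and the distro revision. A growing revision on an unchanged base is
# exactly the backport model: CVE fixes land without the base ever reading 1.1.1k.
pkg_upstream() { printf '%s\n' "${1%%-*}"; }
pkg_revision() { case $1 in *-*) printf '%s\n' "${1#*-}" ;; *) printf '\n' ;; esac; }

# Pull the version token out of a banner such as "OpenSSL 1.1.1f  31 Mar 2020"
# (the format of `openssl version` and of PHP's OPENSSL_VERSION_TEXT).
banner_version() { set -- $1; printf '%s\n' "$2"; }

# Compare the CLI banner ($1) with the banner an application reports ($2).
# Prints: same, cli-newer or app-newer. "cli-newer" is the thread's situation:
# a self-built openssl binary sits on the PATH, but PHP still loads the
# distro's libssl.so.1.1.
compare_cli_app() {
    cli=$(banner_version "$1"); app=$(banner_version "$2")
    if [ "$cli" = "$app" ]; then echo same
    elif ossl_ge "$cli" "$app"; then echo cli-newer
    else echo app-newer; fi
}

# Live check: only runs whichever tools exist on this host. It shows the
# command's banner, PHP's loaded libssl, the shared objects PHP links, and the
# distro package version (base + revision).
live_check() {
    if command -v openssl >/dev/null 2>&1; then openssl version; fi
    if command -v php >/dev/null 2>&1; then
        php -r 'echo OPENSSL_VERSION_TEXT, "\n";'
        # the openssl extension may be a separate module; libcrypto usually
        # still shows up on the interpreter itself
        ldd "$(command -v php)" 2>/dev/null | grep -E 'libssl|libcrypto'
    fi
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Package} ${Version}\n' 'libssl*' 2>/dev/null
    fi
    return 0
}

# Constructed sample values, matching the situation described in the thread.
CLI_BANNER='OpenSSL 1.1.1k  25 Mar 2021'   # constructed: self-built /usr/local/bin/openssl
APP_BANNER='OpenSSL 1.1.1f  31 Mar 2020'   # constructed: PHP's OPENSSL_VERSION_TEXT
PKG_VERSION='1.1.1f-1ubuntu2.4'            # constructed: dpkg version of libssl1.1

printf 'cli vs app : %s\n' "$(compare_cli_app "$CLI_BANNER" "$APP_BANNER")"
printf 'package    : base %s, distro revision %s\n' \
    "$(pkg_upstream "$PKG_VERSION")" "$(pkg_revision "$PKG_VERSION")"
live_check
```

The `compare_cli_app` result of `cli-newer` for the constructed values is the mismatch described in the original question: a rebuilt `openssl` binary changes what `openssl version -a` prints, but not which `libssl.so.1.1` the web server's PHP loads. Whether a given CVE is fixed on such a host is answered by the package changelog for the distro revision, not by the 1.1.1f base string.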