This is at my house in my basement. My Fortinet 60E firewall is kept on the latest software. I am waiting now for 7.0.1 or 7.0.2 to be released. Fortinet engineers usually email me when to upgrade to the new revision. I have 4 NFRs open on IPv6 and DHCPv6. UTM is fully enabled. Geofencing is configured for many countries. I keep the certificates up to date. I spend time on The Hacker News looking at reported bugs. I actually ran Nessus on my servers and they came back clean. SSL Labs reports on my web site configurations. I started learning more about cryptology. The OpenSSL bugs state to upgrade beyond 1.1.1f.
-----Original Message-----
From: openssl-users <openssl-users-boun...@openssl.org> On Behalf Of Mauricio Tavares
Sent: Monday, May 31, 2021 7:45 AM
To: openssl-users@openssl.org
Subject: Re: Why can't we get a proper installation method to keep OpenSSL at the latest revision for Linux?

On Mon, May 31, 2021 at 7:02 AM Michael McKenney via openssl-users <openssl-users@openssl.org> wrote:
>
> My WordPress servers are under constant attack. My Fortinet 60E firewall logs are filled. OpenSSL is constantly reported on The Hacker News and other sites. So I don't need to worry about upgrading OpenSSL in the future to 1.1.1k or above? I can just use what the distro has to offer by apt? Ubuntu 20.04 started with 1.1.1f. My Kali server is mainly used for Try Hack Me challenges and learning cyber security.
>
Security is a series of compromises based on understanding your needs and defense in depth. For instance, do you run something like fail2ban? Do you monitor your logs and network traffic?

> From: Jan Just Keijser <janj...@nikhef.nl>
> Sent: Monday, May 31, 2021 5:55 AM
> To: Michael McKenney <mike.mcken...@scsiraidguru.com>; openssl-users@openssl.org
> Subject: Re: Why can't we get a proper installation method to keep OpenSSL at the latest revision for Linux?
>
> On 30/05/21 14:05, Michael McKenney wrote:
> > Why can't we get a proper installation method to keep OpenSSL at the latest revision for Linux?
> >
> > My biggest complaint with Linux is it is so difficult to get best practice installations for services like OpenSSL. Ubuntu is still on 1.1.1f. I have been trying to upgrade to 1.1.1k. `openssl version -a` states I am on 1.1.1k, when programs in WordPress that use OpenSSL show I am using 1.1.1f. Spending hours of time on various sites like AskUbuntu.com, only to be disappointed. Microsoft has best practices guides for installations. Why can't we get them for Linux?
>
> This is both very hard and undesirable:
> OpenSSL can be regarded as a low-level system library that is used by many applications across the entire Linux distribution. You cannot simply upgrade this low-level system library without breaking these applications.
> Admittedly, for an upgrade from 1.1.1f -> 1.1.1k the risk of introducing an API change is quite low, but for anything else (e.g. 1.1.0x -> 1.1.1k) you will almost certainly have to rebuild and relink all applications that depend on the OpenSSL libraries.
> This is not something you can expect from the Linux distro maintainers. For them, it is far less risky to backport security fixes to the version of OpenSSL that they built their distro on (e.g. Ubuntu 20 -> 1.1.1f; CentOS 7 -> 1.0.2k (yes!), etc.).
>
> Note that most update woes that Windows 10 has had over the past few years were related to library updates breaking applications - so even Microsoft has problems with "best practices".
>
> HTH,
>
> JJK
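The mismatch Michael describes (`openssl version -a` reports 1.1.1k while WordPress reports 1.1.1f) and JJK's explanation that applications link against the distro's system libssl can both be checked directly on the host. The script below is an added example and was not posted in the thread by anyone. The `ldd` and `dpkg -s` output embedded in it is constructed sample data so the helper functions run offline; `report_for_binary` runs the real `ldd`, `dpkg -S`, `dpkg -s` and `openssl version` commands on a Debian/Ubuntu host. The package name and version strings in the samples are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): which libssl does a program actually load,
# and is it the same build as the `openssl` binary in PATH?
# The two SAMPLE_* variables are constructed test data so the helpers run offline.

# Constructed sample of `ldd /usr/bin/php` on an Ubuntu 20.04 host (addresses are fake).
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd3a9c3000)
    libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f1c2d0d0000)
    libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f1c2cdf0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c2cbf0000)'

# Constructed sample of `dpkg -s libssl1.1` (fields abbreviated, version is an assumption).
SAMPLE_DPKG='Package: libssl1.1
Status: install ok installed
Version: 1.1.1f-1ubuntu2.4
Source: openssl'

# Turn an OpenSSL version such as 1.1.1f or 3.0.2 into one sortable integer.
# The 1.x patch letter becomes the last field (a=1 ... z=26, no letter=0).
openssl_version_num() {
  v=$1
  num=${v%%[a-z]*}                       # numeric part, e.g. 1.1.1
  suf=${v#"$num"}                        # letter suffix, e.g. f (may be empty)
  a=${num%%.*}; rest=${num#*.}; b=${rest%%.*}; c=${rest#*.}
  if [ -n "$suf" ]; then s=$(( $(printf '%d' "'$suf") - 96 )); else s=0; fi
  echo $(( a * 1000000 + b * 10000 + c * 100 + s ))
}

# Exit 0 when version $1 is at least version $2.
openssl_version_ge() {
  [ "$(openssl_version_num "$1")" -ge "$(openssl_version_num "$2")" ]
}

# Read ldd output on stdin; print the path the dynamic loader resolves for libssl.
libssl_from_ldd() {
  awk '$1 ~ /^libssl\.so/ { print $3; exit }'
}

# Read `dpkg -s` output on stdin; print the value of field $1 (e.g. Version).
dpkg_field() {
  awk -v f="$1:" '$1 == f { sub(/^[^ ]* /, ""); print; exit }'
}

# Strip Debian epoch and revision: 1:1.1.1f-1ubuntu2.4 -> 1.1.1f
upstream_version() {
  v=${1#*:}
  printf '%s\n' "${v%%-*}"
}

# Live check against a real binary (Debian/Ubuntu only: uses dpkg).
report_for_binary() {
  bin=$1
  lib=$(ldd "$bin" 2>/dev/null | libssl_from_ldd)
  if [ -z "$lib" ]; then
    echo "$bin does not link libssl directly (static build, or loaded via a plugin module)"
    return 1
  fi
  pkg=$(dpkg -S "$lib" 2>/dev/null | cut -d: -f1)
  pkgver=$(dpkg -s "$pkg" 2>/dev/null | dpkg_field Version)
  up=$(upstream_version "$pkgver")
  cli=$(openssl version 2>/dev/null | awk '{ print $2 }')
  echo "$bin loads $lib"
  echo "  owned by package $pkg, version $pkgver (upstream $up)"
  echo "  'openssl version' in PATH reports: ${cli:-<no openssl in PATH>}"
  if [ -n "$cli" ] && [ "$cli" != "$up" ]; then
    echo "  NOTE: the CLI and the library $bin uses are different builds."
    echo "  The distro keeps the upstream number at $up and backports fixes;"
    echo "  check 'apt changelog $pkg' for the CVE you care about, not the version string."
  fi
}

# Only run the live check when a binary path is given on the command line.
if [ "$#" -gt 0 ]; then
  report_for_binary "$1"
fi
```

Run it as `sh check-libssl.sh "$(command -v php)"` (or against `apache2`, `nginx`, `sshd`). When the CLI version and the package's upstream version differ, the `openssl` found first in PATH is a separately built copy (typically under /usr/local), and it has no effect on what PHP or Apache load; the distro's libssl1.1 stays at upstream 1.1.1f for the life of the release while the Debian revision climbs with each backported fix, so whether a particular CVE is fixed is answered by the package changelog, not by the version string. Some programs pull in libssl through a plugin rather than the main executable (PHP's openssl extension, Apache's mod_ssl); for those, point the script at the module `.so`, or read `/proc/<pid>/maps` of the running process to see which libssl is actually mapped.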