Support of CentOS/RHEL 7.x vs required OpenSSL version

Hello,

I was wondering about the required version of OpenSSL according to this documentation where it states:

“Install latest OpenSSL version on every node (make sure its at least version 1.0.1k.)”

CentOS/RHEL 7.x currently ship OpenSSL version 1.0.1e:

$ yum info openssl

[…]

Version : 1.0.1e

Release : 60.el7

[…]

Could you please elaborate on the implications of using a version of OpenSSL older than 1.0.1k and (if possible) specifically 1.0.1e as the version being shipped by CentOS/RHEL 7.x?

Thank you in advance and kind regards,

Oliver Schlüter

Attached to this email you’ll find the output of
$ rpm -q --changelog openssl > openssl-changelog-redhat.txt

openssl-changelog-redhat.txt (53.7 KB)

1.0.1e has a lot of security issues including heartbleed vulnerability (http://heartbleed.com).
It seems that the version shipped with your linux distro fixed this bug but we refer to the offical openssl codebase in our docs.
Technically (or api wise) its not a problem to use 1.0.1e but it maybe insecure.

But to be on the safe sdide we recommend to use always the most recent version of openssl (as of 17. Jan 2017 its 1.0.2j and 1.1.0c).
You can do this by compiling it yourself (instead of relying on the version shipped with your linux distribution) or use our statically compiled
version of the netty tcnative openssl library (currently openssl 1.0.2h for SG2 and 1.0.2j for SG5)

Hope this helps