Support of CentOS/RHEL 7.x vs required OpenSSL version

Hello,

I was wondering about the required version of OpenSSL according to this documentation where it states:

“Install latest OpenSSL version on every node (make sure its at least version 1.0.1k.)”

CentOS/RHEL 7.x currently ship OpenSSL version 1.0.1e:

$ yum info openssl

[…]

Version : 1.0.1e

Release : 60.el7

[…]

Could you please elaborate on the implications of using a version of OpenSSL older than 1.0.1k and (if possible) specifically 1.0.1e as the version being shipped by CentOS/RHEL 7.x?

Thank you in advance and kind regards,

Oliver Schlüter

Attached to this email you’ll find the output of
$ rpm -q --changelog openssl > openssl-changelog-redhat.txt

openssl-changelog-redhat.txt (53.7 KB)

···

On Tuesday, January 17, 2017 at 8:17:43 PM UTC+1, oliver.s...@semalytix.de wrote:

CentOS/RHEL 7.x currently ship OpenSSL version 1.0.1e:

$ yum info openssl

[…]

Version : 1.0.1e

Release : 60.el7

[…]

1.0.1e has a lot of security issues including heartbleed vulnerability (http://heartbleed.com).
It seems that the version shipped with your linux distro fixed this bug but we refer to the offical openssl codebase in our docs.
Technically (or api wise) its not a problem to use 1.0.1e but it maybe insecure.

But to be on the safe sdide we recommend to use always the most recent version of openssl (as of 17. Jan 2017 its 1.0.2j and 1.1.0c).
You can do this by compiling it yourself (instead of relying on the version shipped with your linux distribution) or use our statically compiled
version of the netty tcnative openssl library (currently openssl 1.0.2h for SG2 and 1.0.2j for SG5)

Hope this helps

···

Am 17.01.2017 um 20:17 schrieb oliver.schlueter@semalytix.de:

Hello,

I was wondering about the required version of OpenSSL according to this documentation where it states:
"Install latest OpenSSL version on every node (make sure its at least version 1.0.1k.)"

CentOS/RHEL 7.x currently ship OpenSSL version 1.0.1e:
$ yum info openssl
[...]
Version : 1.0.1e
Release : 60.el7
[...]

Could you please elaborate on the implications of using a version of OpenSSL older than 1.0.1k and (if possible) specifically 1.0.1e as the version being shipped by CentOS/RHEL 7.x?

Thank you in advance and kind regards,
Oliver Schlüter

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/a1e57b95-2f1a-4e79-8f30-e10f4369c6cd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.