jdlitson said:
The only thing that has stopped me from buying the $50 cert is that I still need to update my OpenSSL.
Looks like that's going to be a pain (for a beginner).
I'm presuming you're using a Red Hat system, based on RPMs. I'd be quite surprised if you don't have it installed. If you don't, then you should just get the most recent RPMs for your system from Red Hat and install them with:
Code:
# rpm -Uvh <rpm-file-name.rpm>
The RPM won't install if there are any dependencies, so you can then make a decision to install the dependencies.
Personally I use apt-rpm to keep a lot of systems up-to-date. We haven't any live DirectAdmin systems yet, but I'm going to try updating a test DirectAdmin system in the next few days and I'll let you know how it went.
apt-rpm should not hurt anything; it will only update packages that have the same name and main version number. But don't install it without the go-ahead from Mark, as I can't guarantee anything.
I am wondering now if the OpenSSL is good software?
I don't even know anyone who isn't using it for SSL on Red Hat Linux. Imho it's at least as secure as any other SSL implementation.
A few years ago, when the SSL code was still proprietary, Red Hat licensed the code and sold a secure server that just plugged into Red Hat Linux; it worked fine and plugged in easily. But it was much more complex than just installing SSL as part of the Red Hat install as we do today.
Perhaps it would save time to use another SSL software so I don't have to keep fixing the OpenSSL holes.
Is there anything else that would be better security-wise and still low cost?
Most of us are probably using mod_ssl, which uses OpenSSL <http://www.modssl.org/>.
There's an alternative Apache product, Apache-ssl <http://www.apache-ssl.org/>, but I don't know anyone using it, and it does not get installed as part of the Red Hat install.
I'd recommend, especially for anyone using a server administration package (such as DirectAdmin, Plesk, CPanel, etc.), and certainly for newbies, that you stick with officially supported packages; otherwise you're completely on your own when it comes to support.
Does everyone here use OpenSSL?
I can't speak for others, but I'd be quite surprised if anyone was using any other implementation with DirectAdmin.
I am assuming that OpenSSL would still need to be installed even though we buy a signed Cert?
Yes. The certificate merely identifies your website and enables the encrypted data transfer.
Jeff