Updating OpenSSL = Scary

Mitsurugi (Verified User, joined Jul 19, 2005, 39 messages)
We're trying to achieve PCI DSS accreditation, and we're currently failing on our OpenSSL version - 0.9.7a. Apparently, we need at least 0.9.7b (wouldn't you know it!).

I've read through every thread on this forum about updating OpenSSL, and there doesn't appear to be a consistent method. We're using CentOS, by the way.

I've also read horror stories about people getting locked out of the server because SSH doesn't work anymore.

Bottom line - it's a server with over 100 clients on it, how can we update OpenSSL without compromising our clients?

And what absolutely *has* to be updated after OpenSSL?

Many, many thanks to anyone who can help with this. We're running Apache, PHP, all the usual apps.
Update OpenSSL (don't disconnect!)
Update OpenSSH
Update ProFTPd
Update PHP
Update Apache...

Next time, if updating OpenSSL or OpenSSH, first start the telnet service so there is always a backdoor. Apache, PHP, ProFTPd, and OpenSSH depend on OpenSSL.

Or buy ILO/DRAC/IPMI for your server so it's always manageable...

For now: go to the datacentre, log in in single-user mode, give 'cd /usr/local/update.schript' and run './update.script OPENSSH'. SSH will function now; reboot the server in normal mode, log in and update ProFTPd, PHP and Apache.

Don't update openssl* and openssh* with yum; add those components to the exclude line in /etc/yum.conf if you're using the update.script.
 
Thanks very much for your reply. Don't worry, we haven't done anything silly yet! I'm asking before we do the upgrade to avoid situations like this.

Would Exim also need to be updated?
 
We're trying to achieve PCI DSS accreditation, and we're currently failing on our OpenSSL version - 0.9.7a. Apparently, we need at least 0.9.7b (wouldn't you know it!).

To update anyone who might read this - thank GOD I didn't go through with this pointless exercise (which could have caused no end of problems!).

CentOS apparently "backports" its updates for many packages, so the version number alone doesn't tell you if you're vulnerable to a particular exploit. Have a read of this:

http://www.redhat.com/security/updates/backporting/?sc_cid=3093

Use THIS command to see what version of OpenSSL you're using:

rpm -qi openssl

And THIS to see what patches/fixes have been applied:

rpm -q --changelog openssl

All the reading paid off this time! You learn something new every day. And I can leave my perfectly functioning OpenSSL alone! :)
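The check the post above arrives at (look at the RPM changelog rather than the upstream version string, because CentOS/RHEL backport fixes without bumping the version) can be scripted. The following is an added example, not code from the thread: it greps a package changelog for a given advisory identifier and lists every CVE the changelog records. The changelog text and CVE identifiers embedded in it are constructed placeholders, not real advisories; when `rpm` is present and the package is installed, the real `rpm -q --changelog` output is used instead.

```shell
#!/bin/sh
# Added example: does the installed RPM's changelog record a fix for a given CVE?
# On a backporting distribution the upstream version (e.g. 0.9.7a) stays the same
# while security fixes land in the release number and are documented in the changelog.

# Constructed stand-in for `rpm -q --changelog openssl` output.
# The CVE identifiers below are placeholders, not real advisories.
SAMPLE_CHANGELOG='* Mon Jan 01 2007 Example Maintainer <maint@example.invalid> 0.9.7a-99.1
- fix CVE-0000-1111 (constructed placeholder)
- fix CVE-0000-2222 (constructed placeholder)
* Sun Jan 01 2006 Example Maintainer <maint@example.invalid> 0.9.7a-99.0
- rebuild'

# installed_changelog PACKAGE
# Prints the real changelog when rpm is available and the package is installed,
# otherwise the constructed sample so the script runs anywhere.
installed_changelog() {
    if command -v rpm >/dev/null 2>&1 && rpm -q "$1" >/dev/null 2>&1; then
        rpm -q --changelog "$1"
    else
        printf '%s\n' "$SAMPLE_CHANGELOG"
    fi
}

# changelog_has_cve CHANGELOG_TEXT CVE-ID
# Exit status 0 if the identifier appears in the changelog, 1 otherwise.
# The `--` keeps a pattern starting with a dash from being read as a grep option.
changelog_has_cve() {
    printf '%s\n' "$1" | grep -qi -- "$2"
}

# list_fixed_cves CHANGELOG_TEXT
# Prints every distinct CVE identifier mentioned in the changelog, sorted.
list_fixed_cves() {
    printf '%s\n' "$1" | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Usage: ./check_backport.sh openssl CVE-0000-1111
main() {
    pkg=${1:-openssl}
    cve=${2:-CVE-0000-1111}
    log=$(installed_changelog "$pkg")
    if changelog_has_cve "$log" "$cve"; then
        echo "$pkg: changelog records a fix for $cve"
    else
        echo "$pkg: no changelog entry mentions $cve"
    fi
    echo "All CVEs recorded in the $pkg changelog:"
    list_fixed_cves "$log"
}

main "$@"
```

Run it as `./check_backport.sh openssl CVE-XXXX-NNNN` with the identifier your auditor is asking about; a hit in the changelog is what you hand the auditor alongside the backporting page linked above, since the `rpm -qi` version field alone will still say 0.9.7a.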
 
I suppose you could blame that on your auditor. Auditors should know to check your distribution's version numbering scheme.

Jeff
 