upgrade openssl

[merlinpa1969]

Hello,
I have an interesting question,

PCI Compliance scans require openssl to be at 0.9.8c or higher.
and ssh need to be at 5.1

the issue we are running into is that the system only shows 0.9.8b and ssh at 4.9


we have been informed by the data center that manually updating openssl will break c-panel.

we have see this on 2 servers at this new datacenter. where after updating openssl and ssh that we are unable to generate CSR's

What is the proper way to update to be PCI Compliant without breaking c-panel?

[bls24]

we have been informed by the data center that manually updating openssl will break c-panel.

I've been told by mine that if problems occur an OS reinstall would pretty much be mandatory!

I haven't been brave enough to try it yet. Wonder why it is so hard to upgrade?

[merlinpa1969]

I have discovered that using the newest redhat kernel will pass even though the banner says 0.9.8b

[bls24]

Does that actually upgrade the security patches, too?

[dalem]

What is the proper way to update to be PCI Compliant without breaking c-panel?

you ask them to make an exception as a good scanning company will that some Linux distros are back-port fixed to the latest version

[Biotron2000]

Has anyone yet found a way to upgrade OpenSSL that won't fry the server? We need to get ours into compliance as well.
All cPanel Support has to say is:

OpenSSL maintenance is a systems task that lays beyond the scope of our support

Any ideas out there?

Thanks,
Patrick

[merlinpa1969]

Nope
and its funny, its not cpanels problem but its the cpanel version of this software that is causing the issues,

I mean when you are told outright that updating things manually will cause issues there is a problem........

the issue that we had with upgrading openssl was we could no longer creats CSRs


however if you are keeping your kernel and your cpanel uptodate then you will be fine....and it should pas PCI Compliance

[cpanelkenneth]

Nope
and its funny, its not cpanels problem but its the cpanel version of this software that is causing the issues,

We don't provide OpenSSL.

OpenSSL is provided by the Operating System Vendor (e.g. RedHat, CentOS, etc). We only use what they provide.

As mentioned above, you need to contact your PCI Compliance Auditor and provide information that you are using OpenSSL packages provided by your Operating System vendor, who backports patches (if your OS vendor does do so. RedHat does).

[merlinpa1969]

Thats fine however you still have not explained WHY manually upgrading openssl and openssh cause issues with creating a csr...

Why is it recommended NOT to upgrade the software if your using cpanel

[SB-Nick]

We have been upgrading OpenSSL for PCI compliance on some cPanel boxes without any problem.
Did you try to upgrade it? If so, what error are you getting?

[merlinpa1969]

Yes we did upgrade it,
redhat5

causes issues

you are not able to create CSR's it goes through the motion but dosnt create it

[SB-Nick]

Hello,

Did you double check you are using the updated openssl binaries?