How often is OpenSSL updated in cPanel?

dualmonitor

Active Member
Dec 3, 2012
cPanel Access Level
Root Administrator
When I run this at the command line:

Code:
openssl version
I receive:

Code:
OpenSSL 1.0.0-fips 29 Mar 2010
How often is openSSL updated in cPanel?

I'd really like to be able to take advantage of TLS 1.1 and 1.2 so I can offer perfect forward secrecy to my sites' visitors.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

Here is the comment by cPanelJamyn on that feature request that applies to this thread:

cPanel leverages your package management system (rpm) to install the openssl provided by your operating system. Security fixes are backported by your OS vendor (RedHat, CentOS). They typically pick a version they want to support (0.9.8 on CentOS 5 as an example) and then backport security fixes and occasionally features as needed. As a result, openssl 0.9.8e provided by your OS vendor is very different from the original 0.9.8e source - all known CVEs are regularly fixed in your OS version. All you have to do is run a non-EOL OS and keep it up to date, and you'll receive those fixes.

This is why, when you tell a PCI compliance vendor that you're using openssl from your OS, and show them the CVEs have been patched with that version, they'll whitelist the item as a false positive.

You could easily check to see if a given vulnerability has been patched:

Code:
rpm -q --changelog openssl | grep -iE 'security|cve|vuln'
Thank you.
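An added example (not code from the thread or from cPanel) that builds a small checker around the `rpm -q --changelog openssl | grep ...` idea from the reply above. It lists which CVE ids a vendor changelog claims to fix, checks a given list of CVEs against it, and reads the `openssl version` string to say whether TLS 1.1/1.2 can be expected at all (they arrived in OpenSSL 1.0.1). The changelog excerpt is constructed from lines quoted later in this thread, `CVE-0000-0000` is a placeholder id used only to exercise the "not listed" path, and on a machine without `rpm` the script falls back to the sample rather than failing.

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel: a checker built
# around `rpm -q --changelog openssl | grep ...`. It (1) lists which CVE ids a
# vendor changelog claims to fix, (2) checks a given list of CVEs against it,
# and (3) tells from the `openssl version` string whether TLS 1.1/1.2 can be
# expected at all (they first appeared in OpenSSL 1.0.1).

# Constructed sample changelog excerpt (the CVE lines are ones quoted in the
# thread); on a live system the real `rpm -q --changelog openssl` output is used.
SAMPLE_CHANGELOG='- fix for CVE-2013-0169 - SSL/TLS CBC timing attack (#907589)
- fix for CVE-2013-0166 - DoS in OCSP signatures checking (#908052)
- fix for CVE-2012-2110 - memory corruption in asn1_d2i_read_bio() (#814185)
- fix for CVE-2011-4108 & CVE-2012-0050 - DTLS plaintext recovery
vulnerability and additional DTLS fixes (#771770)'

# Read changelog text on stdin; print each distinct CVE id once, sorted.
changelog_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]+' | sort -u
}

# Exit 0 if CVE id $1 appears as a whole token in changelog text $2.
# The [^0-9] guards stop CVE-2012-005 from matching CVE-2012-0050.
cve_fixed() {
    printf '%s\n' "$2" | grep -qE "(^|[^0-9])$1([^0-9]|\$)"
}

# Report every CVE in "$@" against changelog text $1; exit 1 if any is missing.
# "Not listed" means the changelog does not claim a fix, not "known vulnerable":
# the vendor's advisory is the authority for that.
report_cves() {
    _log=$1; shift
    _missing=0
    for _cve in "$@"; do
        if cve_fixed "$_cve" "$_log"; then
            echo "$_cve: fix listed in changelog"
        else
            echo "$_cve: not listed in changelog"
            _missing=1
        fi
    done
    return $_missing
}

# Exit 0 if the `openssl version` string $1 is 1.0.1 or newer (TLS 1.1/1.2),
# exit 1 if it is older, exit 2 if the string is not recognised.
tls12_capable() {
    _v=$(printf '%s\n' "$1" | sed -nE 's/^OpenSSL ([0-9]+)\.([0-9]+)\.([0-9]+).*/\1 \2 \3/p')
    [ -n "$_v" ] || return 2
    set -- $_v   # now $1 $2 $3 are major minor patch
    [ $(( $1 * 10000 + $2 * 100 + $3 )) -ge 10001 ]
}

main() {
    if command -v rpm >/dev/null 2>&1 && _log=$(rpm -q --changelog openssl 2>/dev/null); then
        echo "Using live rpm changelog"
    else
        echo "rpm not available here; using the constructed sample changelog"
        _log=$SAMPLE_CHANGELOG
    fi
    echo "CVEs the changelog claims to fix:"
    printf '%s\n' "$_log" | changelog_cves
    # CVE-0000-0000 is a placeholder id that exercises the "not listed" path.
    report_cves "$_log" CVE-2013-0169 CVE-2012-0050 CVE-0000-0000 || true

    # Fall back to the version string quoted in the thread if openssl is absent.
    _ver=$(openssl version 2>/dev/null || echo 'OpenSSL 1.0.0-fips 29 Mar 2010')
    if tls12_capable "$_ver"; then
        echo "$_ver: TLS 1.1/1.2 available from this build"
    elif [ $? -eq 2 ]; then
        echo "$_ver: could not parse version string"
    else
        echo "$_ver: predates 1.0.1, so no TLS 1.1/1.2 regardless of backported fixes"
    fi
}
main
```

The two checks answer different questions: the changelog grep tells you whether a specific CVE fix was backported into the vendor build, while the version comparison tells you whether a feature that was never backported (TLS 1.1/1.2 here) can exist on that build at all.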
 

dualmonitor

Active Member
Dec 3, 2012
cPanel Access Level
Root Administrator
Hi cPanelMichael,

Thanks for the quick reply.

Here's the output I see when I run that command:

Code:
- fix for CVE-2013-0169 - SSL/TLS CBC timing attack (#907589)
- fix for CVE-2013-0166 - DoS in OCSP signatures checking (#908052)
environment variable is set (fixes CVE-2012-4929 #857051)
- fix for CVE-2012-2333 - improper checking for record length in DTLS (#820686)
- properly initialize tkeylen in the CVE-2012-0884 fix
- fix for CVE-2012-2110 - memory corruption in asn1_d2i_read_bio() (#814185)
- fix for CVE-2012-0884 - MMA weakness in CMS and PKCS#7 code (#802725)
- fix for CVE-2012-1165 - NULL read dereference on bad MIME headers (#802489)
- fix for CVE-2011-4108 & CVE-2012-0050 - DTLS plaintext recovery
vulnerability and additional DTLS fixes (#771770)
- fix for CVE-2011-4576 - uninitialized SSL 3.0 padding (#771775)
- fix for CVE-2011-4577 - possible DoS through malformed RFC 3779 data (#771778)
- fix for CVE-2011-4619 - SGC restart DoS attack (#771780)
- initialize the X509_STORE_CTX properly for CRL lookups - CVE-2011-3207
- fix OCSP stapling vulnerability - CVE-2011-0014 (#676063)
- disable code for SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG - CVE-2010-3864
- fix race in extension parsing code - CVE-2010-3864 (#649304)
- fix wrong ASN.1 definition of OriginatorInfo - CVE-2010-0742 (#598738)
- fix information leak in rsa_verify_recover - CVE-2010-1633 (#598732)
- fix CVE-2009-4355 - leak in applications incorrectly calling
- fix CVE-2009-3555 - note that the fix is bypassed if SSL_OP_ALL is used
- fix CVE-2009-1377 CVE-2009-1378 CVE-2009-1379
- update to new upstream release (minor bug fixes, security
- fix CVE-2008-0891 - server name extension crash (#448492)
- fix CVE-2008-1672 - server key exchange message omit crash (#448495)
- fix CVE-2007-5135 - off-by-one in SSL_get_shared_ciphers (#309801)
- fix CVE-2007-4995 - out of order DTLS fragments buffer overflow (#321191)
- CVE-2007-3108 - fix side channel attack on private keys (#250577)
- CVE-2006-2940 fix was incorrect (#208744)
- fix CVE-2006-2937 - mishandled error on ASN.1 parsing (#207276)
- fix CVE-2006-2940 - parasitic public keys DoS (#207274)
- fix CVE-2006-3738 - buffer overflow in SSL_get_shared_ciphers (#206940)
- fix CVE-2006-4343 - sslv2 client DoS (#206940)
- fix CVE-2006-4339 - prevent attack on PKCS#1 v1.5 signatures (#205180)
- add security fixes for CAN-2004-0079, CAN-2004-0112
- add security fixes for protocol parsing bugs (CAN-2003-0543, CAN-2003-0544)
- add patch to fix ASN.1 vulnerabilities
I don't see any explicit reference in there to TLS 1.1 or 1.2. Do you believe that those should be available on my system based on the output above?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
The command provided is to check if a specific vulnerability has been patched. The version of OpenSSL installed on your system depends on the installed OS. You can check that with a command such as:

Code:
cat /etc/redhat-release
Based on the OpenSSL change log, support for TLS 1.1 and 1.2 was added in OpenSSL 1.0.1, which is newer than the version installed on your system.

Thank you.
 

dualmonitor

Active Member
Dec 3, 2012
cPanel Access Level
Root Administrator
> Based on the OpenSSL change log, support for TLS 1.1 and 1.2 was added in OpenSSL 1.0.1, which is newer than the version installed on your system.

I know a fellow forum member wrote these tips on upgrading:

http://forums.cpanel.net/f185/cpanel-openssl-1-0-1c-higher-332001.html

His method may be bullet proof but I want to reduce the likelihood I break something.

Do you have any recommendations on how to upgrade to OpenSSL 1.0.1 so my system will support TLS 1.1 and 1.2, cPanelMichael?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
I recommend only using the version of OpenSSL provided by your OS vendor unless absolutely necessary. While you are welcome to implement manual modifications for a newer installation of OpenSSL, it's not guaranteed to work without issue, and it's not something we can provide support for in the event it results in configuration issues.

Thank you.
 

dualmonitor

Active Member
Dec 3, 2012
cPanel Access Level
Root Administrator
Can you confirm that these are true:

  • cPanel users do not have the most recent version of OpenSSL
  • cPanel/WHM does not play a direct role in bringing OpenSSL up to date
  • Attempting to manually take action to bring OpenSSL up to date is not recommended
  • cPanel users simply have to wait until their OS vendors update OpenSSL
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
> Can you confirm that these are true:
>
>   • cPanel users do not have the most recent version of OpenSSL
>   • cPanel/WHM does not play a direct role in bringing OpenSSL up to date
>   • Attempting to manually take action to bring OpenSSL up to date is not recommended
>   • cPanel users simply have to wait until their OS vendors update OpenSSL

This is mostly true. However, "the latest available version" is more accurate than "up to date", as vendors backport patches to the existing versions of OpenSSL. Also, depending on the specific OS installed, some servers that utilize cPanel will have newer versions of OpenSSL than others.

Thank you.