Support of CentOS/RHEL 7.x vs required OpenSSL version


oliver.s...@semalytix.de

Jan 17, 2017, 2:17:43 PM
to Search Guard
Hello,

I was wondering about the required version of OpenSSL according to this documentation where it states:
"Install latest OpenSSL version on every node (make sure its at least version 1.0.1k.)" 

CentOS/RHEL 7.x currently ship OpenSSL version 1.0.1e:
$ yum info openssl
[...]
Version     : 1.0.1e
Release     : 60.el7
[...]

Could you please elaborate on the implications of using a version of OpenSSL older than 1.0.1k and (if possible) specifically 1.0.1e as the version being shipped by CentOS/RHEL 7.x?

Thank you in advance and kind regards,
Oliver Schlüter

oliver.s...@semalytix.de

Jan 17, 2017, 2:25:20 PM
to Search Guard
Attached to this email you'll find the output of 
$ rpm -q --changelog openssl > openssl-changelog-redhat.txt
openssl-changelog-redhat.txt

SG

Jan 17, 2017, 2:59:12 PM
to search...@googlegroups.com
1.0.1e has a lot of security issues, including the Heartbleed vulnerability (http://heartbleed.com).
It seems that the version shipped with your Linux distro fixed this bug, but we refer to the official OpenSSL codebase in our docs.
Technically (or API-wise) it's not a problem to use 1.0.1e, but it may be insecure.

But to be on the safe side we recommend always using the most recent version of OpenSSL (as of 17 Jan 2017 it's 1.0.2j and 1.1.0c).
You can do this by compiling it yourself (instead of relying on the version shipped with your Linux distribution) or by using our statically compiled
version of the netty tcnative OpenSSL library (currently OpenSSL 1.0.2h for SG2 and 1.0.2j for SG5).

Hope this helps
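An added example, not part of the thread: because the distro's version string (1.0.1e) does not show which fixes were backported, this script reads `rpm -q --changelog openssl` output like the file attached above and lists each CVE id with the oldest package release whose changelog entry names it. The sample changelog, its placeholder CVE ids and the function names are constructed for illustration, and the header layout (version-release as the last field) is an assumption about the packager's changelog style.

```shell
#!/bin/sh
# Constructed sample in the layout of `rpm -q --changelog openssl` output.
# CVE ids, dates, packager and all releases except 1.0.1e-60 are placeholders.
SAMPLE_CHANGELOG='* Tue Jan 10 2017 Example Packager <packager@example.com> 1.0.1e-60
- fix CVE-0000-0003 - placeholder description

* Mon Jun 02 2014 Example Packager <packager@example.com> 1.0.1e-34
- fix CVE-0000-0002 - placeholder description
- add regression test for CVE-0000-0001

* Mon Apr 07 2014 Example Packager <packager@example.com> 1.0.1e-33
- fix CVE-0000-0001 - placeholder description'

# Reads changelog text on stdin and prints "CVE-ID<TAB>version-release",
# one line per CVE, using the oldest entry that mentions it.
cve_fixes() {
    awk '
        # Entry header; assumed to end with the version-release field.
        /^\* / { rel = $NF; next }
        {
            s = $0
            # A single changelog line may name several CVE ids.
            while (match(s, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
                # rpm prints newest entries first, so a later match
                # overwrites with an older release.
                fixed[substr(s, RSTART, RLENGTH)] = rel
                s = substr(s, RSTART + RLENGTH)
            }
        }
        END { for (c in fixed) printf "%s\t%s\n", c, fixed[c] }
    ' | sort
}

# Exit status 0 if the changelog on stdin names CVE id $1, 1 otherwise.
has_fix() {
    cve_fixes | awk -v id="$1" '$1 == id { found = 1 } END { exit !found }'
}

# Demo on the constructed sample; on a real host use:
#   rpm -q --changelog openssl | cve_fixes
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fixes
```

A CVE id that is absent from the changelog only means the packager did not record it there; check it against the vendor's security advisories before concluding that the fix is missing.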
