Nick Bright
2015-Oct-21  18:18 UTC
[CentOS] Security implications of openssl098e on CentOS 7
Greetings,

I'm working with a new CentOS 7 installation, moving a system up from CentOS 5 due to OpenSSL version 0.9.8e not meeting PCI Compliance requirements.

However, while setting up the CentOS 7 environment one of the closed source applications is requiring 0.9.8. The software vendor has advised installing package openssl098e from yum; but I'm hesitant to do so from a compliance and security perspective.

What are the implications of this compatibility package? What does it provide/do?

Thank you,

--
-----------------------------------------------
- Nick Bright -
- Vice President of Technology -
- Valnet -=- We Connect You -=- -
- Tel 888-332-1616 x 315 / Fax 620-331-0789 -
- Web http://www.valnet.net/ -
-----------------------------------------------
- Are your files safe? -
- Valnet Vault - Secure Cloud Backup -
- More information & 30 day free trial at -
- http://www.valnet.net/services/valnet-vault -
-----------------------------------------------

This email message and any attachments are intended solely for the use of the addressees hereof. This message and any attachments may contain information that is confidential, privileged and exempt from disclosure under applicable law. If you are not the intended recipient of this message, you are prohibited from reading, disclosing, reproducing, distributing, disseminating or otherwise using this transmission. If you have received this message in error, please promptly notify the sender by reply E-mail and immediately delete this message from your system.
Andrew Holway
2015-Oct-21  18:55 UTC
[CentOS] Security implications of openssl098e on CentOS 7
Personally I would go round to that particular vendor's office with a pipe wrench and encourage them to do better. However, unless this software is transmitting credit card information, it seems that you could be safe(ish) from the regulation standpoint. It really depends on the location of the machine. Is it deep in the bowels of your high security nuclear bunker on an air gap network, or is it merrily accepting incoming traffic from China? Is the software using an appropriate SELinux policy, or is it running unconfined or with SELinux turned off?

It seems the PCI-DSS describes a set of simple rules to get IT managers thinking, but they are somewhat open to interpretation. Are you abiding by the spirit of the regulations?
Nick Bright
2015-Oct-21  18:58 UTC
[CentOS] Security implications of openssl098e on CentOS 7
The particular software requiring 0.9.8 is performing backups of the system to a remote data center. My concern is whether, with the compatibility package installed, this could present vulnerabilities or compliance problems in Apache.

--
Nick Bright
Eero Volotinen
2015-Oct-21  19:34 UTC
[CentOS] Security implications of openssl098e on CentOS 7
Remember that RHEL/CentOS backports fixes, so just looking at the version number is not a reliable way to detect security issues.

Eero
Nick Bright
2015-Oct-21  19:37 UTC
[CentOS] Security implications of openssl098e on CentOS 7
Indeed, though I can say that on CentOS 5 the configuration required to be PCI compliant is not valid in Apache, and httpd will not start.

--
Nick Bright
Peter
2015-Oct-22
[CentOS] Security implications of openssl098e on CentOS 7
openssl098e appears to be parallel-installable, that is, you can safely install both it and openssl on the same system and they should not clash. As others have stated, since it's supported by RedHat it will get backports of security fixes for some time to come, although it will likely not be PCI compliant because (I think, could be wrong here) it won't support TLS1.1 or 1.2.

You can install it, restart apache and then easily check whether it's affecting apache by using openssl s_client to attempt a TLS1.2 connection to your web server. If that works, run the tests at https://www.ssllabs.com/ssltest/index.html; that should tell you everything you need to know.

Peter
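The checks Peter describes (does httpd still use the system OpenSSL, does it still negotiate TLS 1.2) plus Eero's point that backported fixes do not change the version string, as an added example script that is not from this thread or from CentOS. It assumes mod_ssl lives at /usr/lib64/httpd/modules/mod_ssl.so, the web server listens on localhost:443, and the compat libraries carry "0.9.8" in their soname.

```shell
#!/bin/sh
# Added example, not from the thread: post-install checks for the situation above.
# After "yum install openssl098e" and an httpd restart, confirm that mod_ssl still
# links against the system OpenSSL and still negotiates TLS 1.2. Assumed paths:
# mod_ssl at /usr/lib64/httpd/modules/mod_ssl.so, web server on localhost:443.

# Returns 0 if the ldd output of a module mentions no 0.9.8 libssl/libcrypto.
# (Assumption: the openssl098e libraries carry "0.9.8" in their soname.)
links_only_system_ssl() {
    ! printf '%s\n' "$1" | grep -qE 'lib(ssl|crypto)\.so\.0\.9\.8'
}

# Returns 0 if an "openssl s_client -tls1_2" transcript shows a TLS 1.2 session.
negotiated_tls12() {
    printf '%s\n' "$1" | grep -qE '^ *Protocol *: *TLSv1\.2 *$'
}

# Counts distinct CVE ids in an rpm changelog: a backported fix shows up here
# even though the package version string stays 0.9.8e (Eero's point).
backported_cve_count() {
    printf '%s\n' "$1" | grep -oE 'CVE-[0-9]{4}-[0-9]+' | sort -u | wc -l | tr -d ' '
}

# Live checks; each one runs only when the tool or file is present on this host.
run_live_checks() {
    mod=/usr/lib64/httpd/modules/mod_ssl.so
    if [ -f "$mod" ] && command -v ldd >/dev/null 2>&1; then
        links_only_system_ssl "$(ldd "$mod")" \
            && echo "OK: mod_ssl uses the system OpenSSL, not openssl098e" \
            || echo "WARNING: mod_ssl references a 0.9.8 library"
    fi
    if command -v openssl >/dev/null 2>&1; then
        out=$(openssl s_client -connect localhost:443 -tls1_2 </dev/null 2>&1)
        negotiated_tls12 "$out" \
            && echo "OK: TLS 1.2 handshake with localhost:443" \
            || echo "WARNING: no TLS 1.2 handshake with localhost:443"
    fi
    if command -v rpm >/dev/null 2>&1 && rpm -q openssl098e >/dev/null 2>&1; then
        n=$(backported_cve_count "$(rpm -q --changelog openssl098e)")
        echo "openssl098e changelog references $n distinct CVEs"
    fi
}
```

Call run_live_checks on the CentOS 7 host after installing the package and restarting httpd; a WARNING on either of the first two checks means the compat package is affecting Apache and the ssllabs run is not worth doing yet.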