OpenSSL?

I received a notice from our PCI Compliance scan that the scan is failing due to OpenSSL version 1.1.1.

I know my main server doesn’t even have this version installed so I assume this is bundled with Lucee.

If my assumption is correct, will there be an update soon that includes OpenSSL 1.1.1a?

Thanks!

Jeff

SSL would be handled by your web server. If you have Apache in front, that's where it is. If not, you probably configured SSL in Tomcat, which uses APR or Java depending on how you configured it.

Regardless, upgrading Apache or Tomcat is your solution.

Thanks Joe.

You are correct. After some more digging, Apache is using mod_ssl and I have all the recent updates, so I guess I’ll wait for them to fix it or dig into configuring it myself.

I appreciate you pointing me in the right direction.

Will need libssl1.1.1 first! Download it from…

https://packages.debian.org/sid/amd64/libssl1.1/download

upload to /tmp

cd /tmp

dpkg -i ./libssl1.1_1.1.1b-1_amd64.deb

Also need openssl_1.1.1. Download it from…

https://packages.debian.org/sid/amd64/openssl/download

upload to /tmp

cd /tmp

dpkg -i ./openssl_1.1.1b-1_amd64.deb

Those two will give you 1.1.1b of OPENSSL and LIBSSL

You might also want to update tcnative. This will give you the standard version 1.1.16…

systemctl stop tomcat

apt install libtcnative-1

To make tomcat stop giving you warnings, install libtcnative as above, then upgrade to 1.1.21 as shown below…

https://packages.debian.org/sid/amd64/libtcnative-1/download
		
upload to /tmp

cd /tmp

dpkg -i ./libtcnative-1_1.2.21-1_amd64.deb

I have found some distributions keep the same version numbers and just add in patches to fix security problems. You just have to submit proof of the patch.

That’s exactly what I found out as well, kabutotx. I submitted an explanation and proof and an exception was granted.
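
As an added example (not part of any post in this thread): one way to gather the proof described in the last two posts, by listing which package revisions in a Debian-format changelog mention which CVE ids. It assumes the scan report names CVE ids; the package name, versions and CVE ids in the sample are constructed placeholders, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: map CVE ids to the package revisions whose changelog
# entries mention them, as evidence for a scanner exception request.

# Read a Debian changelog on stdin; print "package version CVE-id",
# once per CVE per changelog entry.
cve_fixes_by_version() {
    awk '
        # Entry header: "package (version) distribution; urgency=..."
        /^[a-z0-9][a-z0-9+.-]* \(/ {
            pkg = $1; ver = $2
            gsub(/[()]/, "", ver)
            next
        }
        {
            line = $0
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
                id = substr(line, RSTART, RLENGTH)
                if (!((ver, id) in seen)) { seen[ver, id] = 1; print pkg, ver, id }
                line = substr(line, RSTART + RLENGTH)
            }
        }'
}

# Print the entries that mention one CVE; exit status 1 if none do.
evidence_for() {
    cve_fixes_by_version |
        awk -v id="$1" '$3 == id { print; n++ } END { exit (n ? 0 : 1) }'
}

# Constructed sample: package name, versions and CVE ids are placeholders.
sample_changelog() {
    cat <<'EOF'
examplepkg (1.0.0-1+deb0u2) stable-security; urgency=high

  * Backport upstream fix for CVE-0000-00002.
  * Follow-up for CVE-0000-00002 regression.

 -- Constructed Maintainer <maint@example.invalid>  Mon, 01 Jan 2001 00:00:00 +0000

examplepkg (1.0.0-1+deb0u1) stable-security; urgency=medium

  * CVE-0000-00001: bounds check added (backported patch).

 -- Constructed Maintainer <maint@example.invalid>  Mon, 01 Jan 2001 00:00:00 +0000
EOF
}

# Real host: dpkg-query -W -f='${Package} ${Version}\n' openssl
#   zcat /usr/share/doc/openssl/changelog.Debian.gz | evidence_for CVE-XXXX-XXXXX
sample_changelog | cve_fixes_by_version
```

The changelog under /usr/share/doc is shipped inside the installed package, so an entry found there describes the build that is actually on the host.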