Open SSL?

I received a notice from our PCI Compliance scan that the scan is failing due to Open SSL version 1.1.1

I know my main server doesn’t even have this version installed so I assume this is bundled with Lucee.

If my assumption is correct, will there be an update soon that includes OpenSSL 1.1.1a?



SSL would be handled by your webserver. If you have apache in front, thats where it is. If not, you probably configured ssl in tomcat, which uses apr or java depending on how you configured it.

Regardless, upgrading apache or tomcat is your solution.

1 Like

Thanks Joe.

You are correct. After some more digging Apache is using mod_ssl and I have all the recent updates so I guess I’ll wait for them to fix it or dig into configuring it myself.

I appreciate you pointing me in the right direction.

Will need libssl1.1.1 first! Download it from…

upload to /tmp

cd /tmp

dpkg -i ./libssl1.1_1.1.1b-1_amd64.deb

Also need openssl_1.1.1. Download it from…

upload to /tmp

cd /tmp

dpkg -i ./openssl_1.1.1b-1_amd64.deb

Those two will give you 1.1.1b of OPENSSL and LIBSSL

You might also want to update tcnative. This will give you the standard version 1.1.16…

systemctl stop tomcat

apt install libtcnative-1

To make tomcat stop giving you warnings, install libtcnative as above, then upgrade to 1.1.21 as shown below…
upload to /tmp

cd /tmp

dpkg -i ./libtcnative-1_1.2.21-1_amd64.deb

I have found some distributions keep the same version numbers and just add in patches to fix security problems. You just have to submit proof of the patch.

That’s exactly what I found out as well, kabutotx. I submitted an explanation and proof and an exception was granted.