Greetings,
I'm working with a new CentOS 7 installation, moving a system up from CentOS 5 due to OpenSSL version 0.9.8e not meeting PCI Compliance requirements.
However, while setting up the CentOS 7 environment one of the closed source applications is requiring 0.9.8. The software vendor has advised installing package openssl098e from yum; but I'm hesitant to do so from a compliance and security perspective.
What are the implications of this compatibility package? What does it provide/do?
Thank you,
Personally I would go round to that particular vendors office with a pipe wrench and encourage them to do better however, unless this software is transmitting credit card information then it seems that you could be safe(ish) from the regulation standpoint. It really depends on the location of the machine. Is it deep in the bowels of your high security nuclear bunker on an air gap network or is is merrily accepting incoming traffic from China? Is the software is using an appropriate SELinux policy or is it running unconfined or with SELinux turned off?
It seems the PCI-DSS describe a set of simple rules to get IT managers thinking but they are somewhat open to interpretation. Are you abiding to the spirit of the regulations?
On 21 October 2015 at 13:18, Nick Bright nick.bright@valnet.net wrote:
Greetings,
I'm working with a new CentOS 7 installation, moving a system up from CentOS 5 due to OpenSSL version 0.9.8e not meeting PCI Compliance requirements.
However, while setting up the CentOS 7 environment one of the closed source applications is requiring 0.9.8. The software vendor has advised installing package openssl098e from yum; but I'm hesitant to do so from a compliance and security perspective.
What are the implications of this compatibility package? What does it provide/do?
Thank you,
--
- Nick Bright -
- Vice President of Technology -
- Valnet -=- We Connect You -=- -
- Tel 888-332-1616 x 315 / Fax 620-331-0789 -
- Web http://www.valnet.net/ -
- Are your files safe? -
- Valnet Vault - Secure Cloud Backup -
- More information & 30 day free trial at -
- http://www.valnet.net/services/valnet-vault -
This email message and any attachments are intended solely for the use of the addressees hereof. This message and any attachments may contain information that is confidential, privileged and exempt from disclosure under applicable law. If you are not the intended recipient of this message, you are prohibited from reading, disclosing, reproducing, distributing, disseminating or otherwise using this transmission. If you have received this message in error, please promptly notify the sender by reply E-mail and immediately delete this message from your system.
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
On 10/21/2015 1:55 PM, Andrew Holway wrote:
Personally I would go round to that particular vendors office with a pipe wrench and encourage them to do better however, unless this software is transmitting credit card information then it seems that you could be safe(ish) from the regulation standpoint. It really depends on the location of the machine. Is it deep in the bowels of your high security nuclear bunker on an air gap network or is is merrily accepting incoming traffic from China? Is the software is using an appropriate SELinux policy or is it running unconfined or with SELinux turned off?
It seems the PCI-DSS describe a set of simple rules to get IT managers thinking but they are somewhat open to interpretation. Are you abiding to the spirit of the regulations?
The particular software requiring 0.9.8 is performing backups of the system to a remote data center.
My concern is that, with the compatibility package installed, could this present vulnerabilities or compliance problems in Apache?
I would guess the only way to ascertain that is with some rigorous testing. Personally I find an alternative backup method.
On 21 October 2015 at 13:58, Nick Bright nick.bright@valnet.net wrote:
On 10/21/2015 1:55 PM, Andrew Holway wrote:
Personally I would go round to that particular vendors office with a pipe wrench and encourage them to do better however, unless this software is transmitting credit card information then it seems that you could be safe(ish) from the regulation standpoint. It really depends on the location of the machine. Is it deep in the bowels of your high security nuclear bunker on an air gap network or is is merrily accepting incoming traffic from China? Is the software is using an appropriate SELinux policy or is it running unconfined or with SELinux turned off?
It seems the PCI-DSS describe a set of simple rules to get IT managers thinking but they are somewhat open to interpretation. Are you abiding to the spirit of the regulations?
The particular software requiring 0.9.8 is performing backups of the system to a remote data center.
My concern is that, with the compatibility package installed, could this present vulnerabilities or compliance problems in Apache?
--
- Nick Bright -
- Vice President of Technology -
- Valnet -=- We Connect You -=- -
- Tel 888-332-1616 x 315 / Fax 620-331-0789 -
- Web http://www.valnet.net/ -
- Are your files safe? -
- Valnet Vault - Secure Cloud Backup -
- More information & 30 day free trial at -
- http://www.valnet.net/services/valnet-vault -
This email message and any attachments are intended solely for the use of the addressees hereof. This message and any attachments may contain information that is confidential, privileged and exempt from disclosure under applicable law. If you are not the intended recipient of this message, you are prohibited from reading, disclosing, reproducing, distributing, disseminating or otherwise using this transmission. If you have received this message in error, please promptly notify the sender by reply E-mail and immediately delete this message from your system.
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Nick Bright wrote:
On 10/21/2015 1:55 PM, Andrew Holway wrote:
Personally I would go round to that particular vendors office with a pipe wrench and encourage them to do better however, unless this
<snip>
It seems the PCI-DSS describe a set of simple rules to get IT managers thinking but they are somewhat open to interpretation. Are you abiding to the spirit of the regulations?
The particular software requiring 0.9.8 is performing backups of the system to a remote data center.
My concern is that, with the compatibility package installed, could this present vulnerabilities or compliance problems in Apache?
Question: is the b/u software pulling, or pushing? If the latter, I think you could run it for the one IP that they back up to, and not as a daemon, and outbound only.
And then I'd tell them that the backup site was insecure, and not meeting requirements, and that you'd stand 5cm in front of your manager's desk, and tell him that y'all needed to look for a new vendor, one that wasn't helping crackers get into your backup data.
mark
On Wed, 21 Oct 2015 20:58, Nick Bright <nick.bright@...> wrote:
On 10/21/2015 1:55 PM, Andrew Holway wrote:
Personally I would go round to that particular vendors office with a pipe wrench and encourage them to do better however, unless this software is transmitting credit card information then it seems that you could be safe(ish) from the regulation standpoint. It really depends on the location of the machine. Is it deep in the bowels of your high security nuclear bunker on an air gap network or is is merrily accepting incoming traffic from China? Is the software is using an appropriate SELinux policy or is it running unconfined or with SELinux turned off?
It seems the PCI-DSS describe a set of simple rules to get IT managers thinking but they are somewhat open to interpretation. Are you abiding to the spirit of the regulations?
The particular software requiring 0.9.8 is performing backups of the system to a remote data center.
My concern is that, with the compatibility package installed, could this present vulnerabilities or compliance problems in Apache?
TL;DR: Preload openssl from non-standard location for closed-source app only.
Hmm, how about taking the content of the openssl098e package, put it into a directory relative to the closed source software (e.g. /opt), and create a wrapper script, similar to the following example:
[code] #!/usr/bin/bash # This is a wrapper for app to use openssl 0.9.8 (unsafe) # app is in /opt/app/ # app starter is /opt/app/bin/starter # ssl098e libs are in /opt/openssl098/
export LD_LIBRARY_PATH=/opt/openssl098/ exec /opt/app/bin/starter ${1+"$@"} # ${1+"$@"} expands only if at least $1 is present [/code]
YMMV
- Yamaban.
On 10/21/2015 12:20 PM, Yamaban wrote:
TL;DR: Preload openssl from non-standard location for closed-source app only.
Hmm, how about taking the content of the openssl098e package, put it into a directory relative to the closed source software (e.g. /opt),
Totally unnecessary. The openssl098e libraries do not conflict with the libraries in openssl-libs. They will not be used by anything except binaries that were linked against openssl 0.9.8e at compile time.
Remember that rhel/centos backports fixes, so just looking version number is not reliable way to detect security issues.
Eero
2015-10-21 21:18 GMT+03:00 Nick Bright nick.bright@valnet.net:
Greetings,
I'm working with a new CentOS 7 installation, moving a system up from CentOS 5 due to OpenSSL version 0.9.8e not meeting PCI Compliance requirements.
However, while setting up the CentOS 7 environment one of the closed source applications is requiring 0.9.8. The software vendor has advised installing package openssl098e from yum; but I'm hesitant to do so from a compliance and security perspective.
What are the implications of this compatibility package? What does it provide/do?
Thank you,
--
- Nick Bright -
- Vice President of Technology -
- Valnet -=- We Connect You -=- -
- Tel 888-332-1616 x 315 / Fax 620-331-0789 -
- Web http://www.valnet.net/ -
- Are your files safe? -
- Valnet Vault - Secure Cloud Backup -
- More information & 30 day free trial at -
- http://www.valnet.net/services/valnet-vault -
This email message and any attachments are intended solely for the use of the addressees hereof. This message and any attachments may contain information that is confidential, privileged and exempt from disclosure under applicable law. If you are not the intended recipient of this message, you are prohibited from reading, disclosing, reproducing, distributing, disseminating or otherwise using this transmission. If you have received this message in error, please promptly notify the sender by reply E-mail and immediately delete this message from your system.
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
On 10/21/2015 2:34 PM, Eero Volotinen wrote:
Remember that rhel/centos backports fixes, so just looking version number is not reliable way to detect security issues.
Eero
Indeed, though I can say on CentOS 5 the required configuration to be PCI compliand is not valid in apache, and httpd will not start.
Ok, I just forget that latest PCI DSS standard requires TLSv1.2 that is not supported under CentOS/RHEL 5.
So, you are using https to transfer credit card data?
-- Eero
2015-10-21 22:37 GMT+03:00 Nick Bright nick.bright@valnet.net:
On 10/21/2015 2:34 PM, Eero Volotinen wrote:
Remember that rhel/centos backports fixes, so just looking version number is not reliable way to detect security issues.
Eero
Indeed, though I can say on CentOS 5 the required configuration to be PCI compliand is not valid in apache, and httpd will not start.
--
- Nick Bright -
- Vice President of Technology -
- Valnet -=- We Connect You -=- -
- Tel 888-332-1616 x 315 / Fax 620-331-0789 -
- Web http://www.valnet.net/ -
- Are your files safe? -
- Valnet Vault - Secure Cloud Backup -
- More information & 30 day free trial at -
- http://www.valnet.net/services/valnet-vault -
This email message and any attachments are intended solely for the use of the addressees hereof. This message and any attachments may contain information that is confidential, privileged and exempt from disclosure under applicable law. If you are not the intended recipient of this message, you are prohibited from reading, disclosing, reproducing, distributing, disseminating or otherwise using this transmission. If you have received this message in error, please promptly notify the sender by reply E-mail and immediately delete this message from your system.
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
On 10/22/2015 07:18 AM, Nick Bright wrote:
Greetings,
I'm working with a new CentOS 7 installation, moving a system up from CentOS 5 due to OpenSSL version 0.9.8e not meeting PCI Compliance requirements.
However, while setting up the CentOS 7 environment one of the closed source applications is requiring 0.9.8. The software vendor has advised installing package openssl098e from yum; but I'm hesitant to do so from a compliance and security perspective.
What are the implications of this compatibility package? What does it provide/do?
openssl098e appears to be parallel-installable, that is you can safely install both it and openssl on the same system and they should not clash. As others have stated since it's supported by RedHat it will get backports of security fixes for some time to come, although it will likely not be PCI compliant because (I think, could be wrong here) it won't support TLS1.1 or 1.2.
You can install it, restart apache and then easily check to see if it's affecting apache by using openssl s_client to attempt a TLS1.2 connection to your web server, then if that works run the tests at https://www.ssllabs.com/ssltest/index.html, that should tell you everything you need to know.
Peter
-
Andrew Holway -
Eero Volotinen -
Gordon Messmer -
Leonard den Ottolander -
m.roth@5-cent.us -
Nick Bright -
Peter -
Yamaban