On Wed, 21 Oct 2015 20:58, Nick Bright <nick.bright at ...> wrote:
> On 10/21/2015 1:55 PM, Andrew Holway wrote:
>> Personally I would go round to that particular vendor's office with a pipe
>> wrench and encourage them to do better; however, unless this software is
>> transmitting credit card information then it seems that you could be
>> safe(ish) from the regulation standpoint. It really depends on the location
>> of the machine. Is it deep in the bowels of your high security nuclear
>> bunker on an air gap network or is it merrily accepting incoming traffic
>> from China? Is the software using an appropriate SELinux policy or is it
>> running unconfined or with SELinux turned off?
>>
>> It seems the PCI-DSS describe a set of simple rules to get IT managers
>> thinking but they are somewhat open to interpretation. Are you abiding by
>> the spirit of the regulations?
> The particular software requiring 0.9.8 is performing backups of the system to
> a remote data center.
>
> My concern is that, with the compatibility package installed, could this
> present vulnerabilities or compliance problems in Apache?

TL;DR: Preload openssl from a non-standard location for the closed-source app only.

Hmm, how about taking the content of the openssl098e package, putting it into a
directory relative to the closed source software (e.g. /opt), and creating a
wrapper script, similar to the following example:

[code]
#!/usr/bin/bash
# This is a wrapper for app to use openssl 0.9.8 (unsafe)
# app is in /opt/app/
# app starter is /opt/app/bin/starter
# ssl098e libs are in /opt/openssl098/
export LD_LIBRARY_PATH=/opt/openssl098/
# ${1+"$@"} expands only if at least $1 is present
exec /opt/app/bin/starter ${1+"$@"}
[/code]

YMMV - Yamaban.
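As an added check (not part of the thread, and not Yamaban's script), the following confirms which libssl/libcrypto a binary resolves with and without the wrapper's LD_LIBRARY_PATH, so you can verify that the 0.9.8 libraries are picked up only by the wrapped app and that httpd keeps the system OpenSSL. It assumes the same /opt/openssl098/ path as the wrapper; the ldd output it parses here is constructed.

```shell
#!/bin/bash
# Added example (not from the thread): show which libssl/libcrypto a binary
# resolves with and without the wrapper's LD_LIBRARY_PATH, so the 0.9.8 libs
# stay confined to the closed-source app. Assumed path: /opt/openssl098/.
COMPAT_DIR=/opt/openssl098

# Read ldd-style output on stdin; print "<lib> <dir>" for each libssl/libcrypto
# line, or "<lib> MISSING" when the loader cannot find it.
ssl_lib_dirs() {
    while read -r lib arrow path rest; do
        case "$lib" in
            libssl.so*|libcrypto.so*)
                if [ "$arrow" = "=>" ] && [ "${path#/}" != "$path" ]; then
                    printf '%s %s\n' "$lib" "${path%/*}"
                else
                    printf '%s MISSING\n' "$lib"
                fi ;;
        esac
    done
}

# Succeed only if the ldd output in $1 contains at least one libssl/libcrypto
# and every one of them resolves inside the directory $2.
check_ssl_dir() {
    local found=0 bad=0 lib dir
    while read -r lib dir; do
        [ -n "$lib" ] || continue
        found=$((found + 1))
        if [ "$dir" != "$2" ]; then
            bad=$((bad + 1))
            printf 'unexpected: %s resolved from %s\n' "$lib" "$dir" >&2
        fi
    done <<EOF
$(printf '%s\n' "$1" | ssl_lib_dirs)
EOF
    [ "$found" -gt 0 ] && [ "$bad" -eq 0 ]
}
# Live checks for a real host (not run here). The wrapper's environment is
# inherited by whatever the starter spawns; the loader ignores LD_LIBRARY_PATH
# for setuid binaries; keep /opt/openssl098 root-owned and not app-writable.
wrapped_ssl() { LD_LIBRARY_PATH=$COMPAT_DIR ldd "$1" | ssl_lib_dirs; }
system_ssl()  { env -u LD_LIBRARY_PATH ldd "$1" | ssl_lib_dirs; }
# Constructed ldd output, as the wrapped app and the system httpd would show.
APP_LDD='    libssl.so.6 => /opt/openssl098/libssl.so.6 (0x00007f1a2c000000)
    libcrypto.so.6 => /opt/openssl098/libcrypto.so.6 (0x00007f1a2bc00000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f1a2b800000)'
HTTPD_LDD='    libssl.so.10 => /lib64/libssl.so.10 (0x00007f5e3a000000)
    libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f5e39c00000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f5e39800000)'
```

On a real host, compare `wrapped_ssl /opt/app/bin/starter` against `system_ssl /usr/sbin/httpd`: only the first should list /opt/openssl098.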