[CentOS] Security implications of openssl098e on CentOS 7

Wed Oct 21 20:12:20 UTC 2015
Peter <peter at pajamian.dhs.org>

On 10/22/2015 07:18 AM, Nick Bright wrote:
> Greetings,
> 
> I'm working with a new CentOS 7 installation, moving a system up from
> CentOS 5 due to OpenSSL version 0.9.8e not meeting PCI Compliance
> requirements.
> 
> However, while setting up the CentOS 7 environment one of the closed
> source applications is requiring 0.9.8. The software vendor has advised
> installing package openssl098e from yum; but I'm hesitant to do so from
> a compliance and security perspective.
> 
> What are the implications of this compatibility package? What does it
> provide/do?

openssl098e appears to be parallel-installable, that is you can safely
install both it and openssl on the same system and they should not
clash.  As others have stated since it's supported by RedHat it will get
backports of security fixes for some time to come, although it will
likely not be PCI compliant because (I think, could be wrong here) it
won't support TLS1.1 or 1.2.

You can install it, restart apache and then easily check to see if it's
affecting apache by using openssl s_client to attempt a TLS1.2
connection to your web server, then if that works run the tests at
https://www.ssllabs.com/ssltest/index.html, that should tell you
everything you need to know.


Peter
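An added example, not from this thread, of the check Peter describes: a POSIX shell script that forces a TLS 1.2-only `openssl s_client` handshake and then shows which libssl the running httpd actually has loaded, so you can tell whether the compat package is merely on disk or inside Apache's process. It assumes the CentOS 7 defaults (process name `httpd`, mod_ssl at `/usr/lib64/httpd/modules/mod_ssl.so`).

```shell
#!/bin/sh
# Added example, not part of the original thread: the check Peter
# suggests, plus a look at which libssl the running httpd actually
# loaded. Assumes the CentOS 7 defaults: process name "httpd" and
# mod_ssl at /usr/lib64/httpd/modules/mod_ssl.so.

# Parse `openssl s_client` output on stdin. Prints "<protocol> <cipher>"
# for a completed handshake, or "none" when no cipher was negotiated
# (s_client reports "Cipher : 0000" after a failed handshake).
parse_s_client() {
    awk '
        /^[ \t]*Protocol[ \t]*:/ { proto = $3 }
        /^[ \t]*Cipher[ \t]*:/   { cipher = $3 }
        END {
            if (cipher == "" || cipher == "0000") print "none"
            else print proto, cipher
        }'
}

# Force a TLS 1.2-only handshake with the web server; a library that
# capped the server at TLS 1.0 would make this print "none".
# Usage: check_tls12 host [port]
check_tls12() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 \
        </dev/null 2>/dev/null | parse_s_client
}

# Show which libssl/libcrypto mod_ssl links against and which ones the
# running httpd master process has mapped. A "0.9.8" in this output
# would mean openssl098e is inside Apache's process, not just on disk.
httpd_ssl_libs() {
    ldd /usr/lib64/httpd/modules/mod_ssl.so 2>/dev/null |
        grep -E 'lib(ssl|crypto)'
    pid=$(pgrep -o -x httpd) || { echo "httpd not running"; return 1; }
    grep -oE '/[^ ]*lib(ssl|crypto)[^ ]*\.so[^ ]*' "/proc/$pid/maps" | sort -u
}

# Run directly as: sh tls_check.sh www.example.com [443]
if [ "$#" -ge 1 ]; then
    echo "TLS 1.2 handshake: $(check_tls12 "$@")"
    httpd_ssl_libs
fi
```

A server that passes `check_tls12` but still shows a 0.9.8 library in `httpd_ssl_libs` is worth a second look at the SSL Labs test Peter links, since the loaded library decides the protocol and cipher set, not the package list.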