
OpenSSL Upgrades in the works for Webhosting and email?

Posted: Wed Apr 09, 2014 5:45 pm
by sbrook
I gather that OpenSSL has been patched to 1.*.* to avoid the Heartbleed vulnerability.

Do you have plans to upgrade it on your Webhosting and Mail servers soon?

Thanks.

Re: OpenSSL Upgrades in the works for Webhosting and email?

Posted: Wed Apr 09, 2014 6:18 pm
by porcupine
sbrook wrote: I gather that OpenSSL has been patched to 1.*.* to avoid the Heartbleed vulnerability.

Do you have plans to upgrade it on your Webhosting and Mail servers soon?

Thanks.

The reseller servers run cPanel/WHM, which means each unique server (www2 through www7) provides both http and mail services (along with ftp, mysql, dns, etc.).

None of these servers were impacted by the Heartbleed vulnerability to start with, as they're running the previous versions of OpenSSL (as they're CentOS 5.x based, and that vulnerability was specific to 6.5). All servers have been checked (just in case), found not to be vulnerable, and it shouldn't present an issue.

Re: OpenSSL Upgrades in the works for Webhosting and email?

Posted: Wed Apr 09, 2014 6:37 pm
by sbrook
Sounds good to me. So, it was an OpenSSL upgrade that went wrong ... fair enough :-)

Even though they're no longer using SSL, because they can't make the security requirements of their credit card processor in other ways, they wanted the reassurance in case they want me to implement encryption for other form data. (We're talking through that now)

Re: OpenSSL Upgrades in the works for Webhosting and email?

Posted: Wed Apr 09, 2014 10:11 pm
by porcupine
sbrook wrote: Sounds good to me. So, it was an OpenSSL upgrade that went wrong ... fair enough :-)

Even though they're no longer using SSL, because they can't make the security requirements of their credit card processor in other ways, they wanted the reassurance in case they want me to implement encryption for other form data. (We're talking through that now)

Actually, that's a big part of the scare/hype out there. The vulnerable version of OpenSSL has been vulnerable (in theory) for roughly 2 years; it's nothing new, just something that was newly discovered.