
 Obsolete OpenSSL OpenSSL/1.0.2t used by Webuzo. You need update it!, Webuzo doesn't support most recent OpenSSL version. Seems a deprecated version is used. (15 Replies, Read 136594 times)
peopleinside
Group: Member
Post Group: Super Member
Posts: 1394
Status:

Open source, web and security passionate
OpenSSL 1.0.2 has been out of support since 1st January 2020 and is no longer receiving updates.

https://www.openssl.org/news/vulnerabilities-1.0.2.html
We are in March and there is no OpenSSL update and no support for TLS 1.3.
Support for TLS 1.3 was introduced in 2017? https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/
It is still not supported in Webuzo.
I hope you can update OpenSSL ASAP. Security is important; I trust in that when I use your panel.
Thank you very much!


-----------------------
PeopleInside  :angel:

Web, security, open source passionate.

kulonuwun
Group: Member
Post Group: Newbie
Posts: 10
Status:
Webuzo must update its application. The grade of Let's Encrypt in Webuzo is now B (check on SSL Labs). So it is very important to upgrade ASAP to make it more secure.

peopleinside
Group: Member
Post Group: Super Member
Posts: 1394
Status:

Open source, web and security passionate
Quote From : kulonuwun October 14, 2020, 7:35 am
Webuzo must update its application. The grade of Let's Encrypt in Webuzo is now B (check on SSL Labs). So it is very important to upgrade ASAP to make it more secure.

The Webuzo team really "must" upgrade OpenSSL, but you need CentOS 8 to use the new OpenSSL, so your operating system must also be updated.
Regarding the score B: at the moment this is related to your Apache configuration, maybe the default Webuzo Apache configuration, because I still have A+.
You can try to edit your Apache config, changing the cipher suite and redoing the scan using the clear cache link at the top of SSL Labs.
For secure ciphers you can get help here: https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.6


kulonuwun
Group: Member
Post Group: Newbie
Posts: 10
Status:
Yes, I already installed CentOS 8 but still got grade B.

So I want to edit the Apache configuration using Webuzo by following your guidance here:
https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.6

But I don't know the location of the Let's Encrypt paths for the cert and private key in Webuzo:

SSLCertificateFile      /path/to/signed_cert_and_intermediate_certs_and_dhparams
SSLCertificateKeyFile  /path/to/private_key

I already purchased a Webuzo license, so I hope there is a solution for this.

Thanks

peopleinside
Group: Member
Post Group: Super Member
Posts: 1394
Status:

Open source, web and security passionate
You only need to change the cipher suite, not the path of the certificate.
Can you share your domain here, or the link to the SSL Labs results, so I can take a look at where the issue might be?


kulonuwun
Group: Member
Post Group: Newbie
Posts: 10
Status:
I already submitted private ticket #615418, so you can see my domain there.

If possible, teach me in detail how to edit the Apache conf to make it grade A.

I want all of my domains to get an A grade, not just a single domain. Should I configure Apache for each domain?

Thanks

peopleinside
Group: Member
Post Group: Super Member
Posts: 1394
Status:

Open source, web and security passionate
Hi, the ticket will be reviewed by the Webuzo team. I cannot guarantee when they will reply, but maybe they will.
You just need to try changing the ciphers on your Apache if the score is not good; it should be a change valid for all domains, so you don't need to configure each domain.
First of all, back up your Apache config file as text; then you can search for the line with SSLCipherSuite and replace the full line with
Code
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

Then you can save, restart Apache and do a new SSL Labs scan.
You can also decide to wait for a reply to your ticket. I'm not part of the Webuzo team, I'm just a user.


kulonuwun
Group: Member
Post Group: Newbie
Posts: 10
Status:
Sorry, I can't find the SSLCipherSuite text in the Apache configuration. Check the attachment. Should I add it manually?

peopleinside
Group: Member
Post Group: Super Member
Posts: 1394
Status:

Open source, web and security passionate
Try using the browser search function, or copy the Apache configuration text and paste it into Notepad++.
The cipher suite is present for sure.


kulonuwun
Group: Member
Post Group: Newbie
Posts: 10
Status:
Yes, I know how to search for a string. I just attached the Apache conf so you can check it.
This configuration is the standard one from Webuzo; I didn't change anything.

peopleinside
Group: Member
Post Group: Super Member
Posts: 1394
Status:

Open source, web and security passionate
It sounds strange that there is no cipher suite. Maybe you are using the old Apache?
On the main home page of Webuzo, type Apache in the left search bar and you will see two Apache versions listed. You should install Apache 2.4, which is the most up to date; once it is installed you should make it the default, or check the check box to use it as default.
Try to see whether the ciphers are present in this case; if not, you can try to add the relevant line, always after making a backup of the configuration so you can restore it in case of any issue.


kulonuwun
Group: Member
Post Group: Newbie
Posts: 10
Status:
If you install Webuzo from scratch, by default it will use apache rather than apache2.
But then I installed apache2, and you can check the apache2 default conf in the attachment. I still didn't find SSLCipherSuite.
I think the SSL of Let's Encrypt is protected by Webuzo, so maybe it is not possible to modify it just by editing the apache2 configuration.

peopleinside
Group: Member
Post Group: Super Member
Posts: 1394
Status:

Open source, web and security passionate
Are you still getting score B with Apache 2.4 as well? If yes, and if the cipher suite line is missing, you can add it after a backup; then you can do a new scan after restarting Apache.
I'm using Let's Encrypt on Webuzo with Apache 2.4 and I have an A score. I have, of course, the cipher suite line, but I customized my Apache to be secure.


kulonuwun
Group: Member
Post Group: Newbie
Posts: 10
Status:
IT WORKS. Now I get an A grade at SSL Labs.

So I just added the line below at the end of the apache2 configuration, then restarted the server.

SSLCipherSuite         ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
Anyway, thanks for your help. I really appreciate it.
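
A way to check a config for the situation in this thread, as an added example that is not from any participant or from Webuzo: a shell function that reports whether SSLCipherSuite is set at all and whether each listed suite is an explicit forward-secret AEAD suite. The sample configs are constructed, and the OK/REVIEW rule is this example's own assumption, not SSL Labs' grading.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit Apache config text on stdin.
# Prints one line per cipher token:
#   OK <name>      ECDHE/DHE key exchange with GCM or CHACHA20-POLY1305, or a TLS 1.3 suite
#   REVIEW <name>  anything else (static RSA, CBC, or OpenSSL aliases such as HIGH)
# "MISSING SSLCipherSuite" means no directive is set, as in the stock config
# described in the thread; "EMPTY SSLCipherSuite" means the directive has no
# cipher list on its own line.
audit_cipher_suite() {
  awk '
    $1 ~ /^#/ { next }                      # skip comment lines
    tolower($1) == "sslciphersuite" {       # directive names are case-insensitive
      found = 1
      if (NF < 2) { print "EMPTY SSLCipherSuite"; next }
      list = $NF                            # an optional protocol argument may precede the list
      gsub(/"/, "", list)                   # tolerate a quoted cipher list
      n = split(list, c, ":")
      for (i = 1; i <= n; i++) {
        if (c[i] == "" || c[i] ~ /^!/) continue   # empty token or "!" exclusion
        fs   = (c[i] ~ /^(ECDHE|DHE)-/)
        aead = (c[i] ~ /(GCM|CHACHA20-POLY1305)/)
        v = ((fs && aead) || c[i] ~ /^TLS_/) ? "OK" : "REVIEW"
        print v, c[i]
      }
    }
    END { if (!found) print "MISSING SSLCipherSuite" }
  '
}

# Constructed sample configs (not taken from any real server).
STOCK_CONF='Listen 443
SSLEngine on
# SSLCipherSuite HIGH
SSLCertificateFile /path/to/cert'

FIXED_CONF='SSLEngine on
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'

LEGACY_CONF='SSLCipherSuite HIGH:MEDIUM:!aNULL:AES128-SHA'

for conf in "$STOCK_CONF" "$FIXED_CONF" "$LEGACY_CONF"; do
  printf '%s\n' "$conf" | audit_cipher_suite
  echo "--"
done
```

To audit a real server, feed the function the exported config file on stdin; a directive inside a virtual host block is reported the same way as a global one.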