Welcome Guest. Please Login or Register  


You are here: Index > Webuzo > General Support > Topic : Obsolete OpenSSL OpenSSL/1.0.2t used by Webuzo. You need update it!

1


Threaded Mode | Print  

 Obsolete OpenSSL OpenSSL/1.0.2t used by Webuzo. You need update it!, Webuzo doesn't support most recent OpenSSL version. Seems a deprecated version is used. (15 Replies, Read 883 times)
peopleinside
Group: Member
Post Group: Super Member
Posts: 1326
Status:
OpenSSL 1.0.2 is out of support since 1st January 2020 and is no longer receiving updates.

https://www.openssl.org/news/vulnerabilities-1.0.2.html
We are on march and no OpenSSL update, no support of TLS 1.3The support of TLS 1.3 has been introduced on 2017?https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/
Still not supported in Webuzo.
Hope you can asap update OpenSSL.Security are important, i confide in that when I use your panel.
Thank you very much!


-----------------------
PeopleInside  :angel:
Passionate Webuzo User
IP: --   

Obsolete OpenSSL OpenSSL/1.0.2t used by Webuzo. You need update it!
kulonuwun
Group: Member
Post Group: Newbie
Posts: 10
Status:
webuzo must update it's application. The GRADE of  letsencrypt in Webuzo is now B (check on SSL LABS). So it is very important to upgrade ASAP to make it more secure.
IP: --   

Obsolete OpenSSL OpenSSL/1.0.2t used by Webuzo. You need update it!
peopleinside
Group: Member
Post Group: Super Member
Posts: 1326
Status:
Quote From : kulonuwun October 14, 2020, 7:35 am
webuzo must update it's application. The GRADE of  letsencrypt in Webuzo is now B (check on SSL LABS). So it is very important to upgrade ASAP to make it more secure.

Webuzo Team really "must" upgrade OpenSSL but you need Centos 8 to use the new OpenSSL so your operative system must be also updated.
Regarding the score B at the moment this is related to your Apache configuration, maybe default Webuzo Apache configuration because I still have A+
You can try to edit your Apache config changing the chippers suite and redoing the scan using clear cache link on top of SSL LABS.
For secure chippers you can get help here: https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.6


-----------------------
PeopleInside  :angel:
Passionate Webuzo User
IP: --   

Obsolete OpenSSL OpenSSL/1.0.2t used by Webuzo. You need update it!
kulonuwun
Group: Member
Post Group: Newbie
Posts: 10
Status:
Yes i already installed Centos 8 but still got Grade B.

So i want to edit apache configuration using webuzo by following your guidance here :
https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.6

But i don't know location of letsencrypt path for cert and private key in webuzo :

SSLCertificateFile      /path/to/signed_cert_and_intermediate_certs_and_dhparams
SSLCertificateKeyFile  /path/to/private_key

I already purchased webuzo license so i hope there is a solution for this.

Thanks
IP: --   

Obsolete OpenSSL OpenSSL/1.0.2t used by Webuzo. You need update it!
peopleinside
Group: Member
Post Group: Super Member
Posts: 1326
Status:
You need only change the chipersuite not the patch of the certificate.Can you share your domain here or the link with SSL LABS results so I can take a look where the issue can be?


-----------------------
PeopleInside  :angel:
Passionate Webuzo User
IP: --   

Obsolete OpenSSL OpenSSL/1.0.2t used by Webuzo. You need update it!
kulonuwun
Group: Member
Post Group: Newbie
Posts: 10
Status:
i already submit private ticket #615418 so you can see my domain there.

If possible teach me detail how to edit apache conf to make it Grade A.

I want all of my domain get A grade not just single domain. Should i configure apache for each domain ?

Thanks
IP: --   

Obsolete OpenSSL OpenSSL/1.0.2t used by Webuzo. You need update it!
peopleinside
Group: Member
Post Group: Super Member
Posts: 1326
Status:
Hi, the ticket will be review by the Webuzo team.I cannot grant when they will reply but maybe they will.
You need just try to change the Chipers on your Apache if the score is not good and should be a change valid for all domain so you don't need configure for each domain.
First of all backup your Apache config file as text than you can try to search for the line with SSLCipherSuite and replace the fiull line with
Code
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

than you can save and restart Apache and do a new SSL LAB scan.
You can also decide to wait for a reply to your ticket. I'm not part of Webuzo team, I'm just an user.


-----------------------
PeopleInside  :angel:
Passionate Webuzo User
IP: --   

Obsolete OpenSSL OpenSSL/1.0.2t used by Webuzo. You need update it!
kulonuwun
Group: Member
Post Group: Newbie
Posts: 10
Status:
Sorry i can't find SSLCipherSuite text in apache configuration. Check the attachment. Should i add it manuallly ?
IP: --   

Obsolete OpenSSL OpenSSL/1.0.2t used by Webuzo. You need update it!
peopleinside
Group: Member
Post Group: Super Member
Posts: 1326
Status:
Try to use the browser search function or copy the Apache text configuration, paste in notepad ++
Chipers suite is present for sure.


-----------------------
PeopleInside  :angel:
Passionate Webuzo User
IP: --   

Obsolete OpenSSL OpenSSL/1.0.2t used by Webuzo. You need update it!
kulonuwun
Group: Member
Post Group: Newbie
Posts: 10
Status:
Yes i knew how to search string.I just attached apache conf so you can check it.
This configuration is standard from webuzo, i don't change anaything
IP: --   

Obsolete OpenSSL OpenSSL/1.0.2t used by Webuzo. You need update it!
kulonuwun
Group: Member
Post Group: Newbie
Posts: 10
Status:
Yes i knew how to search string.I just attached apache conf so you can check it.  This configuration is standard from webuzo, i don't change anything
IP: --   

Obsolete OpenSSL OpenSSL/1.0.2t used by Webuzo. You need update it!
peopleinside
Group: Member
Post Group: Super Member
Posts: 1326
Status:
Sound strange no chippers suite.Maybe you are using the old Apache?
On the main home of Webuzo in the left search bar digit Apache, you will see two Apache listed.You should install Apache 2.4 that is the most updated, once installed you should make default or you should check the check box to use as default.
Try to see if in this case Chippers are presents, if not you can try to add the relative line always after do a backup of the configuration so you can resume in case of any issue.


-----------------------
PeopleInside  :angel:
Passionate Webuzo User
IP: --   

Obsolete OpenSSL OpenSSL/1.0.2t used by Webuzo. You need update it!
kulonuwun
Group: Member
Post Group: Newbie
Posts: 10
Status:
if you install webuzo from scratch, by default will use apache rather than apache2.
But then  i install apache2 and you can check apache2 default conf on attachment. Still didn't find SSLCipherSuite
I think SSL of letsencrypt is protected by webuzo so maybe it is not possible to modify it just by editing apache2 configuration.
IP: --   

Obsolete OpenSSL OpenSSL/1.0.2t used by Webuzo. You need update it!
peopleinside
Group: Member
Post Group: Super Member
Posts: 1326
Status:
Are you still get score B also with Apache 2.4?If yes and if Chipersuite line is missed you can add it after a backup than you can do a new scan after restart Apache.
I'm using Let's Encrypt on Webuzo, Apache 2.4 and I have A score.I have of curse Chiperssuite line but i customized my Apache to be secure.


-----------------------
PeopleInside  :angel:
Passionate Webuzo User
IP: --   

Obsolete OpenSSL OpenSSL/1.0.2t used by Webuzo. You need update it!
kulonuwun
Group: Member
Post Group: Newbie
Posts: 10
Status:
IT WORKS. Now I get A Grade at SSL Labs

So i just add below line at the end of apache2 configuration then restart server.

SSLCipherSuite         
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
Anyway, thanks for your help. I really appreciate it.
IP: --   

« Previous    Next »

Threaded Mode | Print  

1


Jump To :


Users viewing this topic
1 guests, 0 users.


All times are GMT. The time now is October 20, 2020, 11:25 am.

  Powered By AEF 1.0.8 © 2007-2008 Electron Inc.Queries: 11  |  Page Created In:0.521