We are in the process of upgrading from Unidata 8.2.4 to 8.3.2. While the OpenSSL bundled with Unidata has upgraded from v1 to v3 as part of this upgrade, the OpenSSL 3 is still showing vulnerabilities as part of our vulnerability scanning
Our security team are asking if its possible for Unidata to use the version of OpenSSL thats installed as part of the Red Hat Linux and kept up to date via patching.
Is this possible? Is it a god/bad idea? Is there a clear process for doing this?
+1This is covered in the Security features guide, though I recommend contacting Rocket Support with specific reported vulnerabilities as some are theoretical only and not applicable to a UniData security environment. (This sort of query has coime up previously...) :
Chapter 9: Upgrading OpenSSL to a minor version
You can upgrade OpenSSL to a minor version for use with UniData.
Upgrading a minor version means that the upgraded version of the API is compatible with the release
version of the API. For example: upgrading from OpenSSL 1.1.1n to OpenSSL 1.1.1o, 1.1.1p, and so on.
These new letter releases are typically patches to the same version and are compatible. It also means
we do not support upgrading OpenSSL from version 1.0.2 to 1.1.1 (or other major version changes)
because the API is incompatible.
There are multiple options for upgrading OpenSSL without having to change any server code.
Option 1
Set an environment variable ($U2_USE_SSL_PATH) to specify the path.
For Linux, Solaris, and HP:
>setenv U2_USE_SSL_PATH /home/mybuild/latest_openssl
>env
U2_USE_SSL_PATH=/home/mybuild/latest_openssl
For Windows:
1. From the Windows Control Panel, select System and Security → System and click Advanced
Settings.
2. Click Environment Variables to define a variable name and value.variable name:
variable name: U2_USE_SSL_PATH
variable value: C:\mybuild\latest_openssl
Option 2
For Windows, Linux, Solaris, and HP:
Set the path into a fixed file (SSL_VERSION_PATH) under $UDTHOME.
> cd $UDTHOME
> cat SSL_VERSION_PATH
/home/mybuild/latest_openssl
Default settings
If both option 1 and option 2 are set at the same time, option 1 is used and option 2 is ignored. If both
of option 1 and option 2 are not set, the default release version is used.
Note: Regardless of whether you chose option 1 or option 2, you must stop and restart UniData on
the server side for the newly specified version to take effect.
Hope this helps.
JJ
Hi John. Thanks for your reply. I was looking at the security manual for 8.3.2 and saw this section but was not entirely sure if this was what I needed
So If I look to use option 2 above its literally as simple as creating the file SSL_VERSION_PATH within $UDTHOME and pointing to the OS version of OpenSSL. There are no other stepts after that?
Are there potentially any unintended side effects in Unidata as you are no longer using the bundled version of OpenSSL and you are instead using a version of OpenSSL that changes as you path the OS?
+1Hi,
That should be sufficient - though if you hit an obscure SSL problem then Rocket Support may ask you to reproduce the issue with the UniData-supplied version of OpenSSL - or at least produce a free-standing test case that shows the issue - and whether OpenSSL version dependent.
Please note that while Roket supports the use of OpenSSLm Rocket do not own or maintain OpenSSL itself.
Regards
JJ
Already have an account? Login
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
77 4th Avenue
Waltham, MA 02451 USA
