How to update OpenSSL

Hello,

Website Cloudflare SSL/TLS encryption mode is set to “Full”.

Our payment provider asked us to use OpenSSL version 1.1.11.

How do we update OpenSSL to version 1.1.11?

Thank you!
Alex

Was that just a general recommendation from them or was an actual problem found (like in a vulnerability scan)? In short, OpenSSL is something that would be installed on your server. It’s likely to be used by the web server you are running. Whether it is up to you to update depends on what kind of hosting you have (your own server / virtual machine that you manage yourself vs. hosting package for example). It’s not directly related to your Cloudflare setup, so it’s hard to provide specific advice.


Thank you for your reply Svanlund.

Payment provider says that we must have OpenSSL 1.1.11 installed for them to work on our website.

I found a place on the hosting service website to install an SSL Certificate - is that the place to add OpenSSL 1.1.11?

Thank you,
Alex

Actually, OpenSSL doesn’t have anything to do with your certificate. It’s essentially a software library installed on the server itself that is used behind the scenes. It sounds a bit strange that a specific version would be required for someone to provide their service. Is this a software-as-a-service type offering or do you need to run payment provider code on the server itself? Then maybe I can understand why someone would care about the exact version :smiley:

There doesn’t seem to be an OpenSSL 1.1.11 release by the way. The latest one from August has a really similar name though: Release OpenSSL_1_1_1l · openssl/openssl · GitHub

Is there any information about this requirement that you can share? Like is your payment provider stating it in their documentation or similar?


Got response from payment provider:

From our investigation, this issue appears to stem from a planned expiration of a root certificate by Let’s Encrypt on 09-30-2021 and moving to their own root certificate for trust. Our technical team says that you have openssl 1.0.2-fips installed. You would want to follow Old Let’s Encrypt Root Certificate Expiration and OpenSSL 1.0.2 - OpenSSL Blog to fix or update OpenSSL to v1.1.11 LTS, v3.0.0, or the latest FIPS version.

The main determining factor for whether a platform can validate Let’s Encrypt certificates is whether that platform trusts ISRG’s “ISRG Root X1” certificate. Prior to September 2021, some platforms could validate our certificates even though they don’t include ISRG Root X1, because they trusted IdenTrust’s “DST Root CA X3” certificate. From October 2021 onwards, only those platforms that trust ISRG Root X1 will validate Let’s Encrypt certificates (with the exception of Android).

We encourage our merchants/partners/integrators to update their platforms to one that is compatible with the new certificate.

What would you suggest?

Thank you,
Alex


Good question. I’m wondering whether you are the server or the client here.

They are connecting to you = You are the server. Your certificate matters. Use Workaround 3, which is essentially what @sdayman mentioned. This might be the most likely case based on what you have shared so far.

You are connecting to the payment provider = Your server is running some code on the server side (not Javascript in the browser) that is connecting to the payment provider. Then Workaround 1 would be relevant, but that assumes a certain level of control over the server. If you don’t manage it yourself (with SSH access for example) then it is more of a question to your provider.

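For the client-side case described in the post above (your server's code connecting out to the payment provider), here is an added check, not from this thread or from Cloudflare, OpenSSL or the payment provider. It assumes Python's `ssl` module is linked against the same OpenSSL build and trust store as the code making the connection, and it encodes the OpenSSL blog post's description of the 1.0.2 behaviour (no trusted-first chain building, so the presented chain is followed up to the expired DST Root CA X3):

```python
import ssl

# Root CA subjects that decide whether Let's Encrypt chains validate after 30 Sep 2021
ISRG_ROOT = "ISRG Root X1"
DST_ROOT = "DST Root CA X3"   # cross-signing root that expired on 2021-09-30


def common_name(subject):
    """Extract commonName from an ssl get_ca_certs() subject tuple-of-RDNs."""
    for rdn in subject:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def trusted_root_names(context=None):
    """Common names of the roots loaded into the context's trust store (system store by default)."""
    ctx = context or ssl.create_default_context()
    return {common_name(cert["subject"]) for cert in ctx.get_ca_certs()}


def lets_encrypt_client_status(trusted_names, openssl_version_info):
    """Classify whether this OpenSSL build will validate a Let's Encrypt server certificate
    presented with the default chain (leaf -> R3 -> ISRG Root X1 cross-signed by DST Root CA X3).

    Assumption (from the OpenSSL blog post linked in the thread): 1.0.2 and older do not
    prefer the trust-store copy of ISRG Root X1, so they walk the presented chain up to
    DST Root CA X3 and fail on its expiry whenever that root is still in the store.
    """
    has_isrg = ISRG_ROOT in trusted_names
    has_dst = DST_ROOT in trusted_names
    version = tuple(openssl_version_info[:3])  # (major, minor, fix)
    if not has_isrg:
        return "FAIL: ISRG Root X1 is not trusted; no Let's Encrypt chain can validate"
    if version <= (1, 0, 2) and has_dst:
        return ("FAIL: OpenSSL %d.%d.%d follows the presented chain to the expired "
                "DST Root CA X3 (Workaround 1: remove it from the trust store, or upgrade)"
                % version)
    return "OK: chains terminate at the trusted ISRG Root X1"


if __name__ == "__main__":
    # Live check against the local OpenSSL build and system trust store
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    print(lets_encrypt_client_status(trusted_root_names(), ssl.OPENSSL_VERSION_INFO))
```

Run it on the machine that actually makes the outbound connection; a "FAIL" on an otherwise up-to-date trust store points at the OpenSSL version rather than at the certificate.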

You currently have a security issue.


Oh my, if their payment provider finds out they’re running with an invalid TLS/SSL cert on their server, I can’t imagine they’ll be happy about that.

  1. Hosting Provider > Added domain
  2. Cloudflare > DNS > Created A record pointing to Hosting Provider IP.
  3. Cloudflare > SSL/TLS > Origin Server > Created Certificate.
  4. Hosting Provider > Added external Cloudflare SSL Certificate (Certificate and Private Key).
  5. Cloudflare > SSL/TLS > Overview > Set SSL/TLS encryption mode to Full

Am I missing something?

Thank you,
Alex

Off to a great start. #5 should be Full (Strict). Just plain “Full” will accept completely invalid certificates (wrong domain, expired, self-signed, etc).


I changed #5 to “Full (strict)”.

#4 - I only added to Hosting provider “Certificate” and “Key” since Cloudflare doesn’t provide “CA Bundle / Intermediate Certificate”.

That’s all I’ve ever done and it’s been sufficient. But the intermediate certificate is available here:
https://developers.cloudflare.com/ssl/origin-configuration/origin-ca#4-required-for-some-add-cloudflare-origin-ca-root-certificates

