OpenSSL Version verification?

I am getting the same error.

Hi @scottl31,

Could you please check which OpenSSL version cURL uses (curl --version) on your server?

Hi,

bash-3.2# curl –version
curl 7.43.0 (x86_64-apple-darwin14.0) libcurl/7.43.0 SecureTransport zlib/1.2.8

looks like it doesn’t use it at all.

• This reply was modified 6 years, 11 months ago by scottl31.

Hi @scottl31
Your website must connect successfully to Wordfence cloud servers in order to get all the plugin features running well. Using an old version of OpenSSL library might affect that, you can double check if there is something wrong in the connectivity between your server and our servers by checking (Wordfence > Tools > Diagnsotics > Connectivity).

On your server, running openssl version should reveal the version of OpenSSl library installed, also you can diagnose your website’s SSL configuration using this tool, check the “OpenSSL” part in the “Handshake Simulation” section as in this screenshot. For more information regarding this version check please review this doc.

Thanks.

Yes, I did that in my first post, here it is again:

bash-3.2# openssl version
OpenSSL 1.0.1l 15 Jan 2015

bash-3.2# which openssl
/usr/bin/openssl

But you guys think I am running version 0.9.8zc. If my server says 1.0.1l, where are you looking that you are getting 0.9.8zc?

Any response possible? WF seems to be looking somewhere else than my server shows.

Hi @scottl31

Since the OpenSSL and cURL command line tools don’t always match the version that PHP was built with. Please follow the link of “Click to view your system’s configuration in a new window” option under (Wordfence > Tools > Diagnostics > Other Tests), check the version of OpenSSL there.

Thanks.

Yes, I already did that and reported above that it indeed says I’m running version 0.9.8zc

But as also stated above, version command shows;

bash-3.2# openssl version
OpenSSL 1.0.1l 15 Jan 2015

So do I have two different OpenSSLs on my server? If so, why can’t I tell WF to look at the 1.0.1l version? Or please tell me where WF is looking and finding 0.9.8zc so I can delete or update it.

Thanks!

Can you please respond to the last post?

I have gotten another warning about it being too old.

But one other thing. I have another different server from the one I’m asking about above. On that one, WF says OK and that I have “LibreSSL 2.2.7”

HOWEVER:

When I check it on command line I get:

bash-3.2# openssl version
OpenSSL 0.9.8zh 14 Jan 2016
bash-3.2# which openssl
/usr/bin/openssl

and this would be a bad version.

So I need to know where WF is looking and how to change it.

I too am having this issue on multiple sites. I don’t have any record of OpenSSL at all, but WordFence indicates that my version is out of date. I don’t have an SSL cert in place, and nothing on my hosting account indicates I’m using Open SSL.

If I scan using the recommended 3rd-party tool (Qualys SSL Labs), I get the following for all affected websites:

Assessed on: Fri, 04 May 2018 11:57:00 UTC
Assessment failed: No secure protocols supported

According to WF diagnostics, it sees Open SSL in use:
OpenSSL 1.0.0-fips 29 Mar 2010 (0x10000003)

Is this a false error?

I just found from another post that updating to PHP 5.6 or higher under “Programming Languages” solves the issue I detailed above.

After the upgrade to PHP 5.6, WF diagnostices indicates:
OpenSSL 1.0.1e-fips 11 Feb 2013 (0x1000105f).

The alert is now gone. Hope this helps!

• This reply was modified 6 years, 10 months ago by greigner.

My last two posts have not been responded to. If anybody has a chance, I’d appreciate it. Thanks!

Scott,

These forums are sort of community driven, so a response from the developer is sometimes hard to get. Did you update your PHP to version 5.6 or higher? PHP and OpenSSL have some type of reliance on each other, so although your host’s server might support a higher version, your installed language (PHP) may not – it could be where the report is coming from. Installing PHP 5.6, 7, 7.1, or 7.2 should provide WF with the correct data.
Good luck!

Are you saying that PHP carries along with it it’s own version of open ssl, regardless of what is installed on the server? If so, it seems confusing and just plain wrong to have two different open ssls running at once.

I can’t update PHP at the moment. I need approval from higher up, which I’m trying to get.

Isn’t there a way to update just the open ssl of the installed version of PHP (5.5). Thanks!

Has there been any workaround meanwhile?

Due to several reasons, we cannot upgrade all our company servers from CentOS5 to a newer version at the moment. Besides technical and ‘lack of time’ issues, this would also involve a significant amount of money to be paid to our web hosters for moving all the servers to new hardware. We are not willing to invest time/efforts/money, just because a WordPress plugin is not satisfied with its installation environment.

Our 3-year Wordfence subscription is running out soon (and the present installation cannot be validated due to this “error” anyways – it just won’t accept/verify our current Premium Code, as Wordfence is unable to connect ‘home’ – therefore the current installation is useless to us). So we will soon have to make a decision on how to proceed.

If there should be no workaround, I would appreciate if the community could point me to / recommend an alternative product. Thank you in advance!