OpenSSL End of Life
One of the most commonly used pieces of security software is the OpenSSL cryptographic library. It is used in almost all Linux-based systems, it is packaged in a significant number of Windows applications and, of course, it is used in Internet of Things devices as well as various security appliances and VPN firewalls.
OpenSSL is an Open Source project, one which has, for good reasons, now adopted a formal release model for its various versions.
Support for version 1.0.0 and earlier has already ended. OpenSSL support for version 1.0.1 ends on 31st December 2016, the end of this year.
Why is this important?
The OpenSSL library manages the creation and operation of secure network connections.
- It manages the HTTPS bit for most secure web browsing.
- It manages the connections of secure VPNs connecting users into corporate networks.
- It manages the security for administrators remotely logging into Linux servers.
- It manages the hashing of passwords.
There is almost nothing in the security space that OpenSSL does not impact. It is a large and complex piece of software, and it has been the subject of some of the most highly publicised and critical IT security issues, such as Heartbleed, which have led to a lot of developer effort being expended on it across all of the versions. [Hence the new support plan]
As OpenSSL is used for so many functions, any upgrade has to be taken with extreme caution. Internal testing by Trusted Management indicates that a version upgrade frequently breaks dependencies, requiring additional effort to implement workarounds or alternative systems.
- The current major Linux distributions, with the exception of the latest Ubuntu release, use OpenSSL version 1.0.1 and thus will require patching. For supported distribution versions it is expected, though not confirmed, that patches will be available through the repositories.
- Applications on Windows platforms that use the OpenSSL library will need patching. These patches should become available from the software vendor.
- Devices, such as firewalls and VPN terminators, will need patching. These patches should become available from the vendors for supported devices.
- Internet of Things devices will become increasingly vulnerable if they are not patched.
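A quick triage of `openssl version` banners against the support dates stated above, as an added example rather than the post's own code (the inventory format, host names and banners are constructed for the example):

```python
import re
from datetime import date

# Support-end dates as stated in the post: 1.0.1 ends 2016-12-31. Support for 1.0.0 and
# earlier has already ended; the post gives no date, so those lines are caught by comparison.
SUPPORT_ENDS = {(1, 0, 1): date(2016, 12, 31)}
LAST_ENDED_LINE = (1, 0, 0)  # every release line up to and including this one is out of support
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_openssl_version(banner):
    """Parse `openssl version` output such as 'OpenSSL 1.0.1e-fips 11 Feb 2013'.
    Returns (major, minor, fix, letter), or None if the banner is not OpenSSL's."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter

def support_status(banner, today):
    """Classify a banner as 'unsupported', 'ending YYYY-MM-DD', 'not listed' or 'unknown'.
    The letter (1.0.1e vs 1.0.1u) is a patch level within one release line, so the
    end-of-support date depends on the first three numbers only."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "unknown"
    line = parsed[:3]
    if line <= LAST_ENDED_LINE:
        return "unsupported"
    end = SUPPORT_ENDS.get(line)
    if end is None:
        return "not listed"  # the post gives no date for this line (e.g. 1.0.2 or 1.1.0)
    return "unsupported" if today > end else "ending " + end.isoformat()

def triage_inventory(lines, today):
    """Map 'host: banner' lines (a constructed inventory format) to host -> status."""
    result = {}
    for entry in lines:
        host, _, banner = entry.partition(":")
        result[host.strip()] = support_status(banner.strip(), today)
    return result

# Constructed sample inventory: host names and banners are invented for this example.
SAMPLE_INVENTORY = [
    "web01: OpenSSL 1.0.1e-fips 11 Feb 2013",
    "vpn-gw: OpenSSL 1.0.0s 11 Jun 2015",
    "build02: OpenSSL 1.0.2h  3 May 2016",
    "sensor7: LibreSSL 2.4.1",
]
```

Calling `triage_inventory(SAMPLE_INVENTORY, "2016-11-01")` flags web01 as ending 2016-12-31 and vpn-gw as already unsupported. Treat the banner as a starting point only: where a distribution backports fixes through its repositories, the version string may stay at 1.0.1e while the package is still maintained, so confirm against the vendor's package changelog before raising an audit finding.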
Failing to patch OpenSSL will leave systems exposed to any new vulnerabilities (such as another Heartbleed) discovered in those unsupported versions.
Unpatched systems will also be a major non-compliance finding on any regulatory or contractually required audit, such as PCI-DSS.
