Taking a closer look at Linux distributions for NGINX, Curl and OpenSSL for Domino
Daniel Nashed – 6 October 2022 08:06:32
Martijn wrote an interesting post about NGINX versions
(https://blog.martdj.nl/2022/08/26/nginx-as-reverse-proxy-on-centos-9-stream-a-problematic-combination/)
This inspired me to take a closer look into important software included in current Linux distributions.
In an earlier post I already showed how to update curl on Windows 11
(https://blog.nashcom.de/nashcomblog.nsf/dx/replace-curl-shipped-with-windows-with-a-recent-version-not-build-by-microsoft.htm)
So the next step would be to look into Linux distributions.
Linux distributions
I took the current Docker images for the main distributions and checked the NGINX, OpenSSL and LibCurl/Curl versions.
There is a dependency between LibCurl and OpenSSL when they are installed out of the box: all Linux distributions compile and ship LibCurl matched to the OpenSSL version on the platform.
Only when you download LibCurl or another application separately is a specific OpenSSL version usually bundled with the application.
Applications usually add such libs to their own application directory. This is often needed to run the same application on different versions of the OS.
But it also means that security patching your OS does not update important packages like OpenSSL that are bundled with your applications!
Many vendors lag behind in patching their libs, and they also stay on older major releases for a long time.
On the other hand, it is not wise for an application vendor to rely on the OpenSSL version shipped with the OS, especially when supporting multiple Linux distributions and versions.
LibCurl and OpenSSL
Domino 12.0.1 ships with a matching OpenSSL 1.1.1 version in a separate lib / DLL in the Domino program directory.
LibCurl is linked directly into core Notes/Domino since Domino 10.x.
Linking code directly into a core application reduces conflicts with other applications and also reduces the number of open files (each process would otherwise need file handles to open a lib).
In addition this is also more secure, because nobody can sneak in a different lib pretending to be the binary Domino expects to load.
Beginning with Domino 12.0.2 the new OpenSSL 3.0.x major version is linked into core Notes/Domino as well; it is no longer loaded dynamically.
This means two important components are directly glued into core Domino.
Software versions in current Linux distributions
Let's take a look at what the different distributions ship today and see which might fit best from a security point of view.
There is one special platform: openSUSE installs OpenSSL 1.1.1 out of the box, and you can manually install OpenSSL 3.0.x (openssl-3). That's why I listed both versions.
You might be surprised that the version included in Domino 12.0.2 is even newer than the one in the most current Linux distribution.
I marked really outdated versions, which are problematic, in red, and older versions within the current major versions in yellow.
So a fully patched OpenSSL 1.1.1 version can be green, and an older OpenSSL 3.0.x version can be yellow.
Product | NGINX Version | OpenSSL Version | LibCurl/Curl Version
NGINX Docker Image | 1.23.1 | 1.1.1n -- 15 Mar 2022 | 7.74.0
VMware Photon OS/Linux 4.0 | 1.22.0 | 3.0.3 -- 3 May 2022 | 7.83.1
openSUSE Leap 15.4 | 1.21.5 | 1.1.1l -- 24 Aug 2021, 3.0.1 -- 14 Dec 2021 | 7.79.1
Red Hat Enterprise Linux 9 UBI | 1.20.1 | 3.0.1 -- 14 Dec 2021 | 7.76.1
Ubuntu 22.04.1 LTS (Jammy Jellyfish) | 1.18.0 | 3.0.2 -- 15 Mar 2022 | 7.81.0
Debian GNU/Linux 11 (bullseye) | 1.18.0 | 1.1.1n -- 15 Mar 2022 | 7.74.0
Oracle Linux 9 | 1.20.1 | 3.0.1 -- 14 Dec 2021 | 7.76.1
Domino 12.0.2 | - | 3.0.5 -- 5 Jul 2022 | 7.83.0
Updated: 01.09.2022 --> I will recheck this periodically, maybe with Docker automation.
When you look at the Docker base images for the different Linux distributions, we have a clear winner today: VMware Photon OS 4.0!
- VMware Photon OS 4.0 is up to date for all three software packages we looked into.
- openSUSE Leap 15.4 is also a good choice -- and I hope they update their Curl version soon.
- Ubuntu is a good choice if you don't care about NGINX.
A good way to run NGINX in an up-to-date version is a dedicated Docker container with the official image --> https://hub.docker.com/_/nginx/.
This would always give you the latest version of NGINX, and an update is easy to deploy. The older version of Curl in that image should not be an issue, because the NGINX binaries do not use it (checked with ldd).
But for OpenSSL and LibCurl you really depend on the base OS for the most critical parts like OpenSSH.
This is even more important on a Linux machine than in a Docker container.
The Docker image runs locally and is usually protected by the base image.
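The version check behind the table above and the ldd check on the NGINX binary can be automated so the table can be regenerated per image. The script below is an added example and is not code from the original post or from HCL; the file name stack-versions.sh, the sample ldd listing and the reference versions (taken from the Domino 12.0.2 row and the newest 1.1.1 entry in the table, so a snapshot rather than an authoritative "latest") are all constructed for this example. It prints one table row for the image it runs in, rates the OpenSSL version with the post's green/yellow/red scheme, tells whether nginx links libcurl, and lists bundled libssl/libcrypto copies under an application prefix, which is exactly the part OS patching does not reach.

```shell
#!/bin/sh
# Added example, not code from the original post: inventory OpenSSL / curl / NGINX
# versions inside a Linux image, rate OpenSSL with the post's traffic-light scheme,
# and use ldd to see what a binary really links against.
# Constructed reference versions, taken from the table in the post (Domino 12.0.2 row,
# newest 1.1.1 entry); adjust them when you regenerate the table.
REF_OPENSSL_1_1_1="1.1.1n"
REF_OPENSSL_3_0="3.0.5"

# "OpenSSL 3.0.5 5 Jul 2022" -> "3.0.5"       (output of: openssl version)
openssl_version_of() { printf '%s\n' "$1" | awk '{ print $2 }'; }

# "nginx version: nginx/1.23.1" -> "1.23.1"   (nginx -v writes this line to stderr)
nginx_version_of() { printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/##p'; }

# First line of `curl --version`, e.g.
#   curl 7.83.1 (x86_64-pc-linux-gnu) libcurl/7.83.1 OpenSSL/3.0.3 zlib/1.2.12
# -> "7.83.1 7.83.1 OpenSSL/3.0.3": curl, libcurl and the TLS backend it was built
# with, which makes the libcurl/OpenSSL pairing described in the post visible.
curl_stack_of() {
    printf '%s\n' "$1" | awk 'NR == 1 {
        lc = "?"; ssl = "?"
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^libcurl\//) lc = substr($i, 9)
            else if ($i ~ /^(OpenSSL|LibreSSL|BoringSSL|GnuTLS|wolfSSL|NSS)\//) ssl = $i
        }
        print $2, lc, ssl
    }'
}

# version_ge A B: exit 0 if A >= B. Dotted components compare numerically, a trailing
# letter suffix (OpenSSL 1.1.1l < 1.1.1n) lexically, so no GNU `sort -V` is needed.
version_ge() {
    awk -v a="$1" -v b="$2" '
    function cmp(a, b,   pa, pb, na, nb, n, i, x, y, nx, ny, sx, sy) {
        na = split(a, pa, "\\."); nb = split(b, pb, "\\.")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] : "0"; y = (i <= nb) ? pb[i] : "0"
            match(x, /^[0-9]*/); nx = substr(x, 1, RLENGTH) + 0; sx = substr(x, RLENGTH + 1)
            match(y, /^[0-9]*/); ny = substr(y, 1, RLENGTH) + 0; sy = substr(y, RLENGTH + 1)
            if (nx != ny) return (nx > ny) ? 1 : -1
            if (sx != sy) return (sx > sy) ? 1 : -1
        }
        return 0
    }
    BEGIN { exit (cmp(a, b) >= 0 ? 0 : 1) }'
}

# Traffic-light rating following the post: green = current for its branch,
# yellow = same branch but behind, red = a branch that no longer receives fixes.
openssl_rating() {
    case "$1" in
        3.0.*)  version_ge "$1" "$REF_OPENSSL_3_0"   && echo green || echo yellow ;;
        1.1.1*) version_ge "$1" "$REF_OPENSSL_1_1_1" && echo green || echo yellow ;;
        *)      echo red ;;
    esac
}

# ldd_lists_lib LDD_OUTPUT STEM: does an ldd listing mention e.g. libcurl? Taking the
# text lets a captured listing be checked as well as a live binary (binary_links_lib).
ldd_lists_lib() { printf '%s\n' "$1" | grep -q "^[[:space:]]*$2\.so"; }
binary_links_lib() { ldd_lists_lib "$(ldd "$1" 2>/dev/null)" "$2"; }

# Constructed ldd listing in the shape the official nginx image produces: TLS comes
# from libssl/libcrypto and libcurl is absent, which is the post's ldd finding.
LDD_SAMPLE_NGINX='    linux-vdso.so.1 (0x00007ffd2a9c5000)
    libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f1c0b8a0000)
    libpcre2-8.so.0 => /lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007f1c0b800000)
    libssl.so.1.1 => /lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f1c0b760000)
    libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f1c0b480000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f1c0b460000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c0b280000)'

# Bundled OpenSSL copies (the patching blind spot the post describes): libssl/libcrypto
# files under an application prefix are not touched by OS updates. Print each with the
# version string embedded in the binary (needs `strings` from binutils).
find_bundled_openssl() {       # $1 = directory to search, e.g. /opt
    find "$1" -type f \( -name 'libssl*.so*' -o -name 'libcrypto*.so*' \) 2>/dev/null |
    while read -r f; do
        v=$(strings "$f" 2>/dev/null | sed -n '/^OpenSSL [0-9]/{p;q;}')
        printf '%s: %s\n' "$f" "${v:-version string not found}"
    done
}

# One table row for the host or container this runs in, plus the ldd check for nginx.
report() {
    os=$(. /etc/os-release 2>/dev/null && printf '%s' "$PRETTY_NAME")
    ossl=-; ngx=-; crl=-; rating=n/a
    command -v openssl >/dev/null && ossl=$(openssl_version_of "$(openssl version)")
    command -v nginx   >/dev/null && ngx=$(nginx_version_of "$(nginx -v 2>&1)")
    command -v curl    >/dev/null && crl=$(curl_stack_of "$(curl --version)")
    [ "$ossl" != - ] && rating=$(openssl_rating "$ossl")
    printf '%s | nginx %s | OpenSSL %s (%s) | curl/libcurl/TLS %s\n' \
        "${os:-unknown}" "$ngx" "$ossl" "$rating" "$crl"
    if command -v nginx >/dev/null; then
        binary_links_lib "$(command -v nginx)" libcurl && echo "nginx links libcurl" \
                                                      || echo "nginx does not link libcurl"
    fi
}

# Usage: sh stack-versions.sh --report, or inside an image, e.g. the official nginx one:
#   docker run --rm -v "$PWD/stack-versions.sh:/stack.sh:ro" nginx sh /stack.sh --report
case "${1:-}" in --report) report; find_bundled_openssl /opt ;; esac
```

Running it with --report against each base image in the table gives one row per image and makes the periodic recheck a loop over image names; the parsing and comparison functions are kept separate from the commands that produce the text so that a captured `ldd` or `curl --version` output from a production host can be checked offline as well.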