OpenSSL Version verification?

@scottl31:

No, I’m saying that OpenSSL relies upon PHP (they work together). You can’t update just one thing to a brand new version, and still have things function. It’s time to update both things to the same level.

Picture it just like other software. You can’t run the newest version of QuickBooks on Windows Vista. You have to upgrade Windows so that QuickBooks will work. You must upgrade PHP in order for the current version of OpenSSL to work.

– Your host supports the current version of OpenSSL (GOOD)
– WordFence supports the current version of OpenSSL (GOOD)
– Your PHP software does not support the current version of OpenSSL (BAD – WordFence alerted you to this, although not very clearly)

Time to Update PHP. Hope that helps!

@tombombadil69:

I understand your frustration; I also didn’t like receiving the error and having no idea how to correct it.

In this case, I believe you can’t blame a plugin for your web servers’ lack of health; it’s your choice, not theirs. You have WF installed to keep you secure – you would be furious if you paid money and it failed to alert you of a major security risk. It’s doing exactly what you paid it to do. Yes, it could have done a better job by making an actionable item (eg. “Update PHP to resolve”, etc.). But the alert is real.

It sounds like you may have on-premise hosting, or at least some private hosting somewhere. I would highly recommend moving to a hosting vendor that can handle all of this for you. You mentioned time and expense. All major hosting vendors will do OS, PHP, and OpenSSL updates for you for free and with no time spent. Side note: hosting with a vendor also happens to be far cheaper in the long term that self-hosting.

Good luck with the updates!

@greigner:
#1: To clarify – we are aware of the OpenSSL threat risk and decided to accept it for a couple of months. You may believe it or not – but yes, sometimes companies act like that.

#2: We are running WP on managed servers under CentOS5, but do not have root access there. The hoster refuses to update CentOS5 (EOL) – forcing us to pay a lot of money for a migration to CentOS7 on new hardware. So we are stuck. By the end of the year we will be able to cancel this contract and move on, but not before. So no new OpenSSL until then.

#3: We have evaluated WF before we paid the Premium subscription fee for 3 years, and it was working well, even with the old OpenSSL version (just until recently). There was no hint from the programmers that they were planning to just drop functionality for older OpenSSL versions. From one day to another, they did not simply bring up a warning only, but broke their downwards compatibility, making this a useless plugin for us (not talking about the loss of money because of the remaining months for the subscription). To me, this is not a technical matter, but a matter of *willing* of the guys behind WF (which was confirmed in another thread here).

Anyways, I probably won’t be able to change their mind, and in turn they won’t be able to spend my money in the future due to poor customer treatment. That simple.

Addendum:
What is really upsetting me is the fact that our Premium license was automatically downgraded to the free version with the ‘update’. This is because not even the license key validation passes through to the WF servers, which results in an immediate downgrade. As said, wasted money for the remaining couple of months that we have paid for.

Tom, I agree, it seems that if the plugin has worked, there’s no reason they cannot keep it working, and LET US BE RESPONSIBLE for any security “problems” related to open ssl. Seriously.

In the mean time, I’m still wondering if anyone knows if the open ssl within PHP can be updated without updating the PHP itself.

Sorry, I just saw the PD3 answer above. guess I missed this one in the email notify.

It’s dead simple for someone to just say “Time to Update PHP.” But updating PHP isn’t the same as updating wordpress. It’s not a trivial thing, and there are many reasons why people can’t or prefer not to update it.

There’s really no reason they can’t continue to support what has been working for many of us until now.

It’s also pretty inexcusable for WF to take the money and downgrade to the free version without warning.

I hadn’t seen any posts about this specific issue causing Premium WF to downgrade to Free WF without any notice. I understand now why your level of frustration is higher; if that’s what they are doing, there’s definitely a better way they can handle that for their paying customers.

All the same, please update your technology environments as soon as you are possibly able to. You’re not only protecting yourselves, but all of us in the community. This expectation that software from 2010 will work alongside software from 2018 isn’t correct.

The fix for this issue is above, as well as in a few other posts on this forum. If you have any further questions or technical details for those needing more assistance, post below. Thanks everyone!

@scottl31 On your update Question: For CentOS5, I found several descriptions on how to do a stand-alone updates of OpenSSL (which are unfortunately all useless to me due to missing root access to our managed servers, see above). I would definitely give it a try and ask Google if there is something similar for your specific environment.

@greigner: When entering a valid key and click the ‘Install license’ button, just a window with the following error is showing up:

“Your options have been saved. However we tried to verify your API key with the Wordfence servers and received an error: There was an error connecting to the Wordfence scanning servers: cURL error 35: Unknown SSL protocol error in connection to noc1.wordfence.com:443”

If there was a way to update our servers, I would have gone it months ago already …

• This reply was modified 6 years, 10 months ago by tombombadil69.