Notice to BlueOnyx 5106R users
Important notice to all BlueOnyx 5106R users.
Dear loyal BlueOnyx users,
As you all know, BlueOnyx 5106R is our oldest BlueOnyx version. It was released on 31st December 2008 and if our tally isn't too far off, then almost 20.000 servers have once been powered by it. In its time BlueOnyx 5106R has seen a lot of changes and modifications. Many to the better - or so we at least hope.
But the time has come where you really should consider to move on to more modern BlueOnyx versions in the near future. Such as BlueOnyx 5207R, 5208R or 5209R.
As you might recall: CentOS 5 is still supported by CentOS until 31st of March 2017. But the sad reality is: The usefulness of CentOS 5 has come to an end.
The recent Logjam vulnerability and the subsequent OpenSSL updates made this painfully clear.
We did our best to modify BlueOnyx to deal with this issues. And we did so with resounding success on 5107R, 5108R, 5207R, 5208R and 5209R. But 5106R? Not so much.
The problem that 5106R still has are entirely OS related. The underlying OpenSSL is simply too old. It only supports SSLv3 and TLSv1.0 as "secure" protocols. SSLv3? Forget it. We turned it off, because it is not considered secure anymore.
But the problem goes deeper: A server without TLSv1.2 will noawadays fail PCI complicance tests. Additionally security auditing tools and sites such as SSLlabs.com (which we highly recommend!) will automatically downgrade your SSL rating to a "C" rating if the webserver does not support TLSv1.2. The Apache 2.2 and the ancient OpenSSL on CentOS5 don't allow TLSv1.1 or TLSv1.2. At least not in their current constellation.
Furthermore: The ancient Apache 2.2 on CentOS5 also doesn't have provisions to allow strong Diffie Hellman parameters, which gets another downgrade of the rating as far as SSLlabs.com is concerned.
Lastly: Only a very limited number of strong crypto ciphers are supported by the ancient OpenSSL on CentOS5. This does not allow us to use Perfect Forwarding Secrecy with some common reference browsers.
And sadly: This doesn't affect just HTTPS, but all SSL enabled services, which (on CentOS5) suffer from subpar protocols and ciphers.
None of this is fixable by us without a tremendous effort. Like substituting the ancient OpenSSL with a 2nd (and modern) OpenSSL that's installed in a non-conflicting location. And then compile all network facing daemons against it. Plus replacing the ancient Apache 2.2 with a modern Apache 2.4.
Doing any of that would not be worth the effort.
So please consider migrating to a newer BlueOnyx version in the near future.
A guide about how this can be done can be found here.
For what it's worth: www.blueonyx.it now runs on a BlueOnyx 5209R as well. We made that transition today and the speed up in page loading time is quite noticeable. We will phase out our own remaining 5106R servers (except for the build boxes needed to build updates) within the next couple of days.
If you still run BlueOnyx 5106R servers, then please consider to migrate in the near future as well.
As always: If you have any questions or need assistance during that process, then please ask for advice and help on the BlueOnyx mailing list.