Migrating away from TLS1.0

Migrating away from TLS1.0

beaniite
Those of you that run commerce sites may know the answer to this question.

I am running Mac OS 10.8.5, apache 2.2.9, openSSL 0.9.8zg and using authorize.net <http://authorize.net/>, which uses Trustwave to check up on PCI compliance. I am good on every question except my system still supports TLS1.0. That is the point of failure. I am not sure where to go from here because I am dependent on Apple to update the system which is currently up to date security wise.

Trustwave asks us to fill out a Risk Mitigation and Migration Plan for PCI DSS 3.1 that will hold them off until June 2016. If anyone out there has done this we are happy to reimburse you for your time and expertise.

---------------------------------

Gordon Nord
Nord Consultants
Ashburn VA 20147-7148 USA
[hidden email]

---------------------------------



#############################################################

This message is sent to you because you are subscribed to
  the mailing list Lasso [hidden email]
Official list archives available at http://www.lassotalk.com
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>

Re: Migrating away from TLS1.0

Bil Corry-3
Risk Mitigation is how you will reduce the threat that someone will exploit
the TLS 1.0 weakness - in an ideal world you would be able to say that
TLSv1.2 and TLSv1.1 are supported, so modern browsers won't use TLSv1.0,
only older clients will, but it sounds like your server doesn't support the
newer TLS versions.

Mitigation Plan is how you plan to remediate the issue, which in your case
would be to upgrade to a version of the OS that does support TLSv1.2.  Note
that by summer 2016, all commerce sites will no longer support TLS1.0 due
to PCI, and ironically, the new iOS will require TLSv1.2, so if you don't
support TLSv1.2, they won't connect.


- Bil

On Wed, Sep 9, 2015 at 11:24 PM, Gordon Nord <[hidden email]> wrote:

> Those of you that run commerce sites may know the answer to this question.
>
> I am running Mac OS 10.8.5, apache 2.2.9, openSSL 0.9.8zg and using
> authorize.net <http://authorize.net/>, which uses Trustwave to check
> up on PCI compliance. I am good on every question except my system still
> supports TLS1.0. That is the point of failure. I am not sure where to go
> from here because I am dependent on Apple to update the system which is
> currently up to date security wise.
>
> Trustwave asks us to fill out a Risk Mitigation and Migration Plan for PCI
> DSS 3.1 that will hold them off until June 2016. If anyone out there has
> done this we are happy to reimburse you for your time and expertise.
>
> ---------------------------------
>
> Gordon Nord
> Nord Consultants
> Ashburn VA 20147-7148 USA
> [hidden email]
>
> ---------------------------------

Re: Migrating away from TLS1.0

Trevor Borgmeier
In reply to this post by beaniite
We have been maintaining PCI compliance with an old Mac Pro limited to
Snow Leopard.  But, we've replaced just about every OS X included
software in the stack with versions compiled from source ... apache, php,
openssl, openssh, pureftpd, curl, ... basically everything.

Depending on your situation, it may be better to consider migrating to
another machine and OS.  Lasso runs on CentOS and then you'll get the
benefit of package managers, etc. which should make it much easier to
maintain.  Compiling from source isn't so bad once you've done it, but
some packages can be quite challenging depending on their needs,
dependencies etc.  Given that our hardware doesn't support OS versions
greater than Snow Leopard, we were also limited to a max version of
Xcode, making it difficult to install certain software from source.

Once you've gone through it and got everything compiled, everything
in place, and using the necessary updated dependencies, then maintaining
PCI compliance isn't so bad, but getting there will take a good amount
of effort and likely won't be too pleasant to do on a live/active
production server.  All in all, I'd recommend investing in migrating to
a Linux distro if possible. Like compiling everything from source, it
may mean a learning curve for you, but it may save you more time in the
long run...

-Trevor



On 9/9/15 4:24 PM, Gordon Nord wrote:

> Those of you that run commerce sites may know the answer to this question.
>
> I am running Mac OS 10.8.5, apache 2.2.9, openSSL 0.9.8zg and using authorize.net <http://authorize.net/>, which uses Trustwave to check up on PCI compliance. I am good on every question except my system still supports TLS1.0. That is the point of failure. I am not sure where to go from here because I am dependent on Apple to update the system which is currently up to date security wise.
>
> Trustwave asks us to fill out a Risk Mitigation and Migration Plan for PCI DSS 3.1 that will hold them off until June 2016. If anyone out there has done this we are happy to reimburse you for your time and expertise.
>
> ---------------------------------
>
> Gordon Nord
> Nord Consultants
> Ashburn VA 20147-7148 USA
> [hidden email]
>
> ---------------------------------


ɹǝıǝɯƃɹoq ɹoʌǝɹʇ



Re: Migrating away from TLS1.0

Bil Corry-3
Another thought, give CloudFlare a try - they offer a free option, so it
won't cost anything to give it a try.  They'll be the front end SSL for
your site, and my assumption is the PCI scan will pass since it will scan
them and not you.

https://www.cloudflare.com/plans


- Bil

On Thu, Sep 10, 2015 at 1:38 AM, Trevor Borgmeier <[hidden email]> wrote:

> We have been maintaining PCI compliance with an old Mac Pro limited to
> Snow Leopard.  But, we've replaced just about every OS X included software
> in the stack with versions compiled from source ... apache, php, openssl,
> openssh, pureftpd, curl, ... basically everything.
>
> Depending on your situation, it may be better to consider migrating to
> another machine and OS.  Lasso runs on CentOS and then you'll get the
> benefit of package managers, etc. which should make it much easier to
> maintain.  Compiling from source isn't so bad once you've done it, but some
> packages can be quite challenging depending on their needs, dependencies
> etc.  Given that our hardware doesn't support OS versions greater than
> Snow Leopard, we were also limited to a max version of Xcode, making it
> difficult to install certain software from source.
>
> Once you've gone through it and got everything compiled, everything in
> place, and using the necessary updated dependencies, then maintaining PCI
> compliance isn't so bad, but getting there will take a good amount of
> effort and likely won't be too pleasant to do on a live/active production
> server.  All in all, I'd recommend investing in migrating to a Linux distro
> if possible. Like compiling everything from source, it may mean a learning
> curve for you, but it may save you more time in the long run...
>
> -Trevor

Re: Migrating away from TLS1.0

stevepiercy
In reply to this post by beaniite
TL;DR; You need to upgrade your server, or migrate to a
compliant one, ahead of the June 30, 2016 deadline set by PCI
DSS.  Not doing so means that your ecommerce site will no longer
work in less than 1 year, while you currently fail PCI scans.

Personally, I wouldn't waste time with a Risk Mitigation and
Migration Plan for PCI DSS 3.1, when upgrading or migrating
would solve both the technical and policy issues.  Two birds,
one stone.

I recently went through this with a couple of my clients.  We
made the decision to turn off SSL and TLSv1.0 on those servers
now by upgrading.  The reasons have already been cited by
others, but if you need official PCI documentation, here ya go:
https://www.pcisecuritystandards.org/documents/Migrating_from_SSL_Early_TLS_Information%20Supplement_v1.pdf

The benefits of using the latest available version of OpenSSL
far outweigh the loss of allowing older web browsers (including
Safari 6.x on Mac OS X 10.8.5) to connect to our websites.  This
customer-facing issue should be addressed, too.
https://discussions.apple.com/thread/5128209?start=0&tstart=0
https://en.wikipedia.org/wiki/Transport_Layer_Security#cite_ref-note-g_176-0

AuthorizeNet is actively disabling TLSv1.0, first in its
sandbox, then in its production servers, "ahead of the June 30,
2016 deadline set by PCI DSS".
http://community.developer.authorize.net/t5/The-Authorize-Net-Developer-Blog/Authorize-Net-begins-TLS-1-0-Remediation-for-PCI-DSS-compliance/ba-p/51326

Unfortunately, it appears that you cannot just turn off SSL and
TLSv1.0 on your server because it does not support any later
version of TLS.  I run Mac OS X 10.8.5 on one of my machines,
and here's the command to test and its output.

     $ openssl ciphers -v
     DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
     ...
     EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export

There are no TLSv1.2 ciphers on Mac OS X 10.8.5, and it looks
like it supports only up to SSLv3/TLSv1.0 (the output treats
SSLv3 and TLSv1.0 as equivalent).  My interpretation might not
be 100% correct, so verify this statement.

Regarding CloudFlare, I don't know whether its use would satisfy
PCI requirements when your server needs to connect to
AuthorizeNet for transactions.

I see two viable options:

(1)  You could upgrade the Mac OS X version on your server.

(2)  You could build your own versions of openssl, mod_ssl, and
Apache, but in that case you might as well go full Linux and
free yourself from the shackles of Apple and its Mac OS X for
servers.  I've helped several clients make this transition, away
from the comfort of the Mac OS X GUI to becoming command-line
Linux monkeys.

--steve


On 9/9/15 at 5:24 PM, [hidden email] (Gordon Nord) pronounced:

>Those of you that run commerce sites may know the answer to this question.
>
>I am running Mac OS 10.8.5, apache 2.2.9, openSSL 0.9.8zg and
>using authorize.net <http://authorize.net/>, which uses
>Trustwave to check up on PCI compliance. I am good on every
>question except my system still supports TLS1.0. That is the
>point of failure. I am not sure where to go from here because I
>am dependent on Apple to update the system which is currently
>up to date security wise.
>
>Trustwave asks us to fill out a Risk Mitigation and Migration
>Plan for PCI DSS 3.1 that will hold them off until June 2016.
>If anyone out there has done this we are happy to reimburse you
>for your time and expertise.
>
>---------------------------------
>
>Gordon Nord
>Nord Consultants
>Ashburn VA 20147-7148 USA
>[hidden email]
>
>---------------------------------

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy              Website Builder              Soquel, CA
<[hidden email]>               <http://www.StevePiercy.com/>
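
The `openssl ciphers -v` check from the message above, turned into a script that groups the listing by its protocol column and flags suites worth disabling; this is an added example, not part of the original post. The function names are hypothetical and both listings are constructed samples (the first and last lines of the older one are the two lines quoted in the post).

```shell
#!/bin/sh
# Added example: interpret `openssl ciphers -v` output (function names are hypothetical).
# Column 2 names the protocol version that introduced the suite, so suites
# tagged SSLv3 are the same ones negotiated under TLSv1.0. The listing shows
# what the library offers, not what the web server is configured to accept.

# Constructed sample shaped like an OpenSSL 0.9.8 listing (not captured output).
sample_old() {
cat <<'EOF'
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EOF
}

# Constructed sample shaped like a listing from a TLSv1.2-capable build.
sample_new() {
cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
EOF
}

# protocol_counts: read a listing on stdin, print "PROTOCOL COUNT" per line.
protocol_counts() {
  awk 'NF >= 2 { n[$2]++ } END { for (p in n) print p, n[p] }' | LC_ALL=C sort
}

# has_modern_suites: succeed only if some suite is tagged TLSv1.2 or TLSv1.3,
# which implies the library itself can speak that protocol version.
has_modern_suites() {
  awk '$2 == "TLSv1.2" || $2 == "TLSv1.3" { found = 1 }
       END { exit (found ? 0 : 1) }'
}

# weak_suites: print names of suites that are SSLv2-only, export-grade,
# RC4, single DES, unencrypted, or MD5-authenticated.
weak_suites() {
  awk '$2 == "SSLv2" || /export/ || /Enc=RC4/ || /Enc=DES\(/ ||
       /Enc=None/ || /Mac=MD5/ { print $1 }'
}

# assess: one-line verdict for a listing read from stdin.
assess() {
  listing=$(cat)
  if printf '%s\n' "$listing" | has_modern_suites; then
    verdict="library lists TLSv1.2+ suites"
  else
    verdict="no TLSv1.2+ suites: library tops out at SSLv3/TLSv1.0"
  fi
  weak=$(printf '%s\n' "$listing" | weak_suites | wc -l | tr -d ' ')
  printf '%s; %s weak suite(s) to disable\n' "$verdict" "$weak"
}

# On a real host: openssl ciphers -v | assess
sample_old | assess
sample_new | assess
```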



Re: Migrating away from TLS1.0

maxwellk2
In reply to this post by Trevor Borgmeier
+1 on Trevor’s and Steve’s advice here - I’m one of the Linux monkeys Steve trained. It was hard to let go and make the leap to Linux, but when Apple pulled the plug on the Xserve it was clear they’d become a fully consumer-centric operation - and who could blame them. Now that I’m past the steeper parts of the learning curve with Linux/CentOS I’m very glad to have an OS that’s more suited to running web servers, and doesn’t constantly insist on installing iTunes and the latest OS.

It may be a little dated, and there are more complete articles out there on PCI/Linux security, but this was a helpful and encouraging article from Chris Wik as I made the transition:

        http://www.cwik.ch/2013/01/setting-up-a-centos-6-server-to-host-a-secure-site/

HTH,
Max


> On Sep 9, 2015, at 4:38 PM, Trevor Borgmeier <[hidden email]> wrote:
>
> We have been maintaining PCI compliance with an old Mac Pro limited to Snow Leopard.  But, we've replaced just about every OS X included software in the stack with versions compiled from source ... apache, php, openssl, openssh, pureftpd, curl, ... basically everything.
>
> Depending on your situation, it may be better to consider migrating to another machine and OS.  Lasso runs on CentOS and then you'll get the benefit of package managers, etc. which should make it much easier to maintain.  Compiling from source isn't so bad once you've done it, but some packages can be quite challenging depending on their needs, dependencies etc.  Given that our hardware doesn't support OS versions greater than Snow Leopard, we were also limited to a max version of Xcode, making it difficult to install certain software from source.
>
> Once you've gone through it and got everything compiled, everything in place, and using the necessary updated dependencies, then maintaining PCI compliance isn't so bad, but getting there will take a good amount of effort and likely won't be too pleasant to do on a live/active production server.  All in all, I'd recommend investing in migrating to a Linux distro if possible. Like compiling everything from source, it may mean a learning curve for you, but it may save you more time in the long run...
>
> -Trevor

Re: Migrating away from TLS1.0

Steffan A. Cline
Drink the Kool-Aid. Come to Linux. It's where all the cool kids are.

I've been using CentOS with EPEL and Remi repos for some time now after moving from OS X and have ZERO regrets.

Thanks,
Steffan Cline
[hidden email]
602-793-0014

> On Sep 10, 2015, at 10:48 AM, Maxwell Klein <[hidden email]> wrote:
>
> +1 on Trevor’s and Steve’s advice here - I’m one of the Linux monkeys Steve trained. It was hard to let go and make the leap to Linux, but when Apple pulled the plug on the Xserve it was clear they’d become a fully consumer-centric operation - and who could blame them. Now that I’m past the steeper parts of the learning curve with Linux/CentOS I’m very glad to have an OS that’s more suited to running web servers, and doesn’t constantly insist on installing iTunes and the latest OS.
>
> It may be a little dated, and there are more complete articles out there on PCI/Linux security, but this was a helpful and encouraging article from Chris Wik as I made the transition:
>
>    http://www.cwik.ch/2013/01/setting-up-a-centos-6-server-to-host-a-secure-site/
>
> HTH,
> Max

Re: Migrating away from TLS1.0

Mike Ealy-2
This has been a very convincing thread. I've been resisting the move from
Mac OS for some time now, but I think it's time to get serious. Can you suggest
any other sources of required reading to help make the transition to CentOS
easier for a longtime Mac guy with a little command line knowledge?

Thanks,
Mike Ealy


> Drink the Kool-Aid. Come to Linux. It's where all the cool kids are.
>
> I've been using CentOS with EPEL and Remi repos for some time now after
> moving from OS X and have ZERO regrets.
>
> Thanks,
> Steffan Cline
> [hidden email]
> 602-793-0014
>
>> On Sep 10, 2015, at 10:48 AM, Maxwell Klein <[hidden email]> wrote:
>>
>> +1 on Trevor’s and Steve’s advice here - I’m one of the Linux monkeys Steve
>> trained. It was hard to let go and make the leap to Linux, but when Apple
>> pulled the plug on the Xserve it was clear they’d become a fully
>> consumer-centric operation - and who could blame them. Now that I’m past the
>> steeper parts of the learning curve with Linux/CentOS I’m very glad to have
>> an OS that’s more suited to running web servers, and doesn’t constantly
>> insist on installing iTunes and the latest OS.
>>
>> It may be a little dated, and there are more complete articles out there on
>> PCI/Linux security, but this was a helpful and encouraging article from Chris
>> Wik as I made the transition:
>>
>>    
>>
http://www.cwik.ch/2013/01/setting-up-a-centos-6-server-to-host-a-secure-site>>
/

>>
>> HTH,
>> Max
>>
>>
>>> On Sep 9, 2015, at 4:38 PM, Trevor Borgmeier <[hidden email]> wrote:
>>>
>>> We have been maintaining PCI compliance with an old Mac Pro limited to Snow
>>> Leopard.  But, we've replaced just about every OS X included software in the
>>> stack with version compiled from source ... apache, php, openssl, openssh,
>>> pureftpd, curl, ... basically everything.
>>>
>>> Depending on your situation, it may be better to consider migrating to
>>> another machine and OS.  Lasso runs on CentOS and then you'll get the
>>> benefit of package managers, etc. which should make it much easier to
>>> maintain.  Compiling from source isn't so bad once you've done it, but some
>>> packages can be quite challenging depending on their needs, dependencies
>>> etc.  Given our hardware doesn't support OS's greater than snow leopard
>>> meant we were also limited to a max version of X Code making it difficult to
>>> install certain software from source.
>>>
>>> Once you've went through it and got everything compiled, etc everything in
>>> place, and using the necessary updated dependencies then maintaining PCI
>>> compliance isn't so bad, but getting there will take a good amount of effort
>>> and likely won't be too pleasant to do on a live/active production server.
>>> All in all, I'd recommend investing in migrating to a linux distro if
>>> possible. Like compiling everything from source, it may mean a learning
>>> curve for you, but it may save you more time in the long run...
>>>
>>> -Trevor
>>>
>>>
>>>
>>>> On 9/9/15 4:24 PM, Gordon Nord wrote:
>>>> Those of you that run commerce sites may know the answer to this question.
>>>>
>>>> I am running Mac OS 10.8.5, apache 2.2.9, openSSL 0.9.8zg and using
>>>> authorize.net <http://authorize.net/> net which uses Trustwave to check up
>>>> on PCI compliance. I am good on every question except my system still
>>>> supports TLS1.0. That is the point of failure. I am not sure where to go
>>>> from here because I am dependent on Apple to update the system which is
>>>> currently up to date security wise.
>>>>
>>>> Trustwave asks us to fill out a Risk Mitigation and Migration Plan for PCI
>>>> DSS 3.1 that will hold them off until June 2016. If anyone out there has
>>>> done this we are happy to reimburse you for your time and expertise.
>>>>
>>>> ---------------------------------
>>>>
>>>> Gordon Nord
>>>> Nord Consultants
>>>> Ashburn VA 20147-7148 USA
>>>> [hidden email]
>>>>
>>>> ---------------------------------
>>>>
>>> ɹǝıǝɯƃɹoq ɹoʌǝɹʇ

Re: Migrating away from TLS1.0

Lia Wallans
Hey everyone,

I, also, would recommend Linux - but I’m a die-hard linux fan girl. Mike, if you’re looking for required reading, I’d start with the CentOS wiki - (https://wiki.centos.org/). They have a decent amount of user-friendly documentation in it, and general help as well.

The best way to learn to administer linux is to try it! Luckily, it works on just about anything you feel like putting it on, so if you want to learn the absolute basics, throw together an Ubuntu desktop VM - it’ll get you started, learning the CLI and the general commands is one of those things that comes better with practice.

Google, actually, is also your friend with Linux. If you’re trying to set things up and run into problems, chances are someone else, somewhere else, has had that same problem, and asked a question on a forum. 

The folks on the list here are pretty helpful as well, I’m sure they’d be happy to help as they can.

Good luck, and happy coding!

-- 
Lia Wallans
LassoSoft Technical Support

On September 10, 2015 at 3:19:22 PM, Mike Ealy ([hidden email]) wrote:

This has been a very convincing thread. I've been resisting the move from
Mac OS some time now, but I think it's time to get serious. Can you suggest
any other sources of required reading to help make the transition to CentOS
easier for a longtime Mac guy with a little command line knowledge?

Thanks,
Mike Ealy


> Drink the Kool-Aid. Come to Linux. It's where all the cool kids are.
>  
> I've been using CentOS with EPEL and Remi repos for some time now after
> moving from OS X and have ZERO regrets.
>  
> Thanks,
> Steffan Cline
> [hidden email]
> 602-793-0014
>  
>> On Sep 10, 2015, at 10:48 AM, Maxwell Klein <[hidden email]> wrote:
>>  
>> +1 on Trevor’s and Steve’s advice here - I’m one of the Linux monkeys Steve
>> trained. It was hard to let go and make the leap to Linux, but when Apple
>> pulled the plug on the Xserve it was clear they’d become a fully
>> consumer-centric operation - and who could blame them. Now that I’m past the
>> steeper parts of the learning curve with Linux/CentOS I’m very glad to have
>> an OS that’s more suited to running web servers, and doesn’t constantly
>> insist on installing iTunes and the latest OS.
>>  
>> It may be a little dated, and there are more complete articles out there on
>> PCI/Linux security, but this was a helpful and encouraging article from Chris
>> Wik as I made the transition:
>>
>> http://www.cwik.ch/2013/01/setting-up-a-centos-6-server-to-host-a-secure-site/
>>
>> HTH,
>> Max

Re: Migrating away from TLS1.0

Steffan A. Cline
In reply to this post by Mike Ealy-2
I, like a few other people here, use Virtualmin for administering CentOS. I can do most things via CLI but also have days where I want a simple web solution that requires little to no thought. For example depending on what features you need, it will create the DNS, mail, FTP/Mail users, web analytics, mailman, SVN, Apache configs and many other features if needed all at once. Best part? It's FREE for the basic version which has a TON of features. If you need the pro stuff, it's far cheaper than the competition. It has a MASSIVE user base too. You can literally administer the server 100% without CLI with it.

Since you're not heavily CLI experienced, this is a great deal for you. You should consider it a viable option, in my opinion.

Thanks,
Steffan Cline
[hidden email]
602-793-0014

> On Sep 10, 2015, at 12:18 PM, Mike Ealy <[hidden email]> wrote:
>
> This has been a very convincing thread. I've been resisting the move from
> Mac OS some time now, but I think it's time to get serious. Can you suggest
> any other sources of required reading to help make the transition to CentOS
> easier for a longtime Mac guy with a little command line knowledge?
>
> Thanks,
> Mike Ealy
>
>
>> Drink the Kool-Aid. Come to Linux. It's where all the cool kids are.
>>
>> I've been using CentOS withe EPEL and Remi repos for some time now after
>> moving from OS X and have ZERO regrets.
>>
>> Thanks,
>> Steffan Cline
>> [hidden email]
>> 602-793-0014
>>
>>> On Sep 10, 2015, at 10:48 AM, Maxwell Klein <[hidden email]> wrote:
>>>
>>> +1 on Trevor’s and Steve’s advice here - I’m one of the Linux monkeys Steve
>>> trained. It was hard to let go and make the leap to Linux, but when Apple
>>> pulled the plug on the Xserve it was clear they’d become a fully
>>> consumer-centric operation - and who could blame them. Now that I’m past the
>>> steeper parts of the learning curve with Linux/CentOS I’m very glad to have
>>> an OS that’s more suited to running web servers, and doesn’t constantly
>>> insist on installing iTunes and the latest OS.
>>>
>>> It may be a little dated, and there are more complete articles out there on
>>> PCI/Linux security, but this was a helpful and encouraging article from Chris
>>> Wik as I made the transition:
> http://www.cwik.ch/2013/01/setting-up-a-centos-6-server-to-host-a-secure-site>>
> /
>>>
>>> HTH,
>>> Max
>>>
>>>
>>>> On Sep 9, 2015, at 4:38 PM, Trevor Borgmeier <[hidden email]> wrote:
>>>>
>>>> We have been maintaining PCI compliance with an old Mac Pro limited to Snow
>>>> Leopard.  But, we've replaced just about every OS X included software in the
>>>> stack with version compiled from source ... apache, php, openssl, openssh,
>>>> pureftpd, curl, ... basically everything.
>>>>
>>>> Depending on your situation, it may be better to consider migrating to
>>>> another machine and OS.  Lasso runs on CentOS and then you'll get the
>>>> benefit of package managers, etc. which should make it much easier to
>>>> maintain.  Compiling from source isn't so bad once you've done it, but some
>>>> packages can be quite challenging depending on their needs, dependencies
>>>> etc.  Given our hardware doesn't support OS's greater than snow leopard
>>>> meant we were also limited to a max version of X Code making it difficult to
>>>> install certain software from source.
>>>>
>>>> Once you've went through it and got everything compiled, etc everything in
>>>> place, and using the necessary updated dependencies then maintaining PCI
>>>> compliance isn't so bad, but getting there will take a good amount of effort
>>>> and likely won't be too pleasant to do on a live/active production server.
>>>> All in all, I'd recommend investing in migrating to a linux distro if
>>>> possible. Like compiling everything from source, it may mean a learning
>>>> curve for you, but it may save you more time in the long run...
>>>>
>>>> -Trevor
>>>>
>>>>
>>>>
>>>>> On 9/9/15 4:24 PM, Gordon Nord wrote:
>>>>> Those of you that run commerce sites may know the answer to this question.
>>>>>
>>>>> I am running Mac OS 10.8.5, apache 2.2.9, openSSL 0.9.8zg and using
>>>>> authorize.net <http://authorize.net/> net which uses Trustwave to check up
>>>>> on PCI compliance. I am good on every question except my system still
>>>>> supports TLS1.0. That is the point of failure. I am not sure where to go
>>>>> from here because I am dependent on Apple to update the system which is
>>>>> currently up to date security wise.
>>>>>
>>>>> Trustwave asks us to fill out a Risk Mitigation and Migration Plan for PCI
>>>>> DSS 3.1 that will hold them off until June 2016. If anyone out there has
>>>>> done this we are happy to reimburse you for your time and expertise.
>>>>>
>>>>> ---------------------------------
>>>>>
>>>>> Gordon Nord
>>>>> Nord Consultants
>>>>> Ashburn VA 20147-7148 USA
>>>>> [hidden email]
>>>>>
>>>>> ---------------------------------
>>>>>
>>>>>
>>>>>
>>>>> #############################################################
>>>>>
>>>>> This message is sent to you because you are subscribed to
>>>>> the mailing list Lasso [hidden email]
>>>>> Official list archives available at http://www.lassotalk.com
>>>>> To unsubscribe, E-mail to: <[hidden email]>
>>>>> Send administrative queries to  <[hidden email]>
>>>>
>>>>
>>>> ɹǝıǝɯƃɹoq ɹoʌǝɹʇ
>>>>
>>>>
>>>> #############################################################
>>>>
>>>> This message is sent to you because you are subscribed to
>>>> the mailing list Lasso [hidden email]
>>>> Official list archives available at http://www.lassotalk.com
>>>> To unsubscribe, E-mail to: <[hidden email]>
>>>> Send administrative queries to  <[hidden email]>
>>>
>>>
>>> #############################################################
>>>
>>> This message is sent to you because you are subscribed to
>>> the mailing list Lasso [hidden email]
>>> Official list archives available at http://www.lassotalk.com
>>> To unsubscribe, E-mail to: <[hidden email]>
>>> Send administrative queries to  <[hidden email]>
>> +1 on Trevor’s and Steve’s advice here - I’m one of the Linux monkeys Steve
>> trained. It was hard to let go and make the leap to Linux, but when Apple
>> pulled the plug on the Xserve it was clear they’d become a fully
>> consumer-centric operation - and who could blame them. Now that I’m past the
>> steeper parts of the learning curve with Linux/CentOS I’m very glad to have an
>> OS that’s more suited to running web servers, and doesn’t constantly insist on
>> installing iTunes and the latest OS.
>
> It may be a little dated, and there are
>> more complete articles out there on PCI/Linux security, but this was a helpful
>> and encouraging article from Chris Wik as I made the
>> transition:
>
> http://www.cwik.ch/2013/01/setting-up-a-centos-6-server-to-host-
>> a-secure-site/
>
> HTH,
> Max
>
>
>> On Sep 9, 2015, at 4:38 PM, Trevor Borgmeier
>> <[hidden email]> wrote:
>>
>> We have been maintaining PCI compliance with
>> an old Mac Pro limited to Snow Leopard.  But, we've replaced just about every
>> OS X included software in the stack with version compiled from source ...
>> apache, php, openssl, openssh, pureftpd, curl, ... basically everything.
>>
>>
>> Depending on your situation, it may be better to consider migrating to another
>> machine and OS.  Lasso runs on CentOS and then you'll get the benefit of
>> package managers, etc. which should make it much easier to maintain.
>> Compiling from source isn't so bad once you've done it, but some packages can
>> be quite challenging depending on their needs, dependencies etc.  Given our
>> hardware doesn't support OS's greater than snow leopard meant we were also
>> limited to a max version of X Code making it difficult to install certain
>> software from source.
>>
>> Once you've went through it and got everything
>> compiled, etc everything in place, and using the necessary updated
>> dependencies then maintaining PCI compliance isn't so bad, but getting there
>> will take a good amount of effort and likely won't be too pleasant to do on a
>> live/active production server.  All in all, I'd recommend investing in
>> migrating to a linux distro if possible. Like compiling everything from
>> source, it may mean a learning curve for you, but it may save you more time in
>> the long run...
>>
>> -Trevor
>>
>>
>>
>> On 9/9/15 4:24 PM, Gordon Nord
>> wrote:
>>> Those of you that run commerce sites may know the answer to this
>> question.
>>>
>>> I am running Mac OS 10.8.5, apache 2.2.9, openSSL 0.9.8zg and
>> using authorize.net <http://authorize.net/> net which uses Trustwave to check
>> up on PCI compliance. I am good on every question except my system still
>> supports TLS1.0. That is the point of failure. I am not sure where to go from
>> here because I am dependent on Apple to update the system which is currently
>> up to date security wise.
>>>
>>> Trustwave asks us to fill out a Risk
>> Mitigation and Migration Plan for PCI DSS 3.1 that will hold them off until
>> June 2016. If anyone out there has done this we are happy to reimburse you for
>> your time and expertise.
>>>
>>> ---------------------------------
>> Gordon Nord
>>> Nord Consultants
>>> Ashburn VA 20147-7148 USA
>> [hidden email]
>>>
>>> ---------------------------------
>> #############################################################
>>>
>>> This
>> message is sent to you because you are subscribed to
>>>  the mailing list
>> Lasso [hidden email]
>>> Official list archives available at
>> http://www.lassotalk.com
>>> To unsubscribe, E-mail to:
>> <[hidden email]>
>>> Send administrative queries to
>> <[hidden email]>
>>
>>
>> ɹǝıǝɯƃɹoq ɹoʌǝɹʇ
>>
>>
>>
>> #############################################################
>>
>> This
>> message is sent to you because you are subscribed to
>> the mailing list Lasso
>> [hidden email]
>> Official list archives available at
>> http://www.lassotalk.com
>> To unsubscribe, E-mail to:
>> <[hidden email]>
>> Send administrative queries to
>> <[hidden email]>
>
>
> ########################################
>> #####################
>
> This message is sent to you because you are subscribed
>> to
>  the mailing list Lasso [hidden email]
> Official list archives
>> available at http://www.lassotalk.com
> To unsubscribe, E-mail to:
>> <[hidden email]>
> Send administrative queries to
>> <[hidden email]>
>
> #########################################
>> ####################
>
> This message is sent to you because you are subscribed
>> to
>  the mailing list Lasso [hidden email]
> Official list archives
>> available at http://www.lassotalk.com
> To unsubscribe, E-mail to:
>> <[hidden email]>
> Send administrative queries to
>> <[hidden email]>
>
>
>
> #############################################################
>
> This message is sent to you because you are subscribed to
>  the mailing list Lasso [hidden email]
> Official list archives available at http://www.lassotalk.com
> To unsubscribe, E-mail to: <[hidden email]>
> Send administrative queries to  <[hidden email]>
This has been a very convincing thread. I've been resisting the move from
Mac OS some time now, but I think it's time to get serious. Can you suggest
any other sources of required reading to help make the transition to CentOS
easier for a longtime Mac guy with a little command line knowledge?

Thanks,
Mike Ealy


> Drink the Kool-Aid. Come to Linux. It's where all the cool kids are.
>
> I've been using CentOS withe EPEL and Remi repos for some time now after
> moving from OS X and have ZERO regrets.
>
> Thanks,
> Steffan Cline
> [hidden email]
> 602-793-0014
>
>> On Sep 10, 2015, at 10:48 AM, Maxwell Klein <[hidden email]> wrote:
>>
>> +1 on Trevor’s and Steve’s advice here - I’m one of the Linux monkeys Steve
>> trained. It was hard to let go and make the leap to Linux, but when Apple
>> pulled the plug on the Xserve it was clear they’d become a fully
>> consumer-centric operation - and who could blame them. Now that I’m past the
>> steeper parts of the learning curve with Linux/CentOS I’m very glad to have
>> an OS that’s more suited to running web servers, and doesn’t constantly
>> insist on installing iTunes and the latest OS.
>>
>> It may be a little dated, and there are more complete articles out there on
>> PCI/Linux security, but this was a helpful and encouraging article from Chris
>> Wik as I made the transition:
>>
>>    
>>
http://www.cwik.ch/2013/01/setting-up-a-centos-6-server-to-host-a-secure-site>>
/

>>
>> HTH,
>> Max
>>
>>
>>> On Sep 9, 2015, at 4:38 PM, Trevor Borgmeier <[hidden email]> wrote:
>>>
>>> We have been maintaining PCI compliance with an old Mac Pro limited to Snow
>>> Leopard.  But, we've replaced just about every OS X included software in the
>>> stack with version compiled from source ... apache, php, openssl, openssh,
>>> pureftpd, curl, ... basically everything.
>>>
>>> Depending on your situation, it may be better to consider migrating to
>>> another machine and OS.  Lasso runs on CentOS and then you'll get the
>>> benefit of package managers, etc. which should make it much easier to
>>> maintain.  Compiling from source isn't so bad once you've done it, but some
>>> packages can be quite challenging depending on their needs, dependencies
>>> etc.  Given our hardware doesn't support OS's greater than snow leopard
>>> meant we were also limited to a max version of X Code making it difficult to
>>> install certain software from source.
>>>
>>> Once you've went through it and got everything compiled, etc everything in
>>> place, and using the necessary updated dependencies then maintaining PCI
>>> compliance isn't so bad, but getting there will take a good amount of effort
>>> and likely won't be too pleasant to do on a live/active production server.
>>> All in all, I'd recommend investing in migrating to a linux distro if
>>> possible. Like compiling everything from source, it may mean a learning
>>> curve for you, but it may save you more time in the long run...
>>>
>>> -Trevor
>>>
>>>
>>>
>>>> On 9/9/15 4:24 PM, Gordon Nord wrote:
>>>> Those of you that run commerce sites may know the answer to this question.
>>>>
>>>> I am running Mac OS 10.8.5, apache 2.2.9, openSSL 0.9.8zg and using
>>>> authorize.net <http://authorize.net/> net which uses Trustwave to check up
>>>> on PCI compliance. I am good on every question except my system still
>>>> supports TLS1.0. That is the point of failure. I am not sure where to go
>>>> from here because I am dependent on Apple to update the system which is
>>>> currently up to date security wise.
>>>>
>>>> Trustwave asks us to fill out a Risk Mitigation and Migration Plan for PCI
>>>> DSS 3.1 that will hold them off until June 2016. If anyone out there has
>>>> done this we are happy to reimburse you for your time and expertise.
>>>>
>>>> ---------------------------------
>>>>
>>>> Gordon Nord
>>>> Nord Consultants
>>>> Ashburn VA 20147-7148 USA
>>>> [hidden email]
>>>>
>>>> ---------------------------------
>>>
>>>
>>> ɹǝıǝɯƃɹoq ɹoʌǝɹʇ

Re: Migrating away from TLS1.0

Mike Ealy-2
Thanks, Steffan. I'll check it out.

Mike


> I, like a few other people here, use Virtualmin for administering CentOS. I
> can do most things via CLI but also have days where I want a simple web
> solution that requires little to no thought. For example depending on what
> features you need, it will create the DNS, mail, FTP/Mail users, web
> analytics, mailman, SVN, Apache configs and many other features if needed all
> at once. Best part? It's FREE for the basic version which has a TON of
> features. If you need the pro stuff, it's far cheaper than the competition. It
> has a MASSIVE user base too. You can literally administer the server 100%
> without CLI with it.
>
> Since you're not heavily CLI experienced, this is a great deal for you. You
> should consider it a viable option, in my opinion.
>
> Thanks,
> Steffan Cline
> [hidden email]
> 602-793-0014
>
>> On Sep 10, 2015, at 12:18 PM, Mike Ealy <[hidden email]> wrote:
>>
>> This has been a very convincing thread. I've been resisting the move from
>> Mac OS some time now, but I think it's time to get serious. Can you suggest
>> any other sources of required reading to help make the transition to CentOS
>> easier for a longtime Mac guy with a little command line knowledge?
>>
>> Thanks,
>> Mike Ealy
>>
>>
>>> Drink the Kool-Aid. Come to Linux. It's where all the cool kids are.
>>>
>>> I've been using CentOS with EPEL and Remi repos for some time now after
>>> moving from OS X and have ZERO regrets.
>>>
>>> Thanks,
>>> Steffan Cline
>>> [hidden email]
>>> 602-793-0014
>>>
>>>> On Sep 10, 2015, at 10:48 AM, Maxwell Klein <[hidden email]> wrote:
>>>>
>>>> +1 on Trevor’s and Steve’s advice here - I’m one of the Linux monkeys Steve
>>>> trained. It was hard to let go and make the leap to Linux, but when Apple
>>>> pulled the plug on the Xserve it was clear they’d become a fully
>>>> consumer-centric operation - and who could blame them. Now that I’m past the
>>>> steeper parts of the learning curve with Linux/CentOS I’m very glad to have
>>>> an OS that’s more suited to running web servers, and doesn’t constantly
>>>> insist on installing iTunes and the latest OS.
>>>>
>>>> It may be a little dated, and there are more complete articles out there on
>>>> PCI/Linux security, but this was a helpful and encouraging article from Chris
>>>> Wik as I made the transition:
>>>>
>>>>   http://www.cwik.ch/2013/01/setting-up-a-centos-6-server-to-host-a-secure-site/
>>>>
>>>> HTH,
>>>> Max
>>>>
>>>>
>>>>> On Sep 9, 2015, at 4:38 PM, Trevor Borgmeier <[hidden email]> wrote:
>>>>>
>>>>> We have been maintaining PCI compliance with an old Mac Pro limited to Snow
>>>>> Leopard.  But, we've replaced just about every OS X included software in the
>>>>> stack with version compiled from source ... apache, php, openssl, openssh,
>>>>> pureftpd, curl, ... basically everything.
>>>>>
>>>>> Depending on your situation, it may be better to consider migrating to
>>>>> another machine and OS.  Lasso runs on CentOS and then you'll get the
>>>>> benefit of package managers, etc. which should make it much easier to
>>>>> maintain.  Compiling from source isn't so bad once you've done it, but some
>>>>> packages can be quite challenging depending on their needs, dependencies
>>>>> etc.  Given our hardware doesn't support OS's greater than snow leopard
>>>>> meant we were also limited to a max version of X Code making it difficult to
>>>>> install certain software from source.
>>>>>
>>>>> Once you've went through it and got everything compiled, etc everything in
>>>>> place, and using the necessary updated dependencies then maintaining PCI
>>>>> compliance isn't so bad, but getting there will take a good amount of effort
>>>>> and likely won't be too pleasant to do on a live/active production server.
>>>>> All in all, I'd recommend investing in migrating to a linux distro if
>>>>> possible. Like compiling everything from source, it may mean a learning
>>>>> curve for you, but it may save you more time in the long run...
>>>>>
>>>>> -Trevor
>>>>>
>>>>>
>>>>>
>>>>>> On 9/9/15 4:24 PM, Gordon Nord wrote:
>>>>>> Those of you that run commerce sites may know the answer to this question.
>>>>>>
>>>>>> I am running Mac OS 10.8.5, apache 2.2.9, openSSL 0.9.8zg and using
>>>>>> authorize.net <http://authorize.net/> net which uses Trustwave to check up
>>>>>> on PCI compliance. I am good on every question except my system still
>>>>>> supports TLS1.0. That is the point of failure. I am not sure where to go
>>>>>> from here because I am dependent on Apple to update the system which is
>>>>>> currently up to date security wise.
>>>>>>
>>>>>> Trustwave asks us to fill out a Risk Mitigation and Migration Plan for PCI
>>>>>> DSS 3.1 that will hold them off until June 2016. If anyone out there has
>>>>>> done this we are happy to reimburse you for your time and expertise.
>>>>>>
>>>>>> ---------------------------------
>>>>>>
>>>>>> Gordon Nord
>>>>>> Nord Consultants
>>>>>> Ashburn VA 20147-7148 USA
>>>>>> [hidden email]
>>>>>>
>>>>>> ---------------------------------
>>>>>
>>>>>
>>>>> ɹǝıǝɯƃɹoq ɹoʌǝɹʇ

Re: Migrating away from TLS1.0

beaniite
In reply to this post by Steffan A. Cline
Can CentOS duplicate my current setup?

My current setup on a Mac Pro has four multi-homed IPs each serving different society ecommerce sites and each with their own certificates. As well as two Dymo label printers set up in CUPS, one for address labels and one for shipping labels.

Yes, we have a warehouse full of science books.

And we use Steffan’s wonderful ExecuChoice_Tags to print PDFs from HTML for invoices, receipts and a variety of other pieces of paper containing customer information.

All powered by Lasso 8.5.6 and MySQL. Love Lasso by the way.

It does a lot more, except make coffee.
---------------------------------
Gordon Nord
Nord Consultants
Ashburn VA 20147
[hidden email]


On Sep 10, 2015, at 2:30 PM, [hidden email] wrote:

> Drink the Kool-Aid. Come to Linux. It's where all the cool kids are.
>
> I've been using CentOS with EPEL and Remi repos for some time now after moving from OS X and have ZERO regrets.
>
> Thanks,
> Steffan Cline
> [hidden email]
> 602-793-0014
>
>> On Sep 10, 2015, at 10:48 AM, Maxwell Klein <[hidden email]> wrote:
>>
>> +1 on Trevor’s and Steve’s advice here - I’m one of the Linux monkeys Steve trained. It was hard to let go and make the leap to Linux, but when Apple pulled the plug on the Xserve it was clear they’d become a fully consumer-centric operation - and who could blame them. Now that I’m past the steeper parts of the learning curve with Linux/CentOS I’m very glad to have an OS that’s more suited to running web servers, and doesn’t constantly insist on installing iTunes and the latest OS.
>>
>> It may be a little dated, and there are more complete articles out there on PCI/Linux security, but this was a helpful and encouraging article from Chris Wik as I made the transition:
>>
>>   http://www.cwik.ch/2013/01/setting-up-a-centos-6-server-to-host-a-secure-site/
>>
>> HTH,
>> Max
>>
>>
>>> On Sep 9, 2015, at 4:38 PM, Trevor Borgmeier <[hidden email]> wrote:
>>>
>>> We have been maintaining PCI compliance with an old Mac Pro limited to Snow Leopard. But we've replaced just about every piece of OS X included software in the stack with versions compiled from source ... apache, php, openssl, openssh, pureftpd, curl, ... basically everything.
>>>
>>> Depending on your situation, it may be better to consider migrating to another machine and OS. Lasso runs on CentOS and then you'll get the benefit of package managers, etc., which should make it much easier to maintain. Compiling from source isn't so bad once you've done it, but some packages can be quite challenging depending on their needs, dependencies, etc. Given that our hardware doesn't support OSes greater than Snow Leopard, we were also limited to a max version of Xcode, making it difficult to install certain software from source.
>>>
>>> Once you've gone through it and got everything compiled, etc., everything in place, and using the necessary updated dependencies, then maintaining PCI compliance isn't so bad, but getting there will take a good amount of effort and likely won't be too pleasant to do on a live/active production server. All in all, I'd recommend investing in migrating to a Linux distro if possible. Like compiling everything from source, it may mean a learning curve for you, but it may save you more time in the long run...
>>>
>>> -Trevor
>>>
>>>
>>>
>>>> On 9/9/15 4:24 PM, Gordon Nord wrote:
>>>> Those of you that run commerce sites may know the answer to this question.
>>>>
>>>> I am running Mac OS 10.8.5, Apache 2.2.9, OpenSSL 0.9.8zg and using authorize.net <http://authorize.net/>, which uses Trustwave to check up on PCI compliance. I am good on every question except my system still supports TLS1.0. That is the point of failure. I am not sure where to go from here because I am dependent on Apple to update the system, which is currently up to date security-wise.
>>>>
>>>> Trustwave asks us to fill out a Risk Mitigation and Migration Plan for PCI DSS 3.1 that will hold them off until June 2016. If anyone out there has done this we are happy to reimburse you for your time and expertise.
>>>>
>>>> ---------------------------------
>>>>
>>>> Gordon Nord
>>>> Nord Consultants
>>>> Ashburn VA 20147-7148 USA
>>>> [hidden email]
>>>>
>>>> ---------------------------------
>>>>
>>>
>>> ɹǝıǝɯƃɹoq ɹoʌǝɹʇ

Re: Migrating away from TLS1.0

Steffan A. Cline
Yes, it can do ALL that and much more and far more responsively too!

Thanks,
Steffan Cline
[hidden email]
602-793-0014

> On Sep 10, 2015, at 1:49 PM, Gordon Nord <[hidden email]> wrote:
>
> Can CentOS duplicate my current setup?
>
> My current setup on a Mac Pro has four multi-homed IPs each serving different society ecommerce sites and each with their own certificates. As well as two Dymo label printers set up in CUPS, one for address labels and one for shipping labels.
>
> Yes we have a warehouse full of science books.
>
> And we use Steffan’s wonderful ExecuChoice_Tags to print PDFs from HTML for invoices, receipts and a variety of other pieces of paper containing customer information.
>
> All powered by Lasso 8.5.6 and MySQL. Love Lasso by the way.
>
> It does a lot more, except make coffee.
> ---------------------------------
> Gordon Nord
> Nord Consultants
> Ashburn VA 20147
> [hidden email]
>
>
>> On Sep 10, 2015, at 2:30 PM, [hidden email] wrote:
>>
>> Drink the Kool-Aid. Come to Linux. It's where all the cool kids are.
>>
>> I've been using CentOS with EPEL and Remi repos for some time now after moving from OS X and have ZERO regrets.
>>
>> Thanks,
>> Steffan Cline
>> [hidden email]
>> 602-793-0014
>>
>>> On Sep 10, 2015, at 10:48 AM, Maxwell Klein <[hidden email]> wrote:
>>>
>>> +1 on Trevor’s and Steve’s advice here - I’m one of the Linux monkeys Steve trained. It was hard to let go and make the leap to Linux, but when Apple pulled the plug on the Xserve it was clear they’d become a fully consumer-centric operation - and who could blame them. Now that I’m past the steeper parts of the learning curve with Linux/CentOS I’m very glad to have an OS that’s more suited to running web servers, and doesn’t constantly insist on installing iTunes and the latest OS.
>>>
>>> It may be a little dated, and there are more complete articles out there on PCI/Linux security, but this was a helpful and encouraging article from Chris Wik as I made the transition:
>>>
>>>  http://www.cwik.ch/2013/01/setting-up-a-centos-6-server-to-host-a-secure-site/
>>>
>>> HTH,
>>> Max
>>>
>>>
>>>> On Sep 9, 2015, at 4:38 PM, Trevor Borgmeier <[hidden email]> wrote:
>>>>
>>>> We have been maintaining PCI compliance with an old Mac Pro limited to Snow Leopard. But we've replaced just about every piece of OS X included software in the stack with versions compiled from source ... apache, php, openssl, openssh, pureftpd, curl, ... basically everything.
>>>>
>>>> Depending on your situation, it may be better to consider migrating to another machine and OS. Lasso runs on CentOS and then you'll get the benefit of package managers, etc., which should make it much easier to maintain. Compiling from source isn't so bad once you've done it, but some packages can be quite challenging depending on their needs, dependencies, etc. Given that our hardware doesn't support OSes greater than Snow Leopard, we were also limited to a max version of Xcode, making it difficult to install certain software from source.
>>>>
>>>> Once you've gone through it and got everything compiled, etc., everything in place, and using the necessary updated dependencies, then maintaining PCI compliance isn't so bad, but getting there will take a good amount of effort and likely won't be too pleasant to do on a live/active production server. All in all, I'd recommend investing in migrating to a Linux distro if possible. Like compiling everything from source, it may mean a learning curve for you, but it may save you more time in the long run...
>>>>
>>>> -Trevor
>>>>
>>>>
>>>>
>>>>> On 9/9/15 4:24 PM, Gordon Nord wrote:
>>>>> Those of you that run commerce sites may know the answer to this question.
>>>>>
>>>>> I am running Mac OS 10.8.5, Apache 2.2.9, OpenSSL 0.9.8zg and using authorize.net <http://authorize.net/>, which uses Trustwave to check up on PCI compliance. I am good on every question except my system still supports TLS1.0. That is the point of failure. I am not sure where to go from here because I am dependent on Apple to update the system, which is currently up to date security-wise.
>>>>>
>>>>> Trustwave asks us to fill out a Risk Mitigation and Migration Plan for PCI DSS 3.1 that will hold them off until June 2016. If anyone out there has done this we are happy to reimburse you for your time and expertise.
>>>>>
>>>>> ---------------------------------
>>>>>
>>>>> Gordon Nord
>>>>> Nord Consultants
>>>>> Ashburn VA 20147-7148 USA
>>>>> [hidden email]
>>>>>
>>>>> ---------------------------------
>>>>>
>>>>
>>>> ɹǝıǝɯƃɹoq ɹoʌǝɹʇ

Re: Migrating away from TLS1.0

beaniite
I suppose it could run on the MacPro as well.

Gordon
---------------------------------
Gordon Nord
Nord Consultants
Ashburn VA 20147
[hidden email]


On Sep 10, 2015, at 4:51 PM, [hidden email] wrote:

> Yes, it can do ALL that and much more and far more responsively too!
>
> Thanks,
> Steffan Cline
> [hidden email]
> 602-793-0014
>
>> On Sep 10, 2015, at 1:49 PM, Gordon Nord <[hidden email]> wrote:
>>
>> Can CentOS duplicate my current setup?
>>
>> My current setup on a Mac Pro has four multi-homed IPs each serving different society ecommerce sites and each with their own certificates. As well as two Dymo label printers set up in CUPS, one for address labels and one for shipping labels.
>>
>> Yes we have a warehouse full of science books.
>>
>> And we use Steffan’s wonderful ExecuChoice_Tags to print PDFs from HTML for invoices, receipts and a variety of other pieces of paper containing customer information.
>>
>> All powered by Lasso 8.5.6 and MySQL. Love Lasso by the way.
>>
>> It does a lot more, except make coffee.
>> ---------------------------------
>> Gordon Nord
>> Nord Consultants
>> Ashburn VA 20147
>> [hidden email]
>>
>>
>>> On Sep 10, 2015, at 2:30 PM, [hidden email] wrote:
>>>
>>> Drink the Kool-Aid. Come to Linux. It's where all the cool kids are.
>>>
>>> I've been using CentOS with EPEL and Remi repos for some time now after moving from OS X and have ZERO regrets.
>>>
>>> Thanks,
>>> Steffan Cline
>>> [hidden email]
>>> 602-793-0014
>>>
>>>> On Sep 10, 2015, at 10:48 AM, Maxwell Klein <[hidden email]> wrote:
>>>>
>>>> +1 on Trevor’s and Steve’s advice here - I’m one of the Linux monkeys Steve trained. It was hard to let go and make the leap to Linux, but when Apple pulled the plug on the Xserve it was clear they’d become a fully consumer-centric operation - and who could blame them. Now that I’m past the steeper parts of the learning curve with Linux/CentOS I’m very glad to have an OS that’s more suited to running web servers, and doesn’t constantly insist on installing iTunes and the latest OS.
>>>>
>>>> It may be a little dated, and there are more complete articles out there on PCI/Linux security, but this was a helpful and encouraging article from Chris Wik as I made the transition:
>>>>
>>>> http://www.cwik.ch/2013/01/setting-up-a-centos-6-server-to-host-a-secure-site/
>>>>
>>>> HTH,
>>>> Max
>>>>
>>>>
>>>>> On Sep 9, 2015, at 4:38 PM, Trevor Borgmeier <[hidden email]> wrote:
>>>>>
>>>>> We have been maintaining PCI compliance with an old Mac Pro limited to Snow Leopard. But we've replaced just about every piece of OS X included software in the stack with versions compiled from source ... apache, php, openssl, openssh, pureftpd, curl, ... basically everything.
>>>>>
>>>>> Depending on your situation, it may be better to consider migrating to another machine and OS. Lasso runs on CentOS and then you'll get the benefit of package managers, etc., which should make it much easier to maintain. Compiling from source isn't so bad once you've done it, but some packages can be quite challenging depending on their needs, dependencies, etc. Given that our hardware doesn't support OSes greater than Snow Leopard, we were also limited to a max version of Xcode, making it difficult to install certain software from source.
>>>>>
>>>>> Once you've gone through it and got everything compiled, etc., everything in place, and using the necessary updated dependencies, then maintaining PCI compliance isn't so bad, but getting there will take a good amount of effort and likely won't be too pleasant to do on a live/active production server. All in all, I'd recommend investing in migrating to a Linux distro if possible. Like compiling everything from source, it may mean a learning curve for you, but it may save you more time in the long run...
>>>>>
>>>>> -Trevor
>>>>>
>>>>>
>>>>>
>>>>>> On 9/9/15 4:24 PM, Gordon Nord wrote:
>>>>>> Those of you that run commerce sites may know the answer to this question.
>>>>>>
>>>>>> I am running Mac OS 10.8.5, apache 2.2.9, openSSL 0.9.8zg and using authorize.net <http://authorize.net/> net which uses Trustwave to check up on PCI compliance. I am good on every question except my system still supports TLS1.0. That is the point of failure. I am not sure where to go from here because I am dependent on Apple to update the system which is currently up to date security wise.
>>>>>>
>>>>>> Trustwave asks us to fill out a Risk Mitigation and Migration Plan for PCI DSS 3.1 that will hold them off until June 2016. If anyone out there has done this we are happy to reimburse you for your time and expertise.
>>>>>>
>>>>>> ---------------------------------
>>>>>>
>>>>>> Gordon Nord
>>>>>> Nord Consultants
>>>>>> Ashburn VA 20147-7148 USA
>>>>>> [hidden email]
>>>>>>
>>>>>> ---------------------------------
>>>>>>
>>>>>>
>>>>>>
>>>>>> #############################################################
>>>>>>
>>>>>> This message is sent to you because you are subscribed to
>>>>>> the mailing list Lasso [hidden email]
>>>>>> Official list archives available at http://www.lassotalk.com
>>>>>> To unsubscribe, E-mail to: <[hidden email]>
>>>>>> Send administrative queries to  <[hidden email]>
>>>>>>
>>>>>
>>>>>
>>>>> ɹǝıǝɯƃɹoq ɹoʌǝɹʇ
>>>>>
>>>>>
>>>>> #############################################################
>>>>>
>>>>> This message is sent to you because you are subscribed to
>>>>> the mailing list Lasso [hidden email]
>>>>> Official list archives available at http://www.lassotalk.com
>>>>> To unsubscribe, E-mail to: <[hidden email]>
>>>>> Send administrative queries to  <[hidden email]>
>>>>
>>>>
>>>> #############################################################
>>>>
>>>> This message is sent to you because you are subscribed to
>>>> the mailing list Lasso [hidden email]
>>>> Official list archives available at http://www.lassotalk.com
>>>> To unsubscribe, E-mail to: <[hidden email]>
>>>> Send administrative queries to  <[hidden email]>
>>> +1 on Trevor’s and Steve’s advice here - I’m one of the Linux monkeys Steve trained. It was hard to let go and make the leap to Linux, but when Apple pulled the plug on the Xserve it was clear they’d become a fully consumer-centric operation - and who could blame them. Now that I’m past the steeper parts of the learning curve with Linux/CentOS I’m very glad to have an OS that’s more suited to running web servers, and doesn’t constantly insist on installing iTunes and the latest OS.
>>>
>>> It may be a little dated, and there are more complete articles out there on PCI/Linux security, but this was a helpful and encouraging article from Chris Wik as I made the transition:
>>>
>>>   http://www.cwik.ch/2013/01/setting-up-a-centos-6-server-to-host-a-secure-site/
>>>
>>> HTH,
>>> Max
>>>
>>>
>>>> On Sep 9, 2015, at 4:38 PM, Trevor Borgmeier <[hidden email]> wrote:
>>>>
>>>> We have been maintaining PCI compliance with an old Mac Pro limited to Snow Leopard.  But, we've replaced just about every OS X included software in the stack with version compiled from source ... apache, php, openssl, openssh, pureftpd, curl, ... basically everything.
>>>>
>>>> Depending on your situation, it may be better to consider migrating to another machine and OS.  Lasso runs on CentOS and then you'll get the benefit of package managers, etc. which should make it much easier to maintain.  Compiling from source isn't so bad once you've done it, but some packages can be quite challenging depending on their needs, dependencies etc.  Given our hardware doesn't support OS's greater than snow leopard meant we were also limited to a max version of X Code making it difficult to install certain software from source.
>>>>
>>>> Once you've went through it and got everything compiled, etc everything in place, and using the necessary updated dependencies then maintaining PCI compliance isn't so bad, but getting there will take a good amount of effort and likely won't be too pleasant to do on a live/active production server.  All in all, I'd recommend investing in migrating to a linux distro if possible. Like compiling everything from source, it may mean a learning curve for you, but it may save you more time in the long run...
>>>>
>>>> -Trevor
>>>>
>>>>
>>>>
>>>>> On 9/9/15 4:24 PM, Gordon Nord wrote:
>>>>> Those of you that run commerce sites may know the answer to this question.
>>>>>
>>>>> I am running Mac OS 10.8.5, apache 2.2.9, openSSL 0.9.8zg and using authorize.net <http://authorize.net/> net which uses Trustwave to check up on PCI compliance. I am good on every question except my system still supports TLS1.0. That is the point of failure. I am not sure where to go from here because I am dependent on Apple to update the system which is currently up to date security wise.
>>>>>
>>>>> Trustwave asks us to fill out a Risk Mitigation and Migration Plan for PCI DSS 3.1 that will hold them off until June 2016. If anyone out there has done this we are happy to reimburse you for your time and expertise.
>>>>>
>>>>> ---------------------------------
>>>>>
>>>>> Gordon Nord
>>>>> Nord Consultants
>>>>> Ashburn VA 20147-7148 USA
>>>>> [hidden email]
>>>>>
>>>>> ---------------------------------
>>>>>
>>>>>
>>>>>
>>>>> #############################################################
>>>>>
>>>>> This message is sent to you because you are subscribed to
>>>>> the mailing list Lasso [hidden email]
>>>>> Official list archives available at http://www.lassotalk.com
>>>>> To unsubscribe, E-mail to: <[hidden email]>
>>>>> Send administrative queries to  <[hidden email]>
>>>>>
>>>>
>>>>
>>>> ɹǝıǝɯƃɹoq ɹoʌǝɹʇ
>>>>
>>>>
>>>> #############################################################
>>>>
>>>> This message is sent to you because you are subscribed to
>>>> the mailing list Lasso [hidden email]
>>>> Official list archives available at http://www.lassotalk.com
>>>> To unsubscribe, E-mail to: <[hidden email]>
>>>> Send administrative queries to  <[hidden email]>
>>>
>>>
>>> #############################################################
>>>
>>> This message is sent to you because you are subscribed to
>>> the mailing list Lasso [hidden email]
>>> Official list archives available at http://www.lassotalk.com
>>> To unsubscribe, E-mail to: <[hidden email]>
>>> Send administrative queries to  <[hidden email]>
>>>
>>> #############################################################
>>>
>>> This message is sent to you because you are subscribed to
>>> the mailing list Lasso [hidden email]
>>> Official list archives available at http://www.lassotalk.com
>>> To unsubscribe, E-mail to: <[hidden email]>
>>> Send administrative queries to  <[hidden email]>
>>
>>
>> #############################################################
>>
>> This message is sent to you because you are subscribed to
>> the mailing list Lasso [hidden email]
>> Official list archives available at http://www.lassotalk.com
>> To unsubscribe, E-mail to: <[hidden email]>
>> Send administrative queries to  <[hidden email]>
> Can CentOS duplicate my current setup?
>
> My current setup on a MacPro has four multi-homed IPs each serving different society ecommerce sites and each with their own certificates. As well as two Dymo label printers set up in CUPS, one for address labels and one for shipping labels.
>
> Yes we have a warehouse full of science books.
>
> And we use Steffan’s wonderful ExecuChoice_Tags to print pdfs from html for invoices, receipts and a variety of other pieces of paper containing customer information.
>
> All powered by lasso 8.5.6 and MySQL. Love lasso by the way.
>
> It does a lot more,  except make coffee.
> ---------------------------------
> Gordon Nord
> Nord Consultants
> Ashburn VA 20147
> [hidden email]
>
>
> On Sep 10, 2015, at 2:30 PM, [hidden email] wrote:
>
>> Drink the Kool-Aid. Come to Linux. It's where all the cool kids are.
>>
>> I've been using CentOS with the EPEL and Remi repos for some time now after moving from OS X and have ZERO regrets.
>>
>> Thanks,
>> Steffan Cline
>> [hidden email]
>> 602-793-0014
>>
>>> On Sep 10, 2015, at 10:48 AM, Maxwell Klein <[hidden email]> wrote:
>>>
>>> +1 on Trevor’s and Steve’s advice here - I’m one of the Linux monkeys Steve trained. It was hard to let go and make the leap to Linux, but when Apple pulled the plug on the Xserve it was clear they’d become a fully consumer-centric operation - and who could blame them. Now that I’m past the steeper parts of the learning curve with Linux/CentOS I’m very glad to have an OS that’s more suited to running web servers, and doesn’t constantly insist on installing iTunes and the latest OS.
>>>
>>> It may be a little dated, and there are more complete articles out there on PCI/Linux security, but this was a helpful and encouraging article from Chris Wik as I made the transition:
>>>
>>>  http://www.cwik.ch/2013/01/setting-up-a-centos-6-server-to-host-a-secure-site/
>>>
>>> HTH,
>>> Max
>>>
>>>
>>>> On Sep 9, 2015, at 4:38 PM, Trevor Borgmeier <[hidden email]> wrote:
>>>>
>>>> We have been maintaining PCI compliance with an old Mac Pro limited to Snow Leopard.  But, we've replaced just about every OS X included software in the stack with a version compiled from source ... apache, php, openssl, openssh, pureftpd, curl, ... basically everything.
>>>>
>>>> Depending on your situation, it may be better to consider migrating to another machine and OS.  Lasso runs on CentOS and then you'll get the benefit of package managers, etc., which should make it much easier to maintain.  Compiling from source isn't so bad once you've done it, but some packages can be quite challenging depending on their needs, dependencies etc.  Given that our hardware doesn't support OS's greater than Snow Leopard, we were also limited to a max version of Xcode, making it difficult to install certain software from source.
>>>>
>>>> Once you've gone through it and got everything compiled, etc., everything in place, and are using the necessary updated dependencies, then maintaining PCI compliance isn't so bad, but getting there will take a good amount of effort and likely won't be too pleasant to do on a live/active production server.  All in all, I'd recommend investing in migrating to a Linux distro if possible. Like compiling everything from source, it may mean a learning curve for you, but it may save you more time in the long run...
>>>>
>>>> -Trevor
>>>>
>>>>
>>>>
>>>>> On 9/9/15 4:24 PM, Gordon Nord wrote:
>>>>> Those of you that run commerce sites may know the answer to this question.
>>>>>
>>>>> I am running Mac OS 10.8.5, apache 2.2.9, openSSL 0.9.8zg and using authorize.net <http://authorize.net/>, which uses Trustwave to check up on PCI compliance. I am good on every question except my system still supports TLS1.0. That is the point of failure. I am not sure where to go from here because I am dependent on Apple to update the system, which is currently up to date security-wise.
>>>>>
>>>>> Trustwave asks us to fill out a Risk Mitigation and Migration Plan for PCI DSS 3.1 that will hold them off until June 2016. If anyone out there has done this we are happy to reimburse you for your time and expertise.
>>>>>
>>>>> ---------------------------------
>>>>>
>>>>> Gordon Nord
>>>>> Nord Consultants
>>>>> Ashburn VA 20147-7148 USA
>>>>> [hidden email]
>>>>>
>>>>> ---------------------------------
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> ɹǝıǝɯƃɹoq ɹoʌǝɹʇ
>>>>
>>>>

Re: Migrating away from TLS1.0

Steffan A. Cline
https://www.centos.org/forums/viewtopic.php?f=47&t=49674


Thanks,
Steffan Cline
[hidden email]
602-793-0014

On 9/10/15, 2:01 PM, "Gordon Nord" <[hidden email] on behalf of [hidden email]> wrote:

>I suppose it could run on the MacPro as well.
>
>Gordon
>---------------------------------
>Gordon Nord
>Nord Consultants
>Ashburn VA 20147
>[hidden email]
>
>
>On Sep 10, 2015, at 4:51 PM, [hidden email] wrote:
>
>> Yes, it can do ALL that and much more and far more responsively too!
>>
>> Thanks,
>> Steffan Cline
>> [hidden email]
>> 602-793-0014
>>
>>> On Sep 10, 2015, at 1:49 PM, Gordon Nord <[hidden email]> wrote:
>>>
>>> Can CentOS duplicate my current setup?
>>>
>>> My current setup on a MacPro has four multi-homed IPs each serving different society ecommerce sites and each with their own certificates. As well as two Dymo label printers set up in CUPS, one for address labels and one for shipping labels.
>>>
>>> Yes we have a warehouse full of science books.
>>>
>>> And we use Steffan’s wonderful ExecuChoice_Tags to print pdfs from html for invoices, receipts and a variety of other pieces of paper containing customer information.
>>>
>>> All powered by lasso 8.5.6 and MySQL. Love lasso by the way.
>>>
>>> It does a lot more,  except make coffee.
>>> ---------------------------------
>>> Gordon Nord
>>> Nord Consultants
>>> Ashburn VA 20147
>>> [hidden email]
>>>
>>>
>>>> On Sep 10, 2015, at 2:30 PM, [hidden email] wrote:
>>>>
>>>> Drink the Kool-Aid. Come to Linux. It's where all the cool kids are.
>>>>
>>>> I've been using CentOS with the EPEL and Remi repos for some time now after moving from OS X and have ZERO regrets.
>>>>
>>>> Thanks,
>>>> Steffan Cline
>>>> [hidden email]
>>>> 602-793-0014
>>>>
>>>>> On Sep 10, 2015, at 10:48 AM, Maxwell Klein <[hidden email]> wrote:
>>>>>
>>>>> +1 on Trevor’s and Steve’s advice here - I’m one of the Linux monkeys Steve trained. It was hard to let go and make the leap to Linux, but when Apple pulled the plug on the Xserve it was clear they’d become a fully consumer-centric operation - and who could blame them. Now that I’m past the steeper parts of the learning curve with Linux/CentOS I’m very glad to have an OS that’s more suited to running web servers, and doesn’t constantly insist on installing iTunes and the latest OS.
>>>>>
>>>>> It may be a little dated, and there are more complete articles out there on PCI/Linux security, but this was a helpful and encouraging article from Chris Wik as I made the transition:
>>>>>
>>>>> http://www.cwik.ch/2013/01/setting-up-a-centos-6-server-to-host-a-secure-site/
>>>>>
>>>>> HTH,
>>>>> Max
>>>>>
>>>>>
>>>>>> On Sep 9, 2015, at 4:38 PM, Trevor Borgmeier <[hidden email]> wrote:
>>>>>>
>>>>>> We have been maintaining PCI compliance with an old Mac Pro limited to Snow Leopard.  But, we've replaced just about every OS X included software in the stack with a version compiled from source ... apache, php, openssl, openssh, pureftpd, curl, ... basically everything.
>>>>>>
>>>>>> Depending on your situation, it may be better to consider migrating to another machine and OS.  Lasso runs on CentOS and then you'll get the benefit of package managers, etc., which should make it much easier to maintain.  Compiling from source isn't so bad once you've done it, but some packages can be quite challenging depending on their needs, dependencies etc.  Given that our hardware doesn't support OS's greater than Snow Leopard, we were also limited to a max version of Xcode, making it difficult to install certain software from source.
>>>>>>
>>>>>> Once you've gone through it and got everything compiled, etc., everything in place, and are using the necessary updated dependencies, then maintaining PCI compliance isn't so bad, but getting there will take a good amount of effort and likely won't be too pleasant to do on a live/active production server.  All in all, I'd recommend investing in migrating to a Linux distro if possible. Like compiling everything from source, it may mean a learning curve for you, but it may save you more time in the long run...
>>>>>>
>>>>>> -Trevor
>>>>>>
>>>>>>
>>>>>>
>>>>>>> On 9/9/15 4:24 PM, Gordon Nord wrote:
>>>>>>> Those of you that run commerce sites may know the answer to this question.
>>>>>>>
>>>>>>> I am running Mac OS 10.8.5, apache 2.2.9, openSSL 0.9.8zg and using authorize.net <http://authorize.net/>, which uses Trustwave to check up on PCI compliance. I am good on every question except my system still supports TLS1.0. That is the point of failure. I am not sure where to go from here because I am dependent on Apple to update the system, which is currently up to date security-wise.
>>>>>>>
>>>>>>> Trustwave asks us to fill out a Risk Mitigation and Migration Plan for PCI DSS 3.1 that will hold them off until June 2016. If anyone out there has done this we are happy to reimburse you for your time and expertise.
>>>>>>>
>>>>>>> ---------------------------------
>>>>>>>
>>>>>>> Gordon Nord
>>>>>>> Nord Consultants
>>>>>>> Ashburn VA 20147-7148 USA
>>>>>>> [hidden email]
>>>>>>>
>>>>>>> ---------------------------------
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> ɹǝıǝɯƃɹoq ɹoʌǝɹʇ
>>>>>>
>>>>>>
>> Can CentOS duplicate my current setup?
>>
>> My current setup on a MacPro has four multi-homed IPs each serving different society ecommerce sites and each with their own certificates. As well as two Dymo label printers set up in CUPS, one for address labels and one for shipping labels.
>>
>> Yes we have a warehouse full of science books.
>>
>> And we use Steffan’s wonderful ExecuChoice_Tags to print pdfs from html for invoices, receipts and a variety of other pieces of paper containing customer information.
>>
>> All powered by lasso 8.5.6 and MySQL. Love lasso by the way.
>>
>> It does a lot more,  except make coffee.
>> ---------------------------------
>> Gordon Nord
>> Nord Consultants
>> Ashburn VA 20147
>> [hidden email]
>>
>>
>> On Sep 10, 2015, at 2:30 PM, [hidden email] wrote:
>>
>>> Drink the Kool-Aid. Come to Linux. It's where all the cool kids are.
>>>
>>> I've been using CentOS with the EPEL and Remi repos for some time now after moving from OS X and have ZERO regrets.
>>>
>>> Thanks,
>>> Steffan Cline
>>> [hidden email]
>>> 602-793-0014
>>>
>>>> On Sep 10, 2015, at 10:48 AM, Maxwell Klein <[hidden email]> wrote:
>>>>
>>>> +1 on Trevor’s and Steve’s advice here - I’m one of the Linux monkeys Steve trained. It was hard to let go and make the leap to Linux, but when Apple pulled the plug on the Xserve it was clear they’d become a fully consumer-centric operation - and who could blame them. Now that I’m past the steeper parts of the learning curve with Linux/CentOS I’m very glad to have an OS that’s more suited to running web servers, and doesn’t constantly insist on installing iTunes and the latest OS.
>>>>
>>>> It may be a little dated, and there are more complete articles out there on PCI/Linux security, but this was a helpful and encouraging article from Chris Wik as I made the transition:
>>>>
>>>>  http://www.cwik.ch/2013/01/setting-up-a-centos-6-server-to-host-a-secure-site/
>>>>
>>>> HTH,
>>>> Max
>>>>
>>>>
>>>>> On Sep 9, 2015, at 4:38 PM, Trevor Borgmeier <[hidden email]> wrote:
>>>>>
>>>>> We have been maintaining PCI compliance with an old Mac Pro limited to Snow Leopard.  But, we've replaced just about every OS X included software in the stack with a version compiled from source ... apache, php, openssl, openssh, pureftpd, curl, ... basically everything.
>>>>>
>>>>> Depending on your situation, it may be better to consider migrating to another machine and OS.  Lasso runs on CentOS and then you'll get the benefit of package managers, etc., which should make it much easier to maintain.  Compiling from source isn't so bad once you've done it, but some packages can be quite challenging depending on their needs, dependencies etc.  Given that our hardware doesn't support OS's greater than Snow Leopard, we were also limited to a max version of Xcode, making it difficult to install certain software from source.
>>>>>
>>>>> Once you've gone through it and got everything compiled, etc., everything in place, and are using the necessary updated dependencies, then maintaining PCI compliance isn't so bad, but getting there will take a good amount of effort and likely won't be too pleasant to do on a live/active production server.  All in all, I'd recommend investing in migrating to a Linux distro if possible. Like compiling everything from source, it may mean a learning curve for you, but it may save you more time in the long run...
>>>>>
>>>>> -Trevor
>>>>>
>>>>>
>>>>>
>>>>>> On 9/9/15 4:24 PM, Gordon Nord wrote:
>>>>>> Those of you that run commerce sites may know the answer to this question.
>>>>>>
>>>>>> I am running Mac OS 10.8.5, apache 2.2.9, openSSL 0.9.8zg and using authorize.net <http://authorize.net/>, which uses Trustwave to check up on PCI compliance. I am good on every question except my system still supports TLS1.0. That is the point of failure. I am not sure where to go from here because I am dependent on Apple to update the system which is currently up to date security wise.
>>>>>>
>>>>>> Trustwave asks us to fill out a Risk Mitigation and Migration Plan for PCI DSS 3.1 that will hold them off until June 2016. If anyone out there has done this we are happy to reimburse you for your time and expertise.
>>>>>>
>>>>>> ---------------------------------
>>>>>>
>>>>>> Gordon Nord
>>>>>> Nord Consultants
>>>>>> Ashburn VA 20147-7148 USA
>>>>>> [hidden email]
>>>>>>
>>>>>> ---------------------------------
>>>>>
>>>>> ɹǝıǝɯƃɹoq ɹoʌǝɹʇ