
False ssllabs ratings for OpenSSL CCS vulnerability?

Question asked by Clair Staley on Jun 24, 2014
Latest reply on Jun 26, 2014 by Clair Staley

Hello,


Using ssllabs.com, my server is given an "F" rating for the following reason:  Experimental: This server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224) and exploitable. Grade set to F.

=======================================

Here is my server:    host.paideiahome.net

=======================================

The above appears to be invalid for RHEL v6:

https://rhn.redhat.com/errata/RHSA-2014-0625.html

I am running the patched version from RH:

=====
christopher@Netrunner:~$ ssh 162.248.50.40
Warning: Permanently added '[162.248.50.40]:2200' (RSA) to the list of known hosts.
root@162.248.50.40's password:
Last login: Wed Jun 11 13:01:21 2014 from noc.al.privatesystems.net
root@host [~]# rpm -qa | grep openssl
openssl-devel-1.0.1e-16.el6_5.14.i686
openssl-1.0.1e-16.el6_5.14.i686
root@host [~]# cat /etc/*release
CentOS release 6.5 (Final)
CentOS release 6.5 (Final)
CentOS release 6.5 (Final)
=====

Just to make sure, I tried forcing an update of OpenSSL, but I do in fact have the latest patched update:

=====
root@host [~]# yum update openssl --force
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: ftpmirror.your.org
 * extras: centos.hostingxtreme.com
 * updates: mirror.beyondhosting.net
base | 3.7 kB 00:00
extras | 3.4 kB 00:00
updates | 3.4 kB 00:00
Setting up Update Process
No Packages marked for Update
=====


If I am correct, can you please change the way SSLLABS rates for the OpenSSL CCS vulnerability, so that it doesn't give an indiscriminate "F"?


Thanks!

Clair
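Two checks that help decide whether a CCS finding like the one above is a scanner false positive, as an added example that is neither the poster's nor Qualys' code: first, compare each installed openssl RPM against the fixed build from the vendor errata using rpm-style version comparison; second, look for processes that still have a deleted (pre-update) libssl or libcrypto mapped, because a library replaced on disk is not picked up by a daemon until it is restarted, and such a daemon keeps negotiating with the old code. The fixed build 1.0.1e-16.el6_5.14 is assumed to be the minimum patched build from RHSA-2014-0625 (it is the build shown in the post's rpm output); the /proc maps excerpts are constructed sample data, not captured from the poster's host.

```python
"""Defender-side checks for a CVE-2014-0224 scanner finding on a host that
claims to be patched: (1) audit the installed OpenSSL RPMs against the fixed
build from the errata, (2) find processes still running the old library."""
import os
import re
from typing import Dict, List, Tuple

# Fixed build for RHEL/CentOS 6 from RHSA-2014-0625; it is also the version in
# the post's `rpm -qa` output. Assumption: this is the minimum patched build.
FIXED_EL6: Tuple[str, str] = ("1.0.1e", "16.el6_5.14")

# Sample of the post's `rpm -qa | grep openssl` output.
SAMPLE_RPM_LINES: List[str] = [
    "openssl-devel-1.0.1e-16.el6_5.14.i686",
    "openssl-1.0.1e-16.el6_5.14.i686",
]

# Constructed /proc/<pid>/maps excerpts (not from the poster's host):
# pid 1234 still maps a libssl/libcrypto that yum has since replaced on disk.
SAMPLE_MAPS: Dict[int, str] = {
    1234: "7f10 r-xp 00000000 fd:00 9001 /usr/lib/libssl.so.1.0.1e (deleted)\n"
          "7f20 r-xp 00000000 fd:00 9002 /usr/lib/libcrypto.so.1.0.1e (deleted)\n",
    5678: "7f30 r-xp 00000000 fd:00 9101 /usr/lib/libssl.so.1.0.1e\n"
          "7f40 r-xp 00000000 fd:00 9102 /usr/lib/libcrypto.so.1.0.1e\n",
}

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")
_STALE = re.compile(r"/lib(?:ssl|crypto)\.so\S*\s+\(deleted\)$")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm label comparison: split into digit/alpha runs, compare
    digit runs numerically and alpha runs lexically; a digit run beats an
    alpha run; if all shared segments match, the longer string is newer.
    Returns -1, 0 or 1. (rpm's tilde/caret ordering is not implemented.)"""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_nvra(line: str) -> Tuple[str, str, str, str]:
    """Split 'name-version-release.arch' as printed by `rpm -qa`."""
    nvr, _, arch = line.strip().rpartition(".")
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def is_patched(version: str, release: str,
               fixed: Tuple[str, str] = FIXED_EL6) -> bool:
    """True when version-release is at or above the fixed build."""
    c = rpmvercmp(version, fixed[0])
    if c != 0:
        return c > 0
    return rpmvercmp(release, fixed[1]) >= 0


def audit_rpm_lines(lines: List[str]) -> Dict[str, bool]:
    """Map each installed openssl package to whether it meets the fixed build."""
    report: Dict[str, bool] = {}
    for line in lines:
        name, version, release, _ = parse_nvra(line)
        report[name] = is_patched(version, release)
    return report


def stale_processes(maps_by_pid: Dict[int, str]) -> List[int]:
    """PIDs whose maps still reference a deleted libssl/libcrypto: these run
    the pre-update code no matter what `rpm -qa` reports."""
    return sorted(pid for pid, text in maps_by_pid.items()
                  if any(_STALE.search(ln) for ln in text.splitlines()))


def read_proc_maps() -> Dict[int, str]:
    """Collect /proc/<pid>/maps for every readable process (Linux only)."""
    out: Dict[int, str] = {}
    if not os.path.isdir("/proc"):
        return out
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/maps") as fh:
                    out[int(entry)] = fh.read()
            except OSError:  # process exited or maps not readable
                continue
    return out


if __name__ == "__main__":
    print("package audit:", audit_rpm_lines(SAMPLE_RPM_LINES))
    print("stale (constructed sample):", stale_processes(SAMPLE_MAPS))
    print("stale (this host):", stale_processes(read_proc_maps()))
```

Run as root on the host after a `yum update openssl`: if the package audit passes but `stale_processes` lists the web or mail daemon, the remote scanner is right, and the service needs a restart (or the host a reboot) before a rescan is meaningful.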
