New to this forum, but I want to determine if the Qualys SSL scanner is testing for this recent vulnerability.
Scanning for CVE-2016-2018 is ready. We are going to deploy tomorrow morning on dev.ssllabs.com.
Is this discussion on the same problem? CVE-2016-2018 and CVE-2016-2108? It is probably about the latter (OpenSSL vulnerability), isn't it?
Sorry, it is for CVE-2016-2107 (from https://www.openssl.org/news/secadv/20160503.txt). We are going to release on Monday. There is a little delay from the original plan.
If others are interested, the test was released on dev.ssllabs.com. I caught one server with this problem:
Link points to: https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/
We have deployed detection for CVE-2016-2107 on dev.ssllabs.com. We are giving advance notification of the grading criteria changes. Currently, if the server is found to be vulnerable to this attack, grades are capped to C. Grades will be set to F from 06/06/2016. SSL Labs grading update notifications are released here.
I suggest adding your link to the home page in the News section: https://www.ssllabs.com/
I don't know about others, but the first thing I look at when typing in ssllabs.com is the News section.
A link to the blog post displays under News at https://www.ssllabs.com/ now.
It was supposed to appear there automatically when the blog post was first published, but a process bug (that we are now fixing) caused that not to happen. Thanks for the heads up.
I made a test of one server on dev.ssllabs.com and it gets C because of CVE-2016-2107, but it still gets A+ on www.ssllabs.com. Is this OK? This test is currently not implemented on the production machine, is it?
Not yet in Production - ssllabs.com.
A search of the Qualys Knowledge Base shows two entries for this CVE.
One requires authentication to detect but the other does not. However, the remote discovery (no auth) would be listed as a potential, not as a confirmed, vulnerability. In this case you could do a scan, then locate all the potentials, and then try to do a more narrow authenticated scan to confirm the issue on those devices.
Please let me know if you need any other information.