
How does ssllabs.com determine OpenSSL version?

Question asked by Rachel Parker on Nov 22, 2016
Latest reply on Dec 7, 2016 by Rachel Parker

How does www.ssllabs.com determine if a server has patched for the CVE-2016-2107 vulnerability?  I believe my websites are incorrectly showing as being vulnerable.  I'd rather not post an example website if at all possible.

A "Test your server" run from https://www.ssllabs.com reports that my websites are vulnerable to OpenSSL Padding Oracle vuln. (CVE-2016-2107).

I believe this is due to the way Red Hat machines handle versioning.  The initially installed package is always reported, and the change log must be mined to find the latest patches and bug fixes.

Here is what you get when you ask the server for its openssl version:

[root@~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

However, when the change log is checked, it is clear this server has the fix for CVE-2016-2107:

[root@ ~]# rpm -qa --changelog openssl | grep 2107
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC


We sometimes have customers running our sites through this tool and would like a way for me to have our sites show up correctly.

Thanks!
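The post's core point is that on Red Hat systems the `openssl version` banner keeps the original upstream version string even after security fixes are backported, so the only local evidence of a fix is the package changelog. The script below is an added example, not code from the original post, from Qualys, or from SSL Labs; it parses the `rpm -q --changelog` format into entries and reports which package release first mentions a given CVE, alongside the unchanged banner. The changelog text, packager name and release numbers are constructed sample data (only the CVE-2016-2107 line is taken from the post); in practice you would feed it the real output of `rpm -q --changelog openssl` and `openssl version`.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Banner printed by `openssl version`, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013".
BANNER_RE = re.compile(r"^OpenSSL\s+(?P<version>\S+)\s+(?P<date>\d{1,2}\s+\w{3}\s+\d{4})")

# Header line of an rpm changelog entry. RHEL prints
#   * Tue May 03 2016 Packager Name <mail@example.com> 1.0.1e-99.7
# and some builds insert " - " before the version-release; both forms are accepted.
HEADER_RE = re.compile(
    r"^\*\s+(?P<date>\w{3}\s+\w{3}\s+\d{1,2}\s+\d{4})\s+"
    r"(?P<packager>.+?)\s+(?:-\s+)?(?P<evr>\S+)\s*$"
)


@dataclass
class ChangelogEntry:
    date: str
    packager: str
    evr: str                      # version-release recorded in the entry header
    items: List[str] = field(default_factory=list)


def parse_openssl_version(banner: str) -> Optional[Tuple[str, str]]:
    """Return (version, build date) from the `openssl version` banner, or None."""
    m = BANNER_RE.match(banner.strip())
    return (m["version"], m["date"]) if m else None


def parse_rpm_changelog(text: str) -> List[ChangelogEntry]:
    """Parse `rpm -q --changelog` output; rpm lists the newest entry first."""
    entries: List[ChangelogEntry] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append(ChangelogEntry(m["date"], m["packager"], m["evr"]))
        elif line.startswith("- ") and entries:
            entries[-1].items.append(line[2:].strip())
        elif line.strip() and entries and entries[-1].items:
            # A wrapped item continues on the next line.
            entries[-1].items[-1] += " " + line.strip()
    return entries


def entries_mentioning(entries: List[ChangelogEntry], cve: str) -> List[ChangelogEntry]:
    cve = cve.upper()
    return [e for e in entries if any(cve in item.upper() for item in e.items)]


def first_release_with_fix(entries: List[ChangelogEntry], cve: str) -> Optional[str]:
    """Oldest release whose changelog names the CVE (entries are newest-first)."""
    hits = entries_mentioning(entries, cve)
    return hits[-1].evr if hits else None


def assess(banner: str, changelog: str, cve: str) -> Dict[str, object]:
    """Contrast the static banner with the changelog evidence for one CVE."""
    parsed = parse_openssl_version(banner)
    entries = parse_rpm_changelog(changelog)
    fixed_in = first_release_with_fix(entries, cve)
    return {
        "banner_version": parsed[0] if parsed else None,
        "banner_date": parsed[1] if parsed else None,
        "installed_release": entries[0].evr if entries else None,
        "fix_in_changelog": fixed_in is not None,
        "fixed_in_release": fixed_in,
    }


# Constructed sample data: the banner from the post, a changelog with placeholder
# packager and release numbers, and one real line (CVE-2016-2107) from the post.
OPENSSL_BANNER = "OpenSSL 1.0.1e-fips 11 Feb 2013"
SAMPLE_CHANGELOG = """\
* Tue May 03 2016 Placeholder Packager <packager@example.com> 1.0.1e-99.7
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
- fix CVE-PLACEHOLDER-1 - another backported fix (placeholder id)

* Mon Feb 01 2016 Placeholder Packager <packager@example.com> 1.0.1e-99.6
- fix CVE-PLACEHOLDER-2 - earlier backported fix
  (placeholder id, wrapped onto a second line)

* Mon Feb 11 2013 Placeholder Packager <packager@example.com> 1.0.1e-1
- new upstream version
"""

if __name__ == "__main__":
    for key, value in assess(OPENSSL_BANNER, SAMPLE_CHANGELOG, "CVE-2016-2107").items():
        print(f"{key}: {value}")
```

The banner fields never move (`1.0.1e-fips`, `11 Feb 2013`), while the changelog shows the backported fix arriving in a later package release; any check that keys only on the version string will disagree with the package database. Conversely, a changelog line is evidence that the package carries the patch, not that the running service has been restarted onto the patched library, so pair this with `needs-restarting` or a process check when auditing a host.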
