How does www.ssllabs.com determine if a server has patched for the CVE-2016-2107 vulnerability? I believe my websites are incorrectly showing as being vulnerable. I'd rather not post an example website if at all possible.
A "Test your server" run from https://www.ssllabs.com reports that my websites are vulnerable to OpenSSL Padding Oracle vuln.
I believe this is due to the way Red Hat machines handle versioning. The initially installed package is always reported, and the change log must be mined to find the latest patches and bug fixes.
Here is what you get when you ask the server for its openssl version:
[root@~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
However, when the change log is checked, it is clear this server has the fix for CVE-2016-2107:
[root@ ~]# rpm -qa --changelog openssl | grep 2107
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
We sometimes have customers running our sites through this tool and would like a way for me to have our sites show up correctly.
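The post's point is that on Red Hat the `openssl version` string stays at the base upstream version while fixes are backported, so the RPM changelog, not the version, tells you whether a given CVE fix is installed. Below is an added example (not from the question or from Red Hat) that parses `rpm -q --changelog` output and reports the package release in which a CVE fix was recorded; the changelog text is a constructed sample in the standard RPM changelog layout, and the maintainer name and release numbers are made up.

```python
"""Find which package release recorded a CVE fix by reading the RPM changelog
rather than trusting the version string (Red Hat keeps the upstream version,
e.g. 1.0.1e, and backports fixes as release bumps)."""
import re

# Constructed sample of `rpm -q --changelog openssl` output (not a real
# Red Hat changelog; only the entry layout follows the standard RPM format).
SAMPLE_CHANGELOG = """\
* Mon May 09 2016 Example Maintainer <maint@example.invalid> 1.0.1e-48.1
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
- refresh test suite

* Wed Mar 02 2016 Example Maintainer <maint@example.invalid> 1.0.1e-48
- backport cipher suite fixes

* Thu Feb 14 2013 Example Maintainer <maint@example.invalid> 1.0.1e-1
- new upstream version 1.0.1e
"""

# Entry header: "* <Dow Mon DD YYYY> <author ...> <version-release>"
HEADER_RE = re.compile(r"^\* (\w{3} \w{3} \d{2} \d{4}) .+? (\S+)$")


def parse_changelog(text):
    """Return a list of (date, version_release, [entry lines]), newest first,
    mirroring the order rpm prints them."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), []))
        elif line.startswith("- ") and entries:
            entries[-1][2].append(line[2:])
    return entries


def fix_for_cve(text, cve_id):
    """Return (date, version_release) of the newest entry mentioning cve_id,
    or None if the installed package's history never mentions it.
    rpm only prints the installed package's own changelog, so any hit means
    the fix is on the box even though `openssl version` does not show it."""
    pat = re.compile(r"\b" + re.escape(cve_id) + r"\b")
    for date, ver, lines in parse_changelog(text):
        if any(pat.search(entry) for entry in lines):
            return date, ver
    return None
```

On a real host, replace `SAMPLE_CHANGELOG` with the output of `rpm -q --changelog openssl` (for example via `subprocess.check_output`) and pass the CVE you are auditing.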