
OpenSSL Padding Oracle vulnerability (CVE-2016-2107)

Question asked by william harvey on Dec 15, 2016
Latest reply on Dec 17, 2016 by Busby

Hi there,

I have a test server running CentOS 6.8 and can't overcome this message:

This server is vulnerable to the OpenSSL Padding Oracle vulnerability (CVE-2016-2107) and insecure. Grade set to F.

I believe it's to do with OpenSSL and I have the latest version OpenSSL 1.1.0c  10 Nov 2016.
Could it be to do with my Ciphers?
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:!RC4:HIGH:MEDIUM:+TLSv1:+TLSv1.1:+TLSv1.2:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
SSLHonorCipherOrder on

The test domain I'm running is this. SSL Server Test: biduno.com (Powered by Qualys SSL Labs)

Any help would be very much appreciated.

Regards

William
