Is there any explanation of how exactly ssllabs checks CVE-2019-1559? Can I perform this check manually? Oracle (as the vendor of an HTTP server) is asking for this in order to verify whether this is actually a threat (0-length OpenSSL vuln).
Manual verification can be done by running `openssl version`. Versions greater than or equal to 1.0.2 and less than 1.0.2r are vulnerable according to the OpenSSL security advisory.
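As an added example (not part of the original thread), here is a small script that automates the version comparison described in the reply above: it parses the `openssl version` banner into a comparable tuple and flags anything at or above 1.0.2 and below 1.0.2r, the range the reply quotes from the OpenSSL advisory. The sample banners in the `__main__` block are constructed for illustration.

```python
import re
import shutil
import subprocess

# Affected range as quoted in the reply above: 1.0.2 <= version < 1.0.2r.
# OpenSSL 1.0.x patch releases are ordered by a letter suffix ("" < "a" < ... < "r"),
# so a (major, minor, fix, letter) tuple compares in release order.
VULN_LOW = (1, 0, 2, "")    # first affected release (1.0.2, no letter)
VULN_FIX = (1, 0, 2, "r")   # first fixed release (1.0.2r)

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Turn e.g. 'OpenSSL 1.0.2k-fips  26 Jan 2017' into (1, 0, 2, 'k')."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def is_vulnerable_cve_2019_1559(banner):
    """True if the banner's version falls in the advisory range [1.0.2, 1.0.2r)."""
    return VULN_LOW <= parse_openssl_version(banner) < VULN_FIX


def local_openssl_banner():
    """Run `openssl version` on this host and return its output (None if absent)."""
    exe = shutil.which("openssl")
    if exe is None:
        return None
    return subprocess.run([exe, "version"], capture_output=True, text=True,
                          check=True).stdout.strip()


if __name__ == "__main__":
    # Constructed sample banners, not taken from any real host.
    for sample in ("OpenSSL 1.0.2k-fips  26 Jan 2017",
                   "OpenSSL 1.0.2r  26 Feb 2019",
                   "OpenSSL 1.1.1b  26 Feb 2019"):
        print("%-40s vulnerable range: %s" % (sample, is_vulnerable_cve_2019_1559(sample)))
    banner = local_openssl_banner()
    if banner:
        print("local: %s -> %s" % (banner, is_vulnerable_cve_2019_1559(banner)))
```

Note that this is only a version-string check: distributions that backport security fixes keep the upstream version string, so a host reporting 1.0.2k may already carry the fix. The package changelog or the vendor's advisory is the authoritative source when the version alone is inconclusive.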
Oracle HTTP Server does not use OpenSSL. So that's why I wonder how this test is technically done (remotely).
I don't use Oracle HTTP Server, so I could be wrong, but are you sure they don't use OpenSSL? As far as I can tell, from searching the internet, OHS is based on Apache HTTP Server.
ORACLE-BASE - Oracle HTTP Server (OHS) 11g and 12c : Configure SSL
ORACLE-BASE - Linux HTTP Server Configuration
And, the first instruction on that page is to install mod_ssl and its dependency OpenSSL.
Unfortunately, I personally, do not know how the remote check is implemented.
Thanks for the reply. Basically you're absolutely right and Oracle HTTP Server is an Apache "fork". Regarding SSL, however, this is not true: they use their own SSL module mod_ossl (Oracle SSL) instead of the usual OpenSSL module from Apache. Of course eventually this is simply another fork, but nevertheless it then has different version numbers. So checking just the version does not work.
So it would really be helpful to find out how that is determined, especially since e.g. support.oracle.com is also Oracle HTTP Server and does not show this error.
Cross-linking potentially related discussions.
CVE-2019-1559: ssllabs scan returns different results scanning the same server
nshah, can you share how to manually test/verify CVE-2019-1559? From reading the CVE, it reads like the test would involve a custom SSL client that can send zero byte records and may not be easily replicated with standard tools like cURL.