
False ssllab ratings for OpenSSL CCS vulnerability?

Question asked by Clair Staley on Jun 24, 2014
Latest reply on Jun 26, 2014 by Clair Staley


Using, my server is given an "F" rating for the following reason: Experimental: This server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224) and exploitable. Grade set to F.


Here is my server:

The above appears to be invalid for RHEL v6:

I am running the patched version from RH:

christopher@Netrunner:~$ ssh
Warning: Permanently added '[]:2200' (RSA) to the list of known hosts.
root@'s password:
Last login: Wed Jun 11 13:01:21 2014 from
root@host [~]# rpm -qa | grep openssl

root@host [~]# cat /etc/*release
CentOS release 6.5 (Final)
CentOS release 6.5 (Final)
CentOS release 6.5 (Final)

Just to make sure, I tried forcing an update of OpenSSL, but I do in fact have the latest patched update:


root@host [~]# yum update openssl --force
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base:
* extras:
* updates:
base | 3.7 kB 00:00
extras | 3.4 kB 00:00
updates | 3.4 kB 00:00
Setting up Update Process
No Packages marked for Update

If I am correct, can you please change the way SSLLABS rates for the OpenSSL CCS vulnerability, so that it doesn't give an indiscriminate "F"?
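Two local checks that complement the remote SSL Labs result, added here as an example and not part of the original post or of the SSL Labs tool. Red Hat and CentOS backport security fixes without changing the upstream version string, so "openssl-1.0.1e" on its own says nothing about CVE-2014-0224; the package changelog does. Separately, a patched library on disk is not loaded by daemons that were started before the update, and an external scanner will keep reporting such a daemon as vulnerable until it is restarted. The script assumes an RPM-based Linux host with `rpm` and a readable `/proc`; the changelog and `maps` lines used to exercise it are constructed, not copied from any real package.

```shell
#!/bin/sh
# Added example, not from the original post: local checks for CVE-2014-0224
# on an RPM-based host (e.g. CentOS 6.5). Assumes rpm(8) and Linux /proc.

# Return 0 if the changelog text on stdin mentions the CCS-injection CVE.
# This is how to tell whether a backported fix is present, since the
# version number of a RHEL/CentOS openssl package does not change.
changelog_mentions_ccs_fix() {
    grep -qi 'CVE-2014-0224'
}

# Return 0 if the /proc/<pid>/maps text on stdin shows a libssl or libcrypto
# object that was replaced on disk after the process loaded it. The kernel
# marks such mappings with "(deleted)" because the old inode is gone.
maps_has_stale_ssl() {
    grep -qE 'lib(ssl|crypto)[^ ]* \(deleted\)'
}

# Print "<pid> <command line>" for every process still using the old library.
# Unreadable maps files (other users' processes when not root) are skipped.
stale_ssl_processes() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if maps_has_stale_ssl < "$maps" 2>/dev/null; then
            cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null | cut -c1-60)
            printf '%s %s\n' "$pid" "$cmd"
        fi
    done
}

main() {
    if command -v rpm >/dev/null 2>&1; then
        if rpm -q --changelog openssl | changelog_mentions_ccs_fix; then
            echo "installed openssl changelog references CVE-2014-0224 (fix is backported)"
        else
            echo "no CVE-2014-0224 entry in the openssl changelog: package is NOT patched"
        fi
    else
        echo "rpm not found; skipping changelog check"
    fi

    stale=$(stale_ssl_processes)
    if [ -n "$stale" ]; then
        echo "processes still using the pre-update libssl/libcrypto (restart them):"
        echo "$stale"
    else
        echo "no readable process has a deleted libssl/libcrypto mapped"
    fi
}

main "$@"
```

Run it as root so every process's `maps` file is readable; a non-empty second list means the web server, mail server or control panel services listed there must be restarted (or the host rebooted) before a rescan can come back clean, regardless of what `rpm -qa` and `yum update` report.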