
CVE-2014-0224 test on SSL Labs broken?

Question asked by Joseph Hall on Apr 1, 2015
Latest reply on Apr 2, 2015 by Adm Selec

Hi, we noticed that we got an "F" at SSL Labs' Server Test due to CVE-2014-0224.

We patched and re-ran the test and are still getting an F: SSL Server Test: (Powered by Qualys SSL Labs)

CVE-2014-0224 mitigation involves patching openssl+libssl and we can verify the patch by running:

    $ apt-get changelog openssl | grep CVE-2014-0224

The results should not be empty, and ours appear to be correct:

    $ apt-get changelog openssl | grep CVE-2014-0224
    - debian/patches/CVE-2014-0224-regression2.patch: accept CCS after
    - debian/patches/CVE-2014-0224.patch: set the CCS_OK flag when using
    - debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec
    - debian/patches/CVE-2014-0224-2.patch: don't accept zero length master
    - debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in
    - CVE-2014-0224

So, we're at a loss as to what to do next... is the SSL Labs' Server test correct here?

best and thanks much for your eyeballs, Joe
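An added check that is not part of the original thread or of SSL Labs: the changelog grep above only proves the fixed libssl is on disk, while a TLS daemon that was started before the upgrade keeps the old library mapped until it is restarted, so a remote scan still sees the vulnerable build. The script below looks for such "(deleted)" libssl/libcrypto mappings in /proc; the function names and the sample maps excerpt are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): after upgrading openssl/libssl on disk,
# every long-running TLS process still maps the OLD copy until restarted; the
# kernel marks those mappings "(deleted)" in /proc/<pid>/maps.

# stale_ssl_maps MAPS_FILE: prints each replaced libssl/libcrypto path found
# in MAPS_FILE; returns 1 if any (restart needed), 0 if the process is clean.
stale_ssl_maps() {
    # Field 6 is the mapped file, field 7 is "(deleted)" when the on-disk file
    # was replaced after the process mapped it.
    stale=$(awk '$6 ~ /lib(ssl|crypto)\.so/ && $7 == "(deleted)" { print $6 }' "$1" | sort -u)
    if [ -z "$stale" ]; then return 0; fi
    printf '%s\n' "$stale"
    return 1
}

# scan_running_processes: walks /proc and reports every PID still holding a
# replaced TLS library; returns 1 if any. Reading other users' maps needs root.
scan_running_processes() {
    found=0
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        if ! stale_ssl_maps "$maps" >/dev/null 2>&1; then
            echo "PID $pid ($(cat "/proc/$pid/comm" 2>/dev/null)) maps a replaced libssl/libcrypto: restart it"
            found=1
        fi
    done
    return $found
}

# make_sample_maps stale|fresh: writes a constructed /proc/<pid>/maps excerpt to
# a temp file and prints its path ("stale" = worker started before the upgrade).
make_sample_maps() {
    f=$(mktemp)
    if [ "$1" = stale ]; then tag=" (deleted)"; else tag=""; fi
    cat > "$f" <<EOF
7f1c2a000000-7f1c2a1d0000 r-xp 00000000 08:01 131073 /lib/x86_64-linux-gnu/libssl.so.1.0.0$tag
7f1c2a3d0000-7f1c2a5a0000 r-xp 00000000 08:01 131074 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0$tag
7f1c2a7c0000-7f1c2a900000 r-xp 00000000 08:01 131080 /lib/x86_64-linux-gnu/libc-2.19.so
EOF
    echo "$f"
}

# Demo on the constructed sample; run scan_running_processes as root on the real host.
stale_ssl_maps "$(make_sample_maps stale)" || echo "-> restart the service that owns this mapping"
```

If the scan reports nothing and the library on disk is patched, the remaining suspects are a different TLS stack in front of the host (load balancer, CDN) or a statically linked OpenSSL inside the daemon itself.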