I ran a compliance check on an SSL certificate that I got from Let’sEncrypt and learned that the version of OpenSSL used to generate the certificate is no longer supported by the vendor. No further security patches or upgrades will be released by the vendor for this version, and the vendor will not evaluate this version when investigating new vulnerability reports.
As a result, vulnerability exists in the detected version of OpenSSL and they recommend upgrading to OpenSSL 1.0.2g version
Question: Does Let’sEncrypt plan to upgrade to the new version of OpenSSL (1.0.2g or better)?
Not sure why the compliance tool reports this as an OpenSSL certificate. Compliance tool was from https://www.pcirapidcomply.com/.
However, here are additional details about potential vulnerability
Description: OpenSSL - fmtstr function improperly calculates string lengths
The detected version of OpenSSL is known to have a vulnerability which allows attackers to obtain sensitive information or cause denial of service because the function |fmtstr| can do a out-of-bounds read and the function |doapr_outch| can do a out-of-bounds write when receiving large amounts of data.
Note: OpenSSL recognises this vulnerability as CVE-2016-0799, and this CVE is referenced in the Security Advisory from 01 March 2016. NVD, and some other sources, split this vulnerability into 2 CVEs: CVE-2016-0799 and CVE-2016-2842. Patch referenced in URLs section addresses both issues.
Remediation: OpenSSL has patched this vulnerability in versions 1.0.1s, and 1.0.2g. Update to one of the specified versions or the newest available version.
I’m not sure how that CVE would affect certificates?
Can you tell more about the compliance check besides just the URL to some company? Screenshots of the output? How does the check work? Do you input a site? Or a certificate as a file?
Then I simply asked the compliance tool to scan the web server using a URL on that server - www.solutionshill.com in this case. The compliance tool is a paid service from TransAmor, so it’s not open to the public.
Here’s a screenshot of the the compliance test report.
And what info or thought led you to the conclusion it’s the certificate this tool is reporting about? I’m thinking it reports problems with the OpenSSL version of the webserver!
This reflects the software that is installed on your web server, and not a property of the certificate. The compliance tester error is responding to this header rather than to anything related to the certificate.
Let's Encrypt was not responsible for installing this particular software on your computer.
Overall it looks like you have a good configuration and an update of the OpenSSL library or web server may patch vulnerabilities.
The only odd thing is that you are returning 3 certificates with your server certificate being sent twice.
Looking at the headers you are using openssl 1.0.1K. You can view the changes in the latest release here: https://www.openssl.org/news/openssl-1.0.1-notes.html. I agree with TransAmor assessment that updating to a newer version of OpenSSL is a good idea (lots of CVEs worked on between K and T)
HOWEVER - before doing any upgrades you should verify that your web server (APACHE) can you the new version and that there are no issues
It’s likely some distro package of Apache and OpenSSL that is based on an old version but has all relevant security patches backported. Security scanners that warn based only on reported version numbers can be utterly misleading.
The certificate chain view of SSLLabs doesn't show the SAN field for the certs in the chain. In reality, this "extra" cert is the same as the end leaf certificate (also with Common Name the www subdomain, with the "bare" subdomain in the SAN field, check completely at the top of the SSLLabs report to see the cert).
Although I agree it's not necessary to send the end leaf certificate twice, it's not a different certificate
