F Rating for helloworld.letsencrypt.org on Qualys SSL Labs [Fixed]

I hate to be a buzzkill, but you should probably look into fixing the OpenSSL Padding Oracle vulnerability (CVE-2016-2107) on https://helloworld.letsencrypt.org to improve your F rating: https://www.ssllabs.com/ssltest/analyze.html?d=helloworld.letsencrypt.org. Having this issue might hurt some folks’ confidence in you.

Edit: Thanks for the quick turnaround with fixing this issue. Good work!

2 Likes

Hi Okwolf.

Thanks for bringing this up! I’ve raised the issue with our ops team to discuss remediation.

1 Like

Hi again Okwolf,

Just wanted to leave you a note to say that the issue has been fixed. https://helloworld.letsencrypt.org is showing an “A” rating now that CVE-2016-2107 is addressed.

Thanks again for pointing out that oversight.

3 Likes

I still see the same issue for my site

https://www.ssllabs.com/ssltest/analyze.html?d=thetascript.com

Note that this is a server configuration issue, and not something that is related to the certificate. Make sure that your server has installed all available updates (especially for OpenSSL) and that your server configuration is okay. The Mozilla SSL Configuration Generator is a good starting point.

2 Likes

To add on to @pfg’s reply, if you are using OpenSSL you will need to make sure that you update to OpenSSL version 1.0.2h or newer if you use the 1.0.2x release, or version 1.0.1t or newer if you use the 1.0.1x release.

2 Likes

Yup ssllabs now tests for CVE-2016-2107 and problem is directly related to OpenSSL needing 1.0.2h or if you're using LibreSSL at least 2.3.4+. Test your sites via Test your server for yet another CBC padding oracle (CVE-2016-2107) as well to see if your web server and underlying OpenSSL is vulnerable

My server is running OpenSSL 1.0.2h but I am still getting an F rating saying I am vulnerable. What else should I be checking. Here is my SSL config right now for NGINX.

http://pastebin.com/AtBMV8xu

EDIT: I think i figured it out. I need to rebuild NGINX to use the new version of OpenSSL.

$ sudo nginx -V
nginx version: nginx/1.10.0
built with OpenSSL 1.0.2g-fips  1 Mar 2016`

yup especially if you source compiled nginx

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.