I have updated openssl-1.0.1e to openssl-1.0.1t but I am still getting an F rating


#1

I have tested website on Qualys ssl lab and get F rating with following error:
This server is vulnerable to the OpenSSL Padding Oracle vulnerability (CVE-2016-2107) and insecure. Grade set to F.

I have updated openssl to 1.0.1t but I am still getting an F rating.


#2

Are you happy to provide the domain name, so we can do some checks? Have you restarted things properly? Is openssl 1.0.1t being used?


#3

Has your webserver been restarted? Perhaps it still uses the old libraries from memory…


#4

Yes, I have already restarted the Apache server.


#5

Please check domain name: xxxxxxxx


#6

Looking at the site, it’s still reporting the older version …

What version does the command line say you are running?

openssl version

If that says it’s 1.0.1t, then is it possible to restart the server to ensure everything is loading / using that version?


#7

Maybe the webserver was statically rather than dynamically linked against OpenSSL?


#8

Good point, hadn’t thought of that.


#9

Thanks to all, the problem is solved.

Before, I installed the tar file of openssl and created soft links for it:
$ cd /usr/src
$ wget https://www.openssl.org/source/openssl-1.0.1t.tar.gz -O openssl-1.0.1t.tar.gz
$ tar -zxf openssl-1.0.1t.tar.gz
$ cd openssl-1.0.1t
$ ./config
$ make
$ make test
$ make install
$ ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

But the above procedure is wrong, below is the correct solution:

Solution
$ yum update openssl

And restart apache server.
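A check for the situation this thread describes (the `openssl` CLI reporting one version while Apache still loads another, or still has the pre-update library mapped), written as an added example that is not from the thread. The `ldd` and `/proc/<pid>/maps` samples below are constructed; on a live host the commented commands at the end replace them.

```shell
#!/bin/sh
# Added example: compare what the OpenSSL CLI reports with what httpd actually
# links against, and detect a running httpd that still maps a libssl/libcrypto
# file that was replaced on disk (shown as "(deleted)" in /proc/<pid>/maps).

# Print the libssl/libcrypto paths found in `ldd` output read from stdin.
ssl_libs_from_ldd() {
  awk '/libssl|libcrypto/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# Exit 0 if the /proc/<pid>/maps text on stdin shows a libssl/libcrypto
# mapping whose file has been replaced: that process needs a restart.
stale_ssl_mapping() {
  grep -E 'lib(ssl|crypto).*\(deleted\)' >/dev/null
}

# Constructed sample `ldd httpd` output. A build installed under /usr/local/ssl
# would show up here as a different path from the package-managed library.
SAMPLE_LDD='  linux-vdso.so.1 =>  (0x00007ffd0e5f0000)
  libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f3c1e400000)
  libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f3c1e000000)
  libc.so.6 => /lib64/libc.so.6 (0x00007f3c1dc00000)'

# Constructed sample /proc/<pid>/maps excerpt: httpd still maps the old file.
SAMPLE_MAPS='7f3c1e400000-7f3c1e460000 r-xp 00000000 fd:01 1234 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3c1dc00000-7f3c1ddc0000 r-xp 00000000 fd:01 5678 /lib64/libc-2.17.so'

main() {
  echo "CLI reports: $(openssl version 2>/dev/null || echo 'openssl not found')"
  echo "httpd links against:"
  printf '%s\n' "$SAMPLE_LDD" | ssl_libs_from_ldd
  if printf '%s\n' "$SAMPLE_MAPS" | stale_ssl_mapping; then
    echo "httpd maps a replaced libssl/libcrypto: restart it"
  fi
  # On a live host use the real data instead of the samples:
  #   ldd "$(command -v httpd || command -v apache2)" | ssl_libs_from_ldd
  #   cat /proc/"$(pgrep -o httpd)"/maps | stale_ssl_mapping
}
main
```

If `ldd` lists no libssl at all, httpd was linked statically (post #7) and only a rebuilt or updated httpd package carries the fix.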


#10

:fearful: :stuck_out_tongue_closed_eyes:

