Hi Kevin,

You write on the https://kevinworthington.com/ site:

> This release was built using OpenSSL 1.0.2g – upgrading is advised.

but both Stable version 1.10.0 (64-bit) 26 Apr 2016 and Mainline version 1.9.15 (64-bit) 20 Apr 2016 are built with OpenSSL 1.0.1g 7 Apr 2014, which has a serious security problem: OpenSSL CCS vuln. (CVE-2014-0224), described on https://blog.qualys.com/ssllabs/2014/06/13/ssl-pulse-49-vulnerable-to-cve-2014-0224-14-exploitable and https://www.openssl.org/news/secadv/20140605.txt.

One can easily verify it by using nginx -V:

    C:\nginx>nginx -V
    nginx version: nginx/1.10.0
    built by gcc 4.8.2 (GCC)
    built with OpenSSL 1.0.1g 7 Apr 2014
    TLS SNI support enabled
    configure arguments: ...

The tests from https://www.ssllabs.com/ssltest/ and https://www.htbridge.com/ssl/ confirm the same too.

Could you rebuild the binaries with OpenSSL 1.0.2g and provide them on https://kevinworthington.com/nginx-for-windows/ ?

Thanks in advance,
Oleg

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,266381,266429#msg-266429
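Added example, not part of the original message or of nginx itself: a Python check that reads the "built with OpenSSL" line from `nginx -V` output and compares it with the first fixed release per branch for CVE-2014-0224 (0.9.8za, 1.0.0m, 1.0.1h). The function names and the embedded sample are assumptions made for illustration.

```python
import re
import subprocess

# First fixed release per branch for CVE-2014-0224, as listed in the OpenSSL
# advisory of 5 June 2014 (secadv/20140605.txt) linked in the message.
FIXED = {(0, 9, 8): "za", (1, 0, 0): "m", (1, 0, 1): "h"}

BUILT_WITH = re.compile(r"built with OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(-\S+)?")

# Constructed sample: the `nginx -V` output quoted in the message.
SAMPLE = """nginx version: nginx/1.10.0
built by gcc 4.8.2 (GCC)
built with OpenSSL 1.0.1g 7 Apr 2014
TLS SNI support enabled
"""

def letter_key(letter):
    # Patch letters run a..z, then za, zb, ...; length-then-alpha orders them.
    return (len(letter), letter)

def openssl_build_version(text):
    """Return ((major, minor, fix), letter, suffix), or None if no match."""
    m = BUILT_WITH.search(text)
    if not m:
        return None
    return (tuple(int(x) for x in m.group(1, 2, 3)), m.group(4), m.group(5) or "")

def ccs_status(text):
    """Classify a build as 'vulnerable', 'fixed' or 'unknown'."""
    parsed = openssl_build_version(text)
    if parsed is None:
        return "unknown"
    branch, letter, suffix = parsed
    if suffix:
        return "unknown"  # suffixed builds (e.g. -beta1) need a manual look
    if branch in FIXED:
        fixed = letter_key(letter) >= letter_key(FIXED[branch])
        return "fixed" if fixed else "vulnerable"
    # Branches newer than 1.0.1 shipped with the fix; older ones are not listed.
    return "fixed" if branch > (1, 0, 1) else "unknown"

def run_nginx_v(binary="nginx"):
    # nginx prints -V output on stderr, so capture both streams.
    proc = subprocess.run([binary, "-V"], capture_output=True, text=True)
    return proc.stderr + proc.stdout

if __name__ == "__main__":
    print(ccs_status(SAMPLE))
```

This checks only the version the binary reports it was built with; a scanner such as the SSL Labs test named in the message checks the running server's behaviour.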
