On Thursday, January 29, 2015 at 3:12:22 PM UTC-5, [email protected] wrote:
>
> On Thursday, January 29, 2015 at 1:26:52 PM UTC-5, ryandesign wrote:
>>
>>
>> > On Jan 28, 2015, at 9:14 AM, [email protected] wrote: 
>> > 
>> > I've been tasked with updating an old system running node.js, handling
>> > SSL handshakes. I was able to update the node binary (custom install), but
>> > I don't feel as though the CVE-2014-0224 (CCS Injection) vulnerability is
>> > actually fixed. The testing tool Breacher used to show we failed (reason
>> > for the update) but after updating, it doesn't show a response at all.
>> > Another tool (nmap script I believe) shows that node is disconnecting the
>> > session immediately when trying to test. Is this the correct behavior? Will
>> > this fix the hole and allow our site to pass the SSLLabs scan and give us
>> > something other than an F?
>>
>> Which version of node are you now running? 
>>
>> Are you using the version of openssl that ships with that version of 
>> node, or a different version of openssl, and if the latter, which one? 
>>
> I now have v0.10.36 running on a testing environment. I believe it only
> uses its statically linked SSL libs, as I'm using the binary download.
>

Ok, I was able to get a different server online running the same version, and
the SSL checks at Qualys give it a passing grade, so I guess the fact that
it disconnects during a CCS Injection attempt is going to be just fine.
Different testing tools will react differently, clearly.

Thanks for the help anyway! 
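
A complementary check to the external scanners discussed in this thread, added here as an example and not part of the original messages: read the OpenSSL version the running node binary reports and compare it with the first fixed release on its branch. The function names are hypothetical, the sample version strings are constructed, and the fix releases (0.9.8za, 1.0.0m, 1.0.1h) come from the OpenSSL advisory for CVE-2014-0224, not from the thread.

```javascript
// Added example. First OpenSSL release on each branch that fixes CVE-2014-0224
// (per the OpenSSL advisory; these values are not stated in the thread).
const FIXED_IN = { '0.9.8': 'za', '1.0.0': 'm', '1.0.1': 'h' };

// OpenSSL letter suffixes run a..z and then continue za, zb, ...
// so compare by length first, then alphabetically. '' (no letter) sorts lowest.
function compareSuffix(a, b) {
  if (a.length !== b.length) return a.length < b.length ? -1 : 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns 'patched', 'vulnerable' or 'unknown' for an OpenSSL version string
// such as the one node exposes in process.versions.openssl.
function ccsStatus(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)([a-z]{0,2})(?:\+.*)?$/.exec(String(version));
  if (!m) return 'unknown'; // betas, vendor strings, anything unparseable
  const nums = m.slice(1, 4).map(Number);
  const branch = nums.join('.');
  if (branch in FIXED_IN) {
    return compareSuffix(m[4], FIXED_IN[branch]) >= 0 ? 'patched' : 'vulnerable';
  }
  // Final releases newer than the 1.0.1 branch were published after the fix.
  const newer = nums[0] > 1 || (nums[0] === 1 && (nums[1] > 0 || nums[2] > 1));
  // Branches older than 0.9.8 have no fix release to compare against.
  return newer ? 'patched' : 'unknown';
}

// Constructed sample versions, plus whatever this runtime was built with.
const SAMPLES = ['1.0.1e', '1.0.1g', '1.0.1h', '1.0.1l', '1.0.0l',
                 '0.9.8y', '0.9.8za', '1.0.2-beta1'];
for (const v of [process.versions.openssl, ...SAMPLES]) {
  console.log(String(v).padEnd(14), ccsStatus(v));
}
```

The result describes only the OpenSSL that node itself reports; a build linked against a shared system OpenSSL with vendor-backported fixes can be patched while still showing an older version letter.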
