SSL Labs says SSL is vulnerable, gives grade F #729

Closed
khromov opened this issue Jun 7, 2016 · 12 comments

@khromov commented Jun 7, 2016

After creating a new site with the --php7 --letsencrypt flags and running it through the SSL Labs test, I was surprised to get an F score. It seems there is an unpatched vulnerability in EasyEngine.

[screenshot: SSL Server Test for khromov.se, Powered by Qualys SSL Labs]

  • lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.4 LTS
Release:        14.04
Codename:       trusty
  • ee -v
EasyEngine v3.6.2
Copyright (c) 2016 rtCamp Solutions Pvt. Ltd.
  • ee info
NGINX (1.10.0):

user                             www-data
worker_processes                 auto
worker_connections               4096
keepalive_timeout                30
fastcgi_read_timeout             300
client_max_body_size             100m
allow                            127.0.0.1

PHP (5.6.22-2):

user
expose_php                       Off
memory_limit                     128M
post_max_size                    100M
upload_max_filesize              100M
max_execution_time               300

Information about www.conf
ping.path                        /ping
pm.status_path                   /status
process_manager                  ondemand
pm.max_requests                  500
pm.max_children                  100
pm.start_servers                 20
pm.min_spare_servers             10
pm.max_spare_servers             30
request_terminate_timeout        300
xdebug.profiler_enable_trigger   off
listen                           127.0.0.1:9000

Information about debug.conf
ping.path                        /ping
pm.status_path                   /status
process_manager                  ondemand
pm.max_requests                  500
pm.max_children                  100
pm.start_servers                 20
pm.min_spare_servers             10
pm.max_spare_servers             30
request_terminate_timeout        300
xdebug.profiler_enable_trigger   on
listen                           127.0.0.1:9001

MySQL (10.1.14-MariaDB) on localhost:

port                             3306
wait_timeout                     600
interactive_timeout              28800
max_used_connections             11
datadir                          /var/lib/mysql/
socket                           /var/run/mysqld/mysqld.sock
my.cnf [PATH]                    /etc/mysql/conf.d/my.cnf
  • wp --allow-root --info
PHP binary:     /usr/bin/php7.0
PHP version:    7.0.7-2+donate.sury.org~trusty+1
php.ini used:   /etc/php/7.0/cli/php.ini
WP-CLI root dir:        phar://wp-cli.phar
WP-CLI packages dir:    /root/.wp-cli/packages/
WP-CLI global config:
WP-CLI project config:
WP-CLI version: 0.23.0
@rsmith4321 commented Jun 7, 2016

I just tested mine and I get an A+ for my EasyEngine setup site. So this is something specific to your configuration; it's not related to EasyEngine. I don't know why everyone files bug reports instead of researching their specific issue.


@khromov (Author) commented Jun 7, 2016

Well, the only thing I have done is to install EE and run ee update a couple of times, so I don't understand how this could have happened unless there is a bug inside EE.

@w33zy commented Jun 7, 2016

@rsmith4321 Re-run the test on that site that scored A+

I just did and my A+ sites are now getting F's

Edit: CVE-2016-2107 was recently discovered, so it is very likely your sites will fail also.
For reference: https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/

@ddelaey commented Jun 8, 2016

Same here. Does anyone have the solution please?

@Grexy commented Jun 9, 2016

This is not an error issue; this is an issue with certs from Let's Encrypt and most major cert issuers. They need to update their certs to fix the vulnerability. Since it was just found, it might be a while.

@w33zy commented Jun 9, 2016

This is not an error issue; this is an issue with certs from Let's Encrypt and most major cert issuers. They need to update their certs to fix the vulnerability. Since it was just found, it might be a while.

pfg, Community Moderator @ community.letsencrypt.org:

Note that this is a server configuration issue, and not something that is related to the certificate. Make sure that your server has installed all available updates (especially for OpenSSL) and that your server configuration is okay. The Mozilla SSL Configuration Generator is a good starting point.

@w33zy commented Jun 9, 2016

@Grexy If this was an issue with the certificates, the whole world would be talking about this. It would have been "Heartbleed" all over again, with sysadmins and CAs rushing to invalidate current certs and re-issue them.

This issue is with OpenSSL and Qualys Labs being overly dramatic with their grading system. The certs are OK.

@Grexy commented Jun 9, 2016

Thanks, yes. Originally, when I read about the vulnerability, I thought the cert was the problem. Now, reading through that Let's Encrypt thread, I understand better. Now to figure out why my server is still failing even though I am on OpenSSL 1.0.2h.

@tersor commented Jun 9, 2016

I upgraded EE to v3.6.2 via sudo ee update. This also upgraded openssl to v1.0.2h, which should fix the issue: https://www.openssl.org/news/vulnerabilities.html

$ openssl version
OpenSSL 1.0.2h  3 May 2016 (Library: OpenSSL 1.0.2g  1 Mar 2016)

But still, the server is flagged as vulnerable when testing: https://filippo.io/CVE-2016-2107/

$ sudo nginx -V
nginx version: nginx/1.10.0
built with OpenSSL 1.0.2g-fips  1 Mar 2016

My guess is that nginx needs to be rebuilt with the new openssl version.

@iam404 iam404 self-assigned this Jun 9, 2016

@iam404 iam404 added this to the Next milestone Jun 15, 2016

@iam404 (Contributor) commented Jun 15, 2016

Hi

We have rebuilt our OpenSSL and Nginx packages with OpenSSL version 1.0.2h. To fix this issue, please upgrade all Nginx and OpenSSL packages/libraries.

The following commands may be useful for upgrading:

ee stack upgrade --nginx
sudo apt-get upgrade openssl

or

sudo apt-get dist-upgrade

Please note: if the issue is still not resolved after upgrading the packages, you may need to reboot the server so that all libraries are freshly reloaded.

After the upgrade, the Nginx and OpenSSL versions should be as below:

^_^[root@localhost:~]# openssl version
    OpenSSL 1.0.2h  3 May 2016

 ^_^[root@localhost:~]# nginx -V
    nginx version: nginx/1.10.0
    built with OpenSSL 1.0.2h  3 May 2016
    TLS SNI support enabled

If you face any issue while upgrading please feel free to use our community forum. I am moving this discussion to http://community.rtcamp.com/t/ssl-labs-says-ssl-is-vulnerable-gives-grade-f/6686
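
The check tersor and iam404 arrive at above (the `openssl` binary reporting 1.0.2h is not enough; what matters is the OpenSSL that nginx is actually linked against and the library that is actually loaded) as an added shell example. This is not code from EasyEngine or from anyone in this thread. It assumes the fixed releases named in the OpenSSL advisory of 3 May 2016, 1.0.1t and 1.0.2h, and the `built with OpenSSL ...` line format of `nginx -V` and the `(Library: ...)` suffix of `openssl version`; the sample outputs are constructed to match what tersor posted.

```shell
#!/bin/sh
# Added example; not code from EasyEngine or from anyone in this thread.
# Reports whether the OpenSSL that nginx was linked against, and the OpenSSL
# library actually loaded by the `openssl` binary, carry the fix for
# CVE-2016-2107. Fixed releases per the OpenSSL advisory of 3 May 2016
# (assumed here, not stated in the thread): 1.0.1t and 1.0.2h. Only the
# 1.0.1 and 1.0.2 branches were affected, so any other branch prints "fixed".

# Print "fixed" or "vulnerable" for a version token such as "1.0.2g" or
# "1.0.2g-fips". Always returns 0; the verdict is the printed word.
cve_2016_2107_status() {
    base=$(printf '%s' "$1" | sed 's/-.*//')   # drop "-fips" and similar suffixes
    case "$base" in
        1.0.1*) letter=${base#1.0.1}; min=t ;;
        1.0.2*) letter=${base#1.0.2}; min=h ;;
        *)      echo fixed; return 0 ;;
    esac
    # A bare "1.0.1"/"1.0.2" with no patch letter predates every fixed release.
    if [ -z "$letter" ]; then echo vulnerable; return 0; fi
    # Compare the first patch letter by character code ('g' < 'h' < 't').
    first=$(printf '%s' "$letter" | cut -c1)
    lnum=$(printf '%d' "'$first")
    mnum=$(printf '%d' "'$min")
    if [ "$lnum" -ge "$mnum" ]; then echo fixed; else echo vulnerable; fi
    return 0
}

# From `nginx -V` text on stdin, print the token after "built with OpenSSL".
# nginx writes this to stderr, hence the 2>&1 in the live check below.
nginx_built_with_openssl() {
    sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p' | head -n 1
}

# From `openssl version` text on stdin, print the version of the library
# actually loaded: the "(Library: ...)" part when present, else the binary's.
openssl_runtime_version() {
    line=$(cat)
    case "$line" in
        *"(Library: OpenSSL "*) printf '%s\n' "$line" | sed 's/.*(Library: OpenSSL \([^ ]*\).*/\1/' ;;
        *)                      printf '%s\n' "$line" | sed 's/^OpenSSL \([^ ]*\).*/\1/' ;;
    esac
}

# One-line verdict for a block of `nginx -V` output passed as $1.
check_nginx_text() {
    ver=$(printf '%s\n' "$1" | nginx_built_with_openssl)
    if [ -z "$ver" ]; then echo "no 'built with OpenSSL' line found"; return 0; fi
    echo "nginx linked against OpenSSL $ver: $(cve_2016_2107_status "$ver")"
}

# One-line verdict for a line of `openssl version` output passed as $1.
check_openssl_text() {
    ver=$(printf '%s\n' "$1" | openssl_runtime_version)
    echo "openssl library in use is $ver: $(cve_2016_2107_status "$ver")"
}

# Constructed samples, shaped like the output tersor posted in this thread.
SAMPLE_NGINX_V='nginx version: nginx/1.10.0
built with OpenSSL 1.0.2g-fips  1 Mar 2016
TLS SNI support enabled'
SAMPLE_OPENSSL_VERSION='OpenSSL 1.0.2h  3 May 2016 (Library: OpenSSL 1.0.2g  1 Mar 2016)'

check_nginx_text "$SAMPLE_NGINX_V"
check_openssl_text "$SAMPLE_OPENSSL_VERSION"

# Live check on this host, when the binaries are present:
if command -v nginx >/dev/null 2>&1; then check_nginx_text "$(nginx -V 2>&1)"; fi
if command -v openssl >/dev/null 2>&1; then check_openssl_text "$(openssl version)"; fi
```

Two numbers matter and neither is the one most people look at first. The padding-oracle bug lives in libcrypto, so the library mapped into the running nginx process decides; tersor's `openssl version` line shows exactly the trap, a 1.0.2h binary still running on a 1.0.2g library (the `(Library: ...)` suffix only appears when the two differ). The `built with` line in `nginx -V` is the compile-time header version, which is why the EasyEngine fix was a rebuilt nginx package plus an upgraded libssl, followed by a restart or reboot so the old library is no longer mapped. Treat the script as a local sanity check; the SSL Labs or filippo.io scan quoted in the thread remains the external confirmation.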

@w33zy commented Jun 15, 2016

@iam404

Everything is OK now, I got back my A+

@iam404 iam404 closed this Jun 22, 2016
