CentOS/RHEL 7 postfix false positives #484

Closed
clickbg opened this issue Sep 28, 2016 · 3 comments

clickbg commented Sep 28, 2016

On CentOS 7.2.1511 running postfix-2.10.1-6.el7.x86_64 and OpenSSL openssl-1.0.1e-51.el7_2.5.x86_64.
Heartbleed, CCS and Secure Client-Initiated Renegotiation are reported as VULNERABLE even though the official CentOS/RHEL advisory is that this is fixed in the packages listed above.

Is this a problem with the script, or did CentOS/RH not patch vulns from 2014?

--> Testing vulnerabilities

Heartbleed (CVE-2014-0160) VULNERABLE (NOT ok)
CCS (CVE-2014-0224) VULNERABLE (NOT ok)
Secure Renegotiation (CVE-2009-3555) not vulnerable (OK)
Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat
CRIME, TLS (CVE-2012-4929) not vulnerable (OK) (not using HTTP anyway)
POODLE, SSL (CVE-2014-3566) not vulnerable (OK)
TLS_FALLBACK_SCSV (RFC 7507), experim. Downgrade attack prevention supported (OK)
FREAK (CVE-2015-0204) not vulnerable (OK) (tested with 4/9 ciphers)
LOGJAM (CVE-2015-4000), experimental not vulnerable (OK) (tested w/ 2/4 ciphers only!), common primes not checked.
BEAST (CVE-2011-3389) no SSL3 or TLS1
RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK)

Thanks!

drwetter (Owner) commented

openssl-1.0.1e-51.el7_2.5.x86_64 seems to be from Jan 2016, so I doubt it is vulnerable.

Could you please provide more input, at least the version of testssl and the command line params?

Is it a public IP (PM is fine)?


clickbg commented Sep 28, 2016

Hi,

Sorry I forgot to list it.
The testssl.sh version is:

testssl.sh       2.6 from https://testssl.sh/    
(1.379c 2015/09/29 16:47:47)

The latest one from https://testssl.sh/testssl.sh
Execution parameters are:
./testssl.sh -U --starttls smtp [HOST]:587

It gives the same result without the -U flag as well - ./testssl.sh --starttls smtp [HOST]:587

I will send you the two public IPs on pm.

Thanks for the fast reply.


drwetter commented Oct 2, 2016

Hi @clickbg ,

thanks for reporting.

I can confirm the false positive for 2.6 with your IPs. It works as expected in the current stable master (2.8) though.

Unless somebody jumps in and looks into this bug and fixes it, there won't be so much happening here.

My focus is on getting 2.8 finalized and 2.9dev pushed. There has been tons of bug fixes and new features in 2.8. Please use this current master.

Cheers, Dirk

drwetter closed this as completed Oct 2, 2016