Mitigate FREAK: OpenSSL vulnerability (CVE-2015-0204) on RHEL5

Latest response

Red Hat doesn't plan to release an OpenSSL patch for RHEL5

We have over 50 RHEL5 servers at our facility. The current OpenSSL version is openssl-0.9.8e-[12-32]

The Red Hat Knowledgebase article (https://access.redhat.com/articles/1369543) gives two examples of how to mitigate FREAK:

1) openssl ciphers MEDIUM
I guess I could write a wrapper script:
a) Rename /usr/bin/openssl to something else
b) Write a script which calls the renamed binary with the two parameters

2) /etc/httpd/conf.d/ssl.conf
SSLCipherSuite HIGH:!aNULL:!MD5:!EXP

Will these two modifications mitigate FREAK?

If not, does anyone know how to mitigate it?

Thanks for any help you can provide,
Scott Bringen

Responses

Excellent question, Mr Bringen! I've got many RHEL 5 servers, and the 'mitigation' steps in the original article are not very useful.
Also, are there steps I can take to check and see if the mitigation did any good?
L.T.Goodin

FREAK testers still show an issue on RHEL5 after mitigation:

https://www.ssllabs.com/ssltest/index.html
https://tools.keycdn.com/freak
http://www.nagios.com/freak-vulnerability-tester
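Alongside the online testers, a local check of the two cipher strings from the question (`MEDIUM` and `HIGH:!aNULL:!MD5:!EXP`) is what answers the "did the mitigation do any good" question: FREAK only works when the server still offers an export-grade (RSA 512-bit key exchange) suite, so the cipher string a service is configured with must expand to none. This is an added example, not code from the thread or from Red Hat; it assumes the column layout of `openssl ciphers -v` output (name, protocol, Kx=, Au=, Enc=, Mac=, optional `export` flag), uses a constructed sample in that layout for offline use, and should be run on the RHEL5 host itself so that the 0.9.8e binary is the one being queried.

```python
import re
import shutil
import subprocess

# Constructed sample of `openssl ciphers -v` output in the 0.9.8-era layout
# (assumed format; not captured from a real RHEL5 host).
SAMPLE_CIPHERS_V = """\
EXP-RC4-MD5             SSLv3 Kx=RSA(512)  Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
"""

# One verbose cipher line: name, protocol, Kx=..., Au=..., Enc=..., Mac=..., flags
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+\S+\s+Kx=(?P<kx>\S+)\s+Au=\S+\s+Enc=\S+\s+Mac=\S+(?P<flags>.*)$"
)


def export_grade_suites(ciphers_v_output):
    """Return the names of suites that are export-grade: flagged 'export' or
    using a 512-bit RSA key exchange, i.e. the suites FREAK downgrades to."""
    found = []
    for line in ciphers_v_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line
        flags = m.group("flags").split()
        if "export" in flags or m.group("kx") == "RSA(512)":
            found.append(m.group("name"))
    return found


def expand_spec(spec):
    """Expand a cipher string with the local openssl; None if it is missing or rejects the spec."""
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(["openssl", "ciphers", "-v", spec], capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else None


def spec_is_export_free(spec):
    """True when the cipher string yields no export-grade suite on this host."""
    out = expand_spec(spec)
    if out is None:
        raise RuntimeError("openssl not available or cipher string rejected: %s" % spec)
    return export_grade_suites(out) == []


if __name__ == "__main__":
    for spec in ("MEDIUM", "HIGH:!aNULL:!MD5:!EXP", "ALL"):
        try:
            print("%-24s export-free: %s" % (spec, spec_is_export_free(spec)))
        except RuntimeError as err:
            print(err)
```

On a host whose OpenSSL still builds export suites, `ALL` is expected to list them while the two mitigation strings should report `export-free: True`; the Apache `SSLCipherSuite` value can be pasted in as the spec to test exactly what httpd will offer.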
