Why does the OpenSSL CCS Injection Detector still report openssl as vulnerable, even after updating the openssl package?

Solution Verified

Environment

  • Red Hat Enterprise Linux

  • OpenSSL CCS Offline Injection Detector

Issue

  • How to get rid of the error message below, which persists even after updating openssl.
# ./fake-client-early-ccs.pl localhost 443
Got server response, size: 1023
- Handshake - Server Hello
- Handshake - Certificate
- Handshake - Server Key Exhange
- Handshake - Server Hello Done
FAIL Remote host is affected

Resolution

  • The httpd service must be restarted after updating openssl, so that it loads the patched library:
# service httpd restart

Root Cause

  • This tool only works for httpd, not for other applications.

  • The httpd service must be restarted: the running httpd processes keep the old openssl library mapped in memory until they are restarted, so the detector still sees the unpatched code.

  • An httpd built from apache.org source (rather than the Red Hat package) needs to be recompiled against the new openssl library.

Diagnostic Steps

1. Run the detector before upgrading openssl.

# ./fake-client-early-ccs.pl localhost 443
Got server response, size: 1023
- Handshake - Server Hello
- Handshake - Certificate
- Handshake - Server Key Exhange
- Handshake - Server Hello Done
FAIL Remote host is affected

2. Check the currently installed (vulnerable) openssl version.

# rpm -qa | grep openssl

3. Update openssl.

# yum update openssl -y

4. Run the detector again; it still reports "FAIL Remote host is affected".

# ./fake-client-early-ccs.pl localhost 443
Got server response, size: 1023
- Handshake - Server Hello
- Handshake - Certificate
- Handshake - Server Key Exhange
- Handshake - Server Hello Done
FAIL Remote host is affected

5. Check the files held open by the running httpd (mod_ssl) processes with 'lsof'.

# lsof|grep mod_ssl|grep httpd

6. Restart the httpd service

# service httpd restart

7. Run the detector again to verify that the host is no longer reported as affected.
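The root cause above (a running process keeps the old library mapped until it is restarted) and the lsof check in step 5 can be turned into a general, offline check. The script below is an added example, not part of this Red Hat solution or of the detector tool: it reads /proc/<pid>/maps and reports every process that still maps a libssl or libcrypto file that rpm has since replaced on disk (the kernel marks such mappings "(deleted)"). Unlike the detector described in this article, it is not limited to httpd, so it also catches other long-running TLS services that need a restart. The SAMPLE_MAPS content is constructed for demonstration and is not real system output.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): list processes that still map
# an openssl library which was replaced on disk by a package update, i.e.
# processes that must be restarted before the fix is actually in effect.

# stale_libs_in_maps: read /proc/<pid>/maps-style text on stdin and print the
# paths of libssl/libcrypto mappings marked "(deleted)", one per line.
# Field 6 of a maps line is the pathname; "(deleted)" follows it as field 7.
stale_libs_in_maps() {
    awk '/(libssl|libcrypto)[^ ]*\.so/ && /\(deleted\)/ { print $6 }' | sort -u
}

# needs_restart PID: succeed (exit 0) if the process maps a replaced
# libssl/libcrypto, fail otherwise (including when the pid has gone away).
needs_restart() {
    pid="$1"
    [ -r "/proc/$pid/maps" ] || return 1
    [ -n "$(stale_libs_in_maps < "/proc/$pid/maps")" ]
}

# scan_all: print "<pid> <comm>" for every live process that needs a restart.
scan_all() {
    for d in /proc/[0-9]*; do
        pid="${d#/proc/}"
        if needs_restart "$pid"; then
            printf '%s %s\n' "$pid" "$(cat "$d/comm" 2>/dev/null)"
        fi
    done
}

# Constructed sample of /proc/<pid>/maps lines (not real output) showing an
# httpd-like process that still maps the pre-update libssl/libcrypto inodes
# (deleted), plus an unrelated library and a current, non-deleted libssl.
SAMPLE_MAPS='7f1b2c000000-7f1b2c200000 r-xp 00000000 fd:00 131090 /usr/lib64/libssl.so.1.0.1e (deleted)
7f1b2c400000-7f1b2c800000 r-xp 00000000 fd:00 131070 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f1b2d000000-7f1b2d100000 r-xp 00000000 fd:00 131000 /usr/lib64/libpthread-2.12.so
7f1b2e000000-7f1b2e100000 r-xp 00000000 fd:00 131010 /usr/lib64/libssl.so.1.0.1e'

# "--demo" runs the parser on the constructed sample; any other invocation
# scans the live system (run as root to read every process's maps file).
case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_MAPS" | stale_libs_in_maps ;;
    *)      scan_all ;;
esac
```

Run it as root right after `yum update openssl`; an empty result means no process is still using the old library. If httpd (or any other service) is listed, restart that service and run the script again before re-running the detector. A process that loads openssl only via dlopen, or an httpd statically linked against its own openssl build, will not be caught this way; the latter is the recompilation case noted under Root Cause.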

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.