
I recently ran my website through the Qualys SSL Labs SSL Test. My website got a grade "F" with this message attached:

This server is vulnerable to the OpenSSL Padding Oracle vulnerability (CVE-2016-2107) and insecure. Grade set to F.

Being bothered by this, I contacted my web host about my concerns, and the response they gave me was:

The scoring is false, since the distro we are using uses OpenSSL, but it is patched while retaining the original version number. It is already patched, but Red Hat does not change the OpenSSL version to the latest version due to how they build their packages.

This sounded fishy to me, since I didn't think it made sense for such a test to check what version of OpenSSL is running (how do you even check for that from the "outside"?), but rather to test that the vulnerability is present by trying to execute an attack against it. So I complained some more, including letting them know that other vulnerability testers mark it as vulnerable. Their response to that was:

It is already patched. They just report it as bad due to the version number reported when checking it. Lots of checkers fail it due to that specific reason.

Should I trust the response from my web host, or should I run as far away as I can as quickly as I can? If they are telling the truth, are there vulnerability testers that are not fooled by incorrect OpenSSL version numbers?

Alex

1 Answer


The version would most likely be checked based on the HTTP header or default error pages. This also seems to be the assumption of your hoster, which says that they are sending out the wrong version, which results in false positives.

Qualys however says that they do not test this via version, but via a test that is based on this test.

Cloudflare describes the test (and also the vulnerability itself):

Detecting a vulnerable server is as easy as sending an encrypted message which decrypts to AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA, and checking if the TLS alert is DATA_LENGTH_TOO_LONG (vulnerable) or BAD_RECORD_MAC (not vulnerable)

tim
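To see why this probe cannot be fooled by a version string, here is an added illustration (not code from the answer, the question, or OpenSSL) modelling the record check behind CVE-2016-2107 in Python: an unpatched check subtracts the padding length before verifying that padding and MAC fit in the record, so the 32-byte all-'A' record (padding byte 0x41 = 65) slips past the padding comparison and is only rejected later for its impossible length, while a patched check rejects it as a MAC failure. The record layout, the HMAC-SHA1 length and the function names are assumptions of the model.

```python
# Simplified model of the TLS CBC record check behind CVE-2016-2107.
# Added illustration only, not OpenSSL's code. Record layout
# (payload || MAC || padding || padding_length), MAC length and alert
# names are assumptions chosen to match the Cloudflare description above.

MAC_LEN = 20  # HMAC-SHA1 output size, as in a *_CBC_SHA cipher suite


def process_record(record: bytes, patched: bool):
    """Return (alert, payload_len) for an already-decrypted CBC record.

    patched=False models the unpatched check, which subtracts the padding
    length without first verifying that padding plus MAC fit in the record.
    patched=True models the fixed check, which rejects such a record as a
    MAC failure before doing any arithmetic on the length. MAC verification
    is omitted; (None, n) means the record passed the padding check.
    """
    if not record:
        return ("DECODE_ERROR", None)
    pad = record[-1]
    if patched and pad + 1 + MAC_LEN > len(record):
        return ("BAD_RECORD_MAC", None)  # fixed: padding claim cannot fit
    # Trailing padding bytes must all equal pad. With an oversized pad value
    # the slice covers the whole record, so a record consisting only of the
    # pad byte passes this comparison in the unpatched model.
    if any(b != pad for b in record[-(pad + 1):]):
        return ("BAD_RECORD_MAC", None)
    payload_len = len(record) - (pad + 1) - MAC_LEN
    if payload_len < 0:
        # Unpatched: the length went negative (a huge unsigned value in C)
        # and a later generic length check reports the distinguishable alert.
        return ("DATA_LENGTH_TOO_LONG", None)
    return (None, payload_len)


def classify(alert):
    """Map the alert returned for the probe record to a scanner verdict."""
    return {"DATA_LENGTH_TOO_LONG": "vulnerable",
            "BAD_RECORD_MAC": "not vulnerable"}.get(alert, "inconclusive")


# Constructed records. The probe is 32 bytes that all decrypt to 'A' (0x41 = 65,
# a padding length longer than the record itself).
PROBE_RECORD = b"A" * 32
# A well-formed 32-byte record: 5 payload bytes, 20 MAC bytes, 7 padding bytes.
GOOD_RECORD = b"hello" + bytes(20) + bytes([6]) * 7
```

Running `process_record(PROBE_RECORD, patched=False)` versus `patched=True` reproduces the two alerts the scanner distinguishes, while `GOOD_RECORD` passes both paths with 5 payload bytes.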