
We have a privately hosted production system and an AWS machine we use for testing. Both systems have the same structure:

  • SSL termination with haproxy,
  • passing to an Apache server hosting a rails website,
  • plus a load of auxiliary services etc.

My attempts at hardening our system in haproxy:

ssl-default-bind-options no-sslv3
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-server-options no-sslv3
ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
tune.ssl.default-dh-param 2048

On AWS our system got an A on the Qualys SSL labs test (ignoring trust issues as we didn't pay for a verified certificate on our private test system).
On production, the system got a solid F, citing CVE-2016-2107. Apparently the fix is to upgrade the openssl version (presently 1.0.1e on both systems... !)

I'm curious, though, as to why this was an issue on our privately hosted server but not on AWS? I'm asking because we always try things out on AWS before our production machine to see if e.g. a software upgrade breaks anything, so I'd like to be aware of some intrinsic difference in that environment so that I don't get caught out on the live version...

Many thanks in advance.

  • Potentially relevant: the command `openssl version` gives the same answer on both systems. However, `yum list openssl` describes slightly different *packages*: 1:1.0.1e-60.el7_3.1 on AWS, 1.0.1e-30.el6_6.5 on the live. – rwold May 17 '17 at 08:16

1 Answer

My "potentially relevant comment" was actually the key. Because software updates can be fraught with compatibility issues, yum update doesn't update the openssl version (which both systems showed me was 1.0.1e) but instead updates the packages to include security patches. You can see that the version on AWS was more up-to-date than on production, but both packages related to the same 1.0.1e version (presumably, this means that the API is frozen in time against upgrades). Anyone interested can read more about it here:

https://access.redhat.com/security/updates/backporting

`yum update openssl` means both systems now score an A on Qualys.

  • If this solved the problem for you, then you should mark this reply as the valid answer. (Even if you answered it yourself.) Otherwise the system will periodically re-bump the question to the homepage in the hopes that someone will answer it. – StackzOfZtuff Sep 14 '17 at 14:56
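The answer's point is that `openssl version` is the wrong signal on an Enterprise Linux host: the upstream version string stays at 1.0.1e while Red Hat backports the fix into a new package release, and the RPM changelog is where the CVE actually shows up. The script below, an added example rather than anything from the question or answer, splits the two package strings quoted in the comment (`1:1.0.1e-60.el7_3.1` and `1.0.1e-30.el6_6.5`) into version and release, and checks a package changelog for a CVE id. The changelog text embedded in it is a constructed sample with placeholder dates, maintainer and release numbers, not real Red Hat changelog entries; the function falls back to the live `rpm -q --changelog openssl` output when no text is supplied.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a backported fix
# for a CVE is present by reading the package changelog instead of trusting
# `openssl version`, which prints 1.0.1e on a patched and an unpatched host alike.

# Constructed sample of `rpm -q --changelog openssl` output. Dates, maintainer
# address and release strings are placeholders, not real package history.
SAMPLE_CHANGELOG='* Mon Jan 01 2001 Maintainer <maintainer@example.invalid> 1.0.1e-PLACEHOLDER2
- fix CVE-2016-2107 (constructed entry)

* Mon Jan 01 2001 Maintainer <maintainer@example.invalid> 1.0.1e-PLACEHOLDER1
- initial build (constructed entry)'

# pkg_version NEVR: upstream version only, e.g. "1:1.0.1e-60.el7_3.1" -> "1.0.1e".
# This is the part that stays frozen under backporting.
pkg_version() {
    nevr="${1#*:}"          # drop a leading "epoch:" if present
    printf '%s\n' "${nevr%%-*}"
}

# pkg_release NEVR: distribution release field, e.g. "1:1.0.1e-60.el7_3.1" -> "60.el7_3.1".
# This is the part that moves when a security patch is backported.
pkg_release() {
    nevr="${1#*:}"
    printf '%s\n' "${nevr#*-}"
}

# cve_patched CVE-ID [CHANGELOG_TEXT]
# Prints "patched" and returns 0 when some changelog entry names the CVE,
# prints "unpatched" and returns 1 otherwise. Without CHANGELOG_TEXT it queries
# the installed openssl package via rpm and returns 2 if that query fails.
cve_patched() {
    cve="$1"
    if [ "$#" -ge 2 ]; then
        changelog="$2"
    else
        changelog=$(rpm -q --changelog openssl 2>/dev/null) || return 2
    fi
    if printf '%s\n' "$changelog" | grep -qi -- "$cve"; then
        echo patched
        return 0
    fi
    echo unpatched
    return 1
}

# Stand-alone run: compare the two package strings from the comment, then
# check the constructed changelog for the CVE that Qualys reported.
for pkg in "1:1.0.1e-60.el7_3.1" "1.0.1e-30.el6_6.5"; do
    printf '%-22s version=%s release=%s\n' "$pkg" "$(pkg_version "$pkg")" "$(pkg_release "$pkg")"
done
cve_patched CVE-2016-2107 "$SAMPLE_CHANGELOG"
```

On a real host, drop the second argument (`cve_patched CVE-2016-2107`) so the function reads the installed package's changelog; the Qualys F grade and the identical `openssl version` output are both explained once you see that only the release field, and the changelog behind it, differs between the two machines.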