I am running a server with CentOS 6.5, patched to recent openssl updates via yum update ssl
and with indications the current version indeed has the patch to the vulnerability.
$ sudo rpm -q --changelog openssl | grep CVE-2014-0224
- fix CVE-2014-0224 fix that broke EAP-FAST session resumption support
- fix CVE-2014-0224 - SSL/TLS MITM vulnerability
However, an SSLTest scan and Nessus indicate that I'm still vulnerable:
This server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224) and exploitable. Grade set to F.
I'm at a loss - should I trust SSLTest and Nessus or the CentOS distro and rpm flag?
Note: we always restart all relevant services after patches.
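The rpm changelog answers a different question than the scanners do: it says which fixes are in the package on disk, while SSLTest and Nessus probe the TLS stack of the process that is actually listening. A gap between the two usually means some process is still holding the pre-update shared library in memory, which shows up in /proc/PID/maps as a mapping marked "(deleted)". The script below is an added example, not part of the question or of CentOS tooling; it wraps the changelog check from the question and adds the stale-mapping check. The library filename in the constructed sample (libssl.so.1.0.1e) is illustrative only.

```shell
#!/bin/sh
# Added example (not from the original question). Two checks for a CentOS host
# after an openssl update:
#  1. does the installed package changelog mention the CVE?
#  2. is any running process still mapping a libssl/libcrypto that was
#     replaced on disk (reported as "(deleted)" in /proc/PID/maps)?

# Return 0 if the rpm changelog for package $1 mentions CVE id $2.
rpm_changelog_mentions_cve() {
    rpm -q --changelog "$1" 2>/dev/null | grep -q "$2"
}

# Read /proc/PID/maps-style text on stdin and print (once each) the paths of
# OpenSSL libraries that were deleted or replaced while still mapped.
# Field layout of a maps line: address perms offset dev inode pathname [(deleted)]
stale_openssl_mappings() {
    awk '/lib(ssl|crypto)[^ ]*\.so/ && /\(deleted\)/ { print $6 }' | sort -u
}

# Walk every live process and report PID, command name and any stale OpenSSL
# mappings; processes listed here need a restart before a rescan is meaningful.
find_processes_with_stale_openssl() {
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}
        pid=${pid%/maps}
        libs=$(cat "$m" 2>/dev/null | stale_openssl_mappings)
        [ -n "$libs" ] && echo "$pid $(cat "/proc/$pid/comm" 2>/dev/null) $libs"
    done
}

# Constructed sample of what /proc/PID/maps looks like for a daemon that was
# started before the update and still maps the replaced libraries.
SAMPLE_MAPS='7f1a00000000-7f1a00100000 r-xp 00000000 fd:00 123 /usr/lib64/libssl.so.1.0.1e (deleted)
7f1a00200000-7f1a00300000 r-xp 00000000 fd:00 124 /lib64/libc-2.12.so
7f1a00400000-7f1a00500000 r-xp 00000000 fd:00 125 /usr/lib64/libcrypto.so.1.0.1e (deleted)'

# Usage when run directly on a host:
#   rpm_changelog_mentions_cve openssl CVE-2014-0224 && echo "package patched"
#   find_processes_with_stale_openssl
# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_MAPS" | stale_openssl_mappings
```

If the second check lists a process, a service restart was missed or a process (such as a worker forked before the update) survived it; rescanning after restarting those processes is what reconciles the scanner result with the rpm changelog.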