You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Please make sure that you provide enough information so that we understand what your issue is about.
testssl version from the banner (testssl.sh -b 2>/dev/null | head -4 | tail -2)
testssl.sh 2.9.5-4 from https://testssl.sh/
what exactly was happening, output is needed
During a webserver test I discovered that it is potentially vulnerable to LUCKY13.
The server which is running the nginx webserver is an up-to-date Centos7 with: OpenSSL 1.0.2k-fips 26 Jan 2017
Since:
-the openssl advisory says that it is fixed in 1.0.1e, 1.0.0k or 0.9.8y
-the openssl advisory says something about partial fix
I'm wondering if it is a false positive, or there was (maybe) an error into the downstream openssl package
steps to reproduce
testssl.sh -L $URL
openssl version used (testssl.sh -b 2>/dev/null | head -16 | tail -3)
CLIENT: /usr/bin/openssl
(built: "reproducible build, date unspecified", platform: "linux-x86_64")
openssl version
OpenSSL 1.0.2q 20 Nov 2018
SERVER: Using "OpenSSL 1.0.2k-fips 26 Jan 2017" [~118 ciphers]
your operating system (uname -a)
CLIENT:
Linux spectre 4.14.83-gentoo openssl bins #7 SMP PREEMPT Tue Jan 8 12:15:22 CET 2019 x86_64 Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz GenuineIntel GNU/Linux
SERVER:
Linux host 3.10.0-957.1.3.el7.x86_64 Heartbleed for STARTTLS #1 SMP Thu Nov 29 14:49:43 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Please make sure that you provide enough information so that we understand what your issue is about.
testssl version from the banner (testssl.sh -b 2>/dev/null | head -4 | tail -2)
testssl.sh 2.9.5-4 from https://testssl.sh/
what exactly was happening, output is needed
During a webserver test I discovered that it is potentially vulnerable to LUCKY13.
The server which is running the nginx webserver is an up-to-date Centos7 with: OpenSSL 1.0.2k-fips 26 Jan 2017
Since:
-the openssl advisory says that it is fixed in 1.0.1e, 1.0.0k or 0.9.8y
-the openssl advisory says something about partial fix
I'm wondering if it is a false positive, or there was (maybe) an error into the downstream openssl package
steps to reproduce
testssl.sh -L $URL
openssl version used (testssl.sh -b 2>/dev/null | head -16 | tail -3)
CLIENT: /usr/bin/openssl
(built: "reproducible build, date unspecified", platform: "linux-x86_64")
openssl version
OpenSSL 1.0.2q 20 Nov 2018
SERVER: Using "OpenSSL 1.0.2k-fips 26 Jan 2017" [~118 ciphers]
your operating system (uname -a)
CLIENT:
Linux spectre 4.14.83-gentoo openssl bins #7 SMP PREEMPT Tue Jan 8 12:15:22 CET 2019 x86_64 Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz GenuineIntel GNU/Linux
SERVER:
Linux host 3.10.0-957.1.3.el7.x86_64 Heartbleed for STARTTLS #1 SMP Thu Nov 29 14:49:43 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux