Bug #7632
closed
Added by Adrian James almost 7 years ago.
Updated almost 7 years ago.
Affected Architecture:
amd64
Description
pfSense 2.3.4 uses OpenSSL 1.0.1s which is vulnerable to CVE-2016-2107 Oracle Padding attack. HAProxy TLS termination for front ends uses this and so makes services dependent on it vulnerable.
- Status changed from New to Rejected
We have 2.3.4 in use, hosting a website with HAProxy TLS offload. SSLLabs confirms that it is vulnerable to Oracle Padding when tested. When I do 'openssl version' in pfSense it reports 1.0.1s which OpenSSL says is vulnerable and suggest upgrading to 1.0.1t to fix.
From what I can tell 2.3.5 and 2.4 both come with updated OpenSSL packages which will fix the issue.
The issue was reintroduced into OpenSSL in April when another bug was patched (CVE-2013-0169).
Sorry, I follow what you are saying now!
The SSLLabs test still says that we are vulnerable when we test the site. Does HAproxy use it's own OpenSSL package or the system one?
Are you certain that your pfSense installation is current? We ran that same test against a 2.3.4 system with HAProxy and ssllabs said it was not vulnerable.
Perhaps the test was hitting some other host or was not using SSL offloading so it was really testing the backend server?
At this point you are better off starting a thread on the forum in the cache/proxy board to discuss the problem.
Also available in: Atom
PDF
Updated by 
Updated by