I saw my VPS was vulnerable to this by checking https://www.ssllabs.com/ssltest/index.html. I think we need to get this issue addressed.
Hi mrgeekchris
Sorry, I’ve just tested one of our SSL and cannot see FREAK listed.
Is it CVE-2014-0224?
If so, I thought this had been resolved and you may need to upgrade your OpenSSL if you’re showing as vulnerable.
I could be wrong so I apologise in advance, but if you could post your result showing the FREAK failure or how best to test for it.
Many thanks
John
“FREAK”, also known as CVE-2015-0204, is a client vulnerability - not a server vulnerability. It had a patch pushed by Red Hat in January via RHSA-2015-0066 (click the link for information on that change set). Red Hat’s analysis of the attack can be found here - they’re convinced it’s an extremely low-risk attack.
You can also directly test your server by logging in and running the command ‘curl https://dev.ssllabs.com:10444/’. If that command fails with any error message, your server’s OpenSSL version is not vulnerable. I’ve tested on a half-dozen customer machines as well as my own InterWorx servers (both company-owned and my personal rig) and can confirm that CentOS’s version of openssl-1.0.1e-30 is not vulnerable.
Alright. I think I misread something, just got a little freaked out.