SSL vulnerability - apache24/php7

[Kaitux]

hi,

i installed nextcloud with php, apache and mysql (tutorial https://forums.freenas.org/index.php?threads/how-to-nextcloud-10-w-apache-php-and-mariadb.46111/).

The problem is, that the SSL-Lab rating is F, because of the CVE-2016-2107 vulnerability.
I have no idea where the problem is and how to fix it. Thanks for your help

 

[danpoleary]

There is a link about this issue with FreeBSD: https://www.freebsd.org/security/advisories/FreeBSD-SA-16:17.openssl.asc and solutions. I am unsure what impact these solutions would have with FreeNAS. There was also a recent FreeNAS update that may have already included the fix.

 

[Joshua Parker Ruehlig]

a freenas update would in no way affect thus vulnerability since it sounds like he is using apache with SSL. in the jail, you'll need to update to a non-vunerable version of SSL and compile apache24 from ports

 

[Kaitux]

thx Joshua for the tip, but i didnt help me.
I tried it again with installing nextcloud in a new jail with freshports.

i installed lighttpd and nextcloud both via freshports (drkk installation - fast and easy setup for testing)

after everything configurated and updated

# /usr/local/sbin/lighttpd -v
lighttpd/1.4.41 (ssl) - a light and fast webserver
Build-Date: Aug 18 2016 01:23:39


i got still the CVE-2016-2107 vulnerability...
whats wrong with the setup?
you need more information?

 

[Joshua Parker Ruehlig]

I didn't explain all the details.
you need to compile whatever is doing SSL with the option "WITH_OPENSSL_PORT"

here's an explanation
serverfault.com/a/589867

 

[Kaitux]

thx! it worked this time!!

 

[Kaitux]

btw: i got a warning during the compilation telling me:

Using WITH_OPENSSL_PORT in make.conf is deprecated, replace it with DEFAULT_VERSIONS+=ssl=openssl in your make.conf

so guess DEFAULT_VERSIONS+=ssl=openssl should work as well...

 

[Jailer]

btw: i got a warning during the compilation telling me:

Using WITH_OPENSSL_PORT in make.conf is deprecated, replace it with DEFAULT_VERSIONS+=ssl=openssl in your make.conf

so guess DEFAULT_VERSIONS+=ssl=openssl should work as well...

Correct.

 

[Michael Sparks]

solutions. I am unsure what impact these solutions would have with FreeNAS. There was also a rece

thx! it worked this time!!

What are the CLI commands to fix this vulnerability (CVE-2016-2107)?

 

[Jailer]

What are the CLI commands to fix this vulnerability (CVE-2016-2107)?

It was explained earlier in this post, you compile openssl from ports.

 

[Allan Wilmath]

Why would you run a webserver on your fileserver? Since Jails use the same kernel and memory space as everything else, they are not as secure as it first seems. Also, virtualizing would allow you to do backups of your web server, and offer a little more security as well. Likely there is a Docker consenter for a web server that would have made this whole thread pointless, you just restart the container and it would have updated on it's own.

Just some things to consider.

 

[Jailer]

Why would you run a webserver on your fileserver?

Because they can.

Also, virtualizing would allow you to do backups of your web server, and offer a little more security as well

And add overhead in the process as well.

Likely there is a Docker consenter for a web server that would have made this whole thread pointless

So go start a tutorial thread on how to install and set up docker and stop crapping on this thread. If you have something constructive to add please do.