CVE-2014-0224 (CCS Injection) and node.js


ren....@cenx.com

Jan 28, 2015, 10:14:22 AM
to nod...@googlegroups.com
I've been tasked with updating an old system running node.js, handling SSL handshakes. I was able to update the node binary (custom install), but I don't feel as though the CVE-2014-0224 (CCS Injection) vulnerability is actually fixed. The testing tool Breacher used to show we failed (reason for the update) but after updating, it doesn't show a response at all. Another tool (nmap script I believe) shows that node is disconnecting the session immediately when trying to test. Is this the correct behavior? Will this fix the hole and allow our site to pass the SSLLabs scan and give us something other than an F?

Ryan Schmidt

Jan 29, 2015, 1:26:52 PM
to nod...@googlegroups.com

> On Jan 28, 2015, at 9:14 AM, ren....@cenx.com wrote:
>
> I've been tasked with updating an old system running node.js, handling SSL handshakes. I was able to update the node binary (custom install), but I don't feel as though the CVE-2014-0224 (CCS Injection) vulnerability is actually fixed. The testing tool Breacher used to show we failed (reason for the update) but after updating, it doesn't show a response at all. Another tool (nmap script I believe) shows that node is disconnecting the session immediately when trying to test. Is this the correct behavior? Will this fix the hole and allow our site to pass the SSLLabs scan and give us something other than an F?

Which version of node are you now running?

Are you using the version of openssl that ships with that version of node, or a different version of openssl, and if the latter, which one?

ren....@cenx.com

Jan 29, 2015, 3:12:22 PM
to nod...@googlegroups.com
I now have v0.10.36 running on a testing environment. I believe it only uses its statically linked SSL libs, as I'm using the binary download.

ren....@cenx.com

Jan 29, 2015, 4:44:59 PM
to nod...@googlegroups.com
Ok, I was able to get a different server online running the same version, and the SSL checks at Qualys give it a passing grade, so I guess the fact that it disconnects during a CCS Injection attempt is going to be just fine. Different testing tools clearly react differently.

Thanks for the help anyway!
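As an added illustration of the question raised above (which OpenSSL build does the node binary actually carry, and is it past the CCS Injection fix?), not code posted in this thread: a small node.js script that reads the statically linked OpenSSL version from `process.versions.openssl` and classifies it against the first fixed release on each branch named in the OpenSSL advisory (1.0.1h, 1.0.0m, 0.9.8za). The helper names and the letter-suffix comparison are this example's own assumptions.

```javascript
// Added example (not from the thread): is the OpenSSL that node is statically
// linked against at or past the release that fixed CVE-2014-0224 (CCS Injection)?
// First release on each affected branch that carries the fix (OpenSSL advisory).
const CCS_FIXED = { '1.0.1': '1.0.1h', '1.0.0': '1.0.0m', '0.9.8': '0.9.8za' };

// Parse "1.0.1l" or "1.0.1e-fips" into { branch: '1.0.1', patch: 'l' }.
// OpenSSL patch levels are letters, so plain string/number compares are wrong.
function parseOpenSslVersion(v) {
  const m = /^(\d+\.\d+\.\d+)([a-z]*)/.exec(String(v).trim());
  if (!m) throw new Error('unrecognised OpenSSL version: ' + v);
  return { branch: m[1], patch: m[2] };
}

// Order patch letters the way OpenSSL does: none < 'a' < ... < 'z' < 'za' < 'zb'.
// A shorter suffix always sorts first; equal lengths compare alphabetically.
function comparePatch(a, b) {
  if (a.length !== b.length) return a.length - b.length;
  return a < b ? -1 : a > b ? 1 : 0;
}

// 'fixed' / 'vulnerable' for the three patched branches, 'unknown' otherwise
// (1.0.2 and later were released after the fix and need a different check).
function ccsInjectionStatus(version) {
  const { branch, patch } = parseOpenSslVersion(version);
  const fixed = CCS_FIXED[branch];
  if (!fixed) return 'unknown';
  const fixedPatch = parseOpenSslVersion(fixed).patch;
  return comparePatch(patch, fixedPatch) >= 0 ? 'fixed' : 'vulnerable';
}

// Report on the node binary that is running this script.
function reportRunningNode() {
  const openssl = (process.versions && process.versions.openssl) || '';
  let status;
  try { status = ccsInjectionStatus(openssl); } catch (e) { status = 'unknown'; }
  return { node: process.version, openssl: openssl, ccsInjection: status };
}

console.log(JSON.stringify(reportRunningNode()));
```

A 'vulnerable' result means the bundled OpenSSL predates the fix regardless of what any scanner reports; a 'fixed' result explains why a CCS probe is simply dropped.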