Host is Vulnerable to Extended Master Secret TLS Extension

RaaviTech

Mar 5, 2020, 6:06:30 PM
to rabbitmq-users

Hi

Our internal vulnerability scanner has flagged this:

Host is Vulnerable to Extended Master Secret TLS Extension (TLS triple handshake)

We updated RabbitMQ to version 3.8.2. How do we fix this issue/vulnerability?

Luke Bakken

Mar 6, 2020, 10:18:44 AM
to rabbitmq-users
Hello,

RabbitMQ does not implement TLS, the Erlang VM and OpenSSL (or your operating-system specific SSL library) does.

You need to let us know the exact version of Erlang you're using, on what operating system (and version), and the version of OpenSSL on that system.

More than likely you'll have to upgrade OpenSSL and Erlang to address this, if you want to spend the effort - https://www.tripwire.com/state-of-security/security-data-protection/security-hardening/tls-extended-master-secret-extension-fixing-a-hole-in-tls/

Thanks -
Luke

RaaviKids

Mar 9, 2020, 4:32:22 PM
to rabbitmq-users
We are using Erlang 22.2 OTP win64.

Has anyone reported this problem?

Thanks

RaaviKids

Mar 9, 2020, 11:07:36 PM
to rabbitmq-users
This is setup on Windows server 2016. OpenSSL is not installed.

Wesley Peng

Mar 9, 2020, 11:25:44 PM
to rabbitm...@googlegroups.com
Windows Server has a lot of other vulnerabilities besides this SSL one, doesn't it? :)

regards.

Luke Bakken

Mar 10, 2020, 3:19:57 PM
to rabbitmq-users
Hello -

Erlang on Windows is built using a statically linked OpenSSL so it is there, just not a separate library.

Since you're on the latest Erlang for Windows you can't address this TLS warning via an upgrade. You'll have to either live with it or mitigate it by using a TLS-terminating proxy.

Thanks -
Luke