On Thursday, January 29, 2015 at 1:26:52 PM UTC-5, ryandesign wrote: > > > > On Jan 28, 2015, at 9:14 AM, [email protected] <javascript:> wrote: > > > > I've been tasked with updating an old system running node.js, handing > SSL hand shakes. I was able to update the node binary (custom install), but > I don't feel as though the CVE-2014-0224 (CCS Injection) vulnerability is > actually fixed. The testing tool Breacher used to show we failed (reason > for the update) but after updating, it doesn't show a response at all. > Another tool (nmap script I believe) shows that node is disconnecting the > session immediately when trying to test. Is this the correct behavior? Will > this fix the hole and allow our site to pass the SSLLabs scan and give us > something other than an F? > > Which version of node are you now running? > > Are you using the version of openssl that ships with that version of node, > or a different version of openssl, and if the latter, which one? > > I now have v0.10.36 running on a testing environment. I believe it only uses it's statically linked SSL libs, as I'm using the binary download.
-- Job board: http://jobs.nodejs.org/ New group rules: https://gist.github.com/othiym23/9886289#file-moderation-policy-md Old group rules: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines --- You received this message because you are subscribed to the Google Groups "nodejs" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/nodejs/53b39169-bbf8-4657-a9e8-90ca39e61939%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
