Nextcloud jail and openssl version

Status
Not open for further replies.

zaggynl

Dabbler
Joined
Jan 22, 2016
Messages
17
Hi, I have a Nextcloud jail on my FreeNAS machine, works well, exposed to the internet and all.
Run the site through SSLLabs now and then to check, currently it's showing an F for the SSL test: https://www.ssllabs.com/ssltest/analyze.html?d=zaggy.nl&hideResults=on&latest
Vulnerable to CVE-2016-2107.
Same result on the site of the person who found the exploit: https://filippo.io/CVE-2016-2107/#zaggy.nl

From what I gather I need a newer openssl version?
OpenSSL appears to be patched in version 1.0.2_12 if I look at the ports: https://www.freshports.org/security/openssl/, server is running OpenSSL 1.0.2k, so it should be fine?
How do I upgrade my "score" and get rid of the vulnerability? Or is it a false positive?
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
You'll have to install openssl and your webserver from the ports. By default the package versions are built against the base version of openssl and that's why you're getting an F score.
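Added example, not part of the original thread or either poster's own code: a check for which OpenSSL a web server binary is actually linked against, which is the distinction the reply above turns on. It assumes the FreeBSD layout (base libraries under /lib and /usr/lib, ports and packages under /usr/local/lib); the function names, the nginx path and the sample `ldd` lines are constructed for illustration.

```shell
#!/bin/sh
# Report which OpenSSL a binary is dynamically linked against, from `ldd` output.
# Assumption: FreeBSD layout (base libs in /lib and /usr/lib, ports and
# packages in /usr/local/lib).

classify_openssl_link() {
    # Reads ldd output on stdin; prints base, ports, mixed, other or none.
    awk '
        # Typical line: "libssl.so.8 => /usr/lib/libssl.so.8 (0x800a4b000)"
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if ($3 ~ /^\/usr\/local\/lib\//)   ports++
            else if ($3 ~ /^\/(usr\/)?lib\//)  base++
            else                               other++
        }
        END {
            if (base && ports) print "mixed"
            else if (base)     print "base"
            else if (ports)    print "ports"
            else if (other)    print "other"
            else               print "none"
        }'
}

# Constructed sample: a web server package linked against base OpenSSL.
sample_base_ldd() {
    printf '%s\n' '/usr/local/sbin/nginx:'
    printf '\t%s\n' \
        'libssl.so.8 => /usr/lib/libssl.so.8 (0x800a4b000)' \
        'libcrypto.so.8 => /lib/libcrypto.so.8 (0x800cb7000)' \
        'libc.so.7 => /lib/libc.so.7 (0x8010ad000)'
}

# Constructed sample: the same server rebuilt from ports against ports OpenSSL.
sample_ports_ldd() {
    printf '%s\n' '/usr/local/sbin/nginx:'
    printf '\t%s\n' \
        'libssl.so.9 => /usr/local/lib/libssl.so.9 (0x800a4b000)' \
        'libcrypto.so.9 => /usr/local/lib/libcrypto.so.9 (0x800cb7000)' \
        'libc.so.7 => /lib/libc.so.7 (0x8010ad000)'
}

# Live use inside the jail: sh check.sh /usr/local/sbin/nginx
for bin in "$@"; do
    printf '%s: %s\n' "$bin" "$(ldd "$bin" 2>/dev/null | classify_openssl_link)"
done
```

A result of `base` after installing the ports OpenSSL means the server binary itself still needs rebuilding from ports; `mixed` means libssl and libcrypto are being loaded from both locations.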
 

zaggynl

Dabbler
Joined
Jan 22, 2016
Messages
17
Jailer said:
You'll have to install openssl and your webserver from the ports. By default the package versions are built against the base version of openssl and that's why you're getting an F score.

Thanks, all good now!
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Cool, thanks for the update.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
@zaggynl Out of curiosity, why are you using LetsEncrypt versus your own CA and certs generated by an openssl.cnf? Unless one has over fifty users, or random users, that will be accessing the server, there's no reason not to use a self-signed CA and/or ICA to sign the server's cert. The only difference would be any user accessing the server would need to install the CA, or ICA - CA certs, server certs on their device(s), else they'll get a browser warning.
  • I have a prebuilt openssl.cnf in my signature, with all commands required in the bottom half of the config.
 