Hello Lahitapiola Security Team,
I would like to make two reports:
## Subdomain viestinta.lahitapiola.fi is vulnerable to CVE-2016-2107
Proof of Concept:
Fix: Upgrade the OpenSSL version on the server to the latest stable release.
Moreover, the server's cipher suite list is not in order: the scan below shows only 112-bit 3DES suites being accepted.
Proof of Concept:

```shell
sslscan --no-fallback --no-renegotiation --no-compression --no-heartbleed viestinta.lahitapiola.fi
```

```text
Testing SSL server viestinta.lahitapiola.fi on port 443
Supported Server Cipher(s):
Accepted TLSv1.2 112 bits ECDHE-RSA-DES-CBC3-SHA Curve P-256 DHE 256
Accepted TLSv1.2 112 bits EDH-RSA-DES-CBC3-SHA DHE 2048 bits
Accepted TLSv1.2 112 bits DES-CBC3-SHA
Accepted TLSv1.1 112 bits ECDHE-RSA-DES-CBC3-SHA Curve P-256 DHE 256
Accepted TLSv1.1 112 bits EDH-RSA-DES-CBC3-SHA DHE 2048 bits
Accepted TLSv1.1 112 bits DES-CBC3-SHA
```
## How to fix?
Replace the cipher suite list on your servers with the one below:

```text
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
```
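As an added example (not from this report, and not sslscan's or OpenSSL's own code), the Python script below ties the two findings together: it parses the `Accepted` lines of sslscan output, flags every suite that the `!` exclusions of the recommended cipher string would reject (or that offers fewer than 128 bits), and checks whether the remaining suites appear in the preference order the list specifies. The first excerpt is the sslscan output quoted above; the second, out-of-order excerpt is constructed for illustration. The exclusion regexes are an assumption: a simplified approximation of OpenSSL's cipher-string matching that does not expand keyword groups such as `kEDH+AESGCM`.

```python
import re

# Recommended OpenSSL cipher string, copied from the report above.
RECOMMENDED = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
)

# Constructed sslscan excerpt: the lines quoted in the report.
SAMPLE_SSLSCAN = """\
Testing SSL server viestinta.lahitapiola.fi on port 443
Supported Server Cipher(s):
Accepted TLSv1.2 112 bits ECDHE-RSA-DES-CBC3-SHA Curve P-256 DHE 256
Accepted TLSv1.2 112 bits EDH-RSA-DES-CBC3-SHA DHE 2048 bits
Accepted TLSv1.2 112 bits DES-CBC3-SHA
Accepted TLSv1.1 112 bits ECDHE-RSA-DES-CBC3-SHA Curve P-256 DHE 256
Accepted TLSv1.1 112 bits EDH-RSA-DES-CBC3-SHA DHE 2048 bits
Accepted TLSv1.1 112 bits DES-CBC3-SHA
"""

# Constructed (hypothetical) excerpt: strong suites, but a less-preferred
# suite is offered ahead of a more-preferred one.
SAMPLE_OUT_OF_ORDER = """\
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
"""

# Assumption: simplified regexes over suite names standing in for OpenSSL's
# own "!" keyword matching. Keyword groups (kEDH+AESGCM) are not expanded.
EXCLUSION_PATTERNS = {
    "aNULL": r"(^|-)(ADH|AECDH)-",
    "eNULL": r"NULL-",
    "EXPORT": r"^EXP",
    "DES": r"DES-CBC-",    # single DES only; triple DES is "DES-CBC3-"
    "3DES": r"DES-CBC3-",
    "RC4": r"RC4-",
    "MD5": r"-MD5$",
    "PSK": r"PSK-",
}

ACCEPTED_RE = re.compile(r"^Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)")


def parse_cipher_string(cipher_string):
    """Split an OpenSSL cipher string into (suites in preference order, '!' keywords)."""
    preferred, excluded = [], []
    for token in cipher_string.split(":"):
        if token.startswith("!"):
            excluded.append(token[1:])
        elif token.startswith(("+", "-")):
            continue  # reorder / soft-remove tokens are out of scope for this audit
        else:
            preferred.append(token)
    return preferred, excluded


def parse_sslscan(text):
    """Return [(protocol, bits, suite)] for every 'Accepted' line of sslscan output."""
    rows = []
    for line in text.splitlines():
        m = ACCEPTED_RE.match(line.strip())
        if m:
            rows.append((m.group(1), int(m.group(2)), m.group(3)))
    return rows


def excluded_by(suite, excluded):
    """Return the first '!' keyword whose pattern matches the suite name, or None."""
    for keyword in excluded:
        pattern = EXCLUSION_PATTERNS.get(keyword)
        if pattern and re.search(pattern, suite):
            return keyword
    return None


def audit(sslscan_text, cipher_string=RECOMMENDED, min_bits=128):
    """Compare accepted suites with the cipher string.

    Returns {"weak": [(proto, suite, reason)],
             "out_of_order": [(proto, suite, less_preferred_suite_offered_first)]}.
    """
    preferred, excluded = parse_cipher_string(cipher_string)
    rank = {suite: i for i, suite in enumerate(preferred)}
    weak, out_of_order = [], []
    worst_seen = {}  # protocol -> (rank, suite) of the least-preferred suite so far
    for proto, bits, suite in parse_sslscan(sslscan_text):
        reason = excluded_by(suite, excluded)
        if reason:
            weak.append((proto, suite, f"matches !{reason}"))
        elif bits < min_bits:
            weak.append((proto, suite, f"only {bits} bits"))
        elif suite not in rank:
            weak.append((proto, suite, "not in recommended list"))
        else:
            # Assumption: sslscan lists suites in the server's preference order,
            # which is how the report reads its "not in order" finding.
            prev = worst_seen.get(proto)
            if prev is not None and rank[suite] < prev[0]:
                out_of_order.append((proto, suite, prev[1]))
            if prev is None or rank[suite] > prev[0]:
                worst_seen[proto] = (rank[suite], suite)
    return {"weak": weak, "out_of_order": out_of_order}


if __name__ == "__main__":
    for name, sample in (("report excerpt", SAMPLE_SSLSCAN),
                         ("ordering sample", SAMPLE_OUT_OF_ORDER)):
        result = audit(sample)
        print(f"== {name} ==")
        for proto, suite, reason in result["weak"]:
            print(f"WEAK   {proto} {suite}: {reason}")
        for proto, suite, earlier in result["out_of_order"]:
            print(f"ORDER  {proto} {suite} should be offered before {earlier}")
```

On the report's excerpt every accepted suite is rejected by `!3DES`, which is the whole finding in one line per suite; the ordering check only applies to suites that survive the exclusions. To run it against a live scan, pipe real sslscan output into `audit()` instead of the constructed strings.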
## Why should I trust the list above and what difference would it make to my infrastructure?
OpenSSL bugs are very frequent, and every new release of OpenSSL raises one or another over-hyped SSL-related vulnerability, creating havoc on the internet. Given this, it may not be feasible to keep upgrading OpenSSL for every release (most of the time upgrading OpenSSL requires an OS/server restart); therefore, the correct approach is to reduce the attack surface.
And a couple of further reasons:
Most importantly, speed:
As your business model requires end users to share PII data on your infrastructure, speed has to be another important factor alongside security. You can see the difference in SSL handshake speed between a client and your infrastructure with the command below:

```shell
for x in {1..10}; do curl -kso /dev/null -w "tcp:%{time_connect}, ssldone:%{time_appconnect}\n" https://viestinta.lahitapiola.fi; done
```

Run the above bash command before and after updating the cipher suites to compare the SSL handshake speed.
PS: The cipher suite list applies not only to viestinta.lahitapiola.fi but to all your business-critical infrastructure.
Regards
Akshya