Thread: Change in the newest OpenSSL version

Replies: 2 - Last Post: Feb 4, 2016 2:41 AM - Last Post By: Magnus Oskarsson
Magnus Oskarsson

Posts: 55
Registered: 9/14/09
Change in the newest OpenSSL version  
  Posted: Feb 2, 2016 2:43 AM
FYI: I tried the new 1.0.2f version of OpenSSL in one of our IntraWeb (14) applications on one of our test servers. When I ran the SSL Labs test before and after the upgrade (from 1.0.2e), I noticed that with 1.0.2f you get a new information bar, "This site works only in browsers with SNI support.", which I have never seen before (and you don't get it with 1.0.2e). If you look under "Handshake simulation", you see an "Incorrect certificate because this client doesn't support SNI" message for Android 2.3.7 and IE 8 / XP. I tested IE 7 and 8 via BrowserStack, and our web application still looks to work with them, and the same for an Android 2.3 device, so is this an incorrect "warning" from the SSL Labs test or not? If you have any experience or knowledge on the subject, please share it here. (A note: many of our customers are large companies with VERY conservative IT policies, so unfortunately we are not yet in a position where we can state that these browsers are no longer supported).

Best regards

Magnus Oskarsson
Alexandre Machado

Posts: 1,754
Registered: 8/10/13
Re: Change in the newest OpenSSL version  
  Posted: Feb 4, 2016 1:33 AM   in response to: Magnus Oskarsson
Magnus Oskarsson wrote:
FYI: I tried the new 1.0.2f version of OpenSSL in one of our IntraWeb (14) applications on one of our test servers. When I ran the SSL Labs test before and after the upgrade (from 1.0.2e), I noticed that with 1.0.2f you get a new information bar, "This site works only in browsers with SNI support.", which I have never seen before (and you don't get it with 1.0.2e). If you look under "Handshake simulation", you see an "Incorrect certificate because this client doesn't support SNI" message for Android 2.3.7 and IE 8 / XP. I tested IE 7 and 8 via BrowserStack, and our web application still looks to work with them, and the same for an Android 2.3 device, so is this an incorrect "warning" from the SSL Labs test or not? If you have any experience or knowledge on the subject, please share it here. (A note: many of our customers are large companies with VERY conservative IT policies, so unfortunately we are not yet in a position where we can state that these browsers are no longer supported).

Best regards

Magnus Oskarsson

Hi Magnus,

thanks for sharing this information. I've seen that the new OpenSSL version 1.0.2f fixed several security issues, but I still haven't tested it under SSL Labs. I should do it within a couple of days. Although it is always preferable to use the latest version, I don't see why you can't still use the previous version if your clients are using older browsers. LOTS of people around the world are still using older IE 9, 8 and 7 as well! Believe me!

Kind regards
Magnus Oskarsson

Posts: 55
Registered: 9/14/09
Re: Change in the newest OpenSSL version  
  Posted: Feb 4, 2016 2:41 AM   in response to: Alexandre Machado
Alexandre Machado wrote:

Hi Magnus,

thanks for sharing this information. I've seen that the new OpenSSL version 1.0.2f fixed several security issues, but I still haven't tested it under SSL Labs. I should do it within a couple of days. Although it is always preferable to use the latest version, I don't see why you can't still use the previous version if your clients are using older browsers. LOTS of people around the world are still using older IE 9, 8 and 7 as well! Believe me!

Hi Alexandre and thanks for your reply! I am beginning to think this was a fluke in the SSL Labs test; I no longer get the SNI-related "warning" when I re-run it on 1.0.2f, and as mentioned the web application seems to work as before with IE7-9 and Android 2.3. I have posted a similar question in the Qualys discussion forum; I will share it here if I get some info of interest there. Otherwise we will probably keep 1.0.2f running in our test environment for a little while longer, and when we think we have tested it sufficiently, we will apply it to our production servers as well.

/Magnus
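
Added example (not part of the original thread, and not code from SSL Labs or IntraWeb): one way to check for yourself what the "Incorrect certificate because this client doesn't support SNI" line is about, by handshaking with and without the SNI extension and comparing the certificates returned, repeated a few times because the report in this thread differed between runs. The function names and result labels are made up for this sketch, and comparing certificate fingerprints is an assumption about what matters here, not a description of how SSL Labs works.

```python
import hashlib
import socket
import ssl
import sys


def fetch_leaf_cert(host, port=443, send_sni=True, timeout=10):
    """Return the DER leaf certificate the server presents to this client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Validation is off on purpose: we want to see whatever certificate
    # comes back, including one that does not match the host name.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # server_hostname=None omits the server_name extension, which is how
    # a client without SNI support looks to the server.
    name = host if send_sni else None
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=name) as tls:
            return tls.getpeercert(binary_form=True)


def classify(cert_with_sni, cert_without_sni):
    """Compare the two handshakes by SHA-256 fingerprint of the leaf."""
    if cert_without_sni is None:
        return "no-SNI handshake failed"
    with_fp = hashlib.sha256(cert_with_sni).digest()
    without_fp = hashlib.sha256(cert_without_sni).digest()
    if with_fp == without_fp:
        return "same certificate"
    return "different certificate without SNI"


def check_host(host, port=443, runs=3, fetch=fetch_leaf_cert):
    """Repeat the comparison; outcomes that vary between runs suggest the
    result is not a stable property of the server configuration."""
    results = []
    for _ in range(runs):
        with_sni = fetch(host, port, send_sni=True)
        try:
            without_sni = fetch(host, port, send_sni=False)
        except OSError:  # ssl.SSLError is a subclass of OSError
            without_sni = None
        results.append(classify(with_sni, without_sni))
    return results


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python sni_check.py <host> [port]  (file name is hypothetical)
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for i, outcome in enumerate(check_host(sys.argv[1], port), 1):
        print(f"run {i}: {outcome}")
```

"same certificate" on every run means a client without SNI receives the same certificate as one with it; "different certificate without SNI" means the server picks its certificate from the SNI name, so the certificate a non-SNI client receives should be checked against the host name separately.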