locked
How do I know if I'm using OpenSSL? RRS feed

  • Question

  • Hi,

    We are running Exchange 2007 with Outlook Web Access and I'm wondering how I can tell if I'm using OpenSSL and if so, which version.  I'm concerned about the Heartblead vulnerability and need to know if we are affected by it.  Our Exchange server was originally installed by a consultant who is no longer in business so I have no idea how he configured it.

    Thanks in advance,

    Linn

    Wednesday, April 16, 2014 1:37 PM

Answers

  • Since neither Exchange nor IIS uses OpenSSL for their SSL functionality you're not affected. In fact I don't think any Microsoft products use OpenSSL, since after all it's an open source product and their have their own SSL functionality for handling that kind of thing.

    If you want to completely put your mind at rest though, just in case the consultant was some kind of masochistic madman who liked using random 3rd party tools in place of existing built in ones, there are plenty of scanners you can use to check your OWA site, for instance https://www.ssllabs.com/ssltest/ from Qualys. Just remember to select the check box to not display the result on the boards for obvious reasons.

    • Marked as answer by lkubler Wednesday, April 16, 2014 8:31 PM
    Wednesday, April 16, 2014 6:49 PM

All replies

  • Since neither Exchange nor IIS uses OpenSSL for their SSL functionality you're not affected. In fact I don't think any Microsoft products use OpenSSL, since after all it's an open source product and their have their own SSL functionality for handling that kind of thing.

    If you want to completely put your mind at rest though, just in case the consultant was some kind of masochistic madman who liked using random 3rd party tools in place of existing built in ones, there are plenty of scanners you can use to check your OWA site, for instance https://www.ssllabs.com/ssltest/ from Qualys. Just remember to select the check box to not display the result on the boards for obvious reasons.

    • Marked as answer by lkubler Wednesday, April 16, 2014 8:31 PM
    Wednesday, April 16, 2014 6:49 PM
  • Hi Keith,

    That was the answer I was hoping for, I seriously doubt the consultant used anything out of the ordinary to configure our systems.

    Thanks much!

    Linn

    Wednesday, April 16, 2014 8:31 PM