> am [I] still vulnerable to this if my customer's server is not up to date? Yes, maybe. If you use SSL3/TLS without PFS ciphers, then someone who has captured the traffic can send SSLv2 messages to the server and decrypt your traffic.