[openssl-dev] Could someone verify my efforts of a scan for the DROWN attack?

Brian Reichert reichert at numachi.com
Fri Apr 1 20:47:57 UTC 2016


On Fri, Apr 01, 2016 at 07:21:13PM +0200, Hubert Kario wrote:
> So, while it doesn't look like it is vulnerable to DROWN, it doesn't 
> instill a lot of confidence in me...

Thanks for the review.

FWIW, this is an ancient version of webmin (1.300), using perl
v5.10.1, employing Net::SSLeay as packaged by CentOS 6.7
(perl-Net-SSLeay-1.35-9.el6.x86_64), in turn linked against
openssl-1.0.1e-42.el6_7.4.x86_64.

Under the hood, we're using these config options:

  ssl_cipher_list=ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
  ssl_ctx_options=OP_NO_SSLv2 OP_NO_SSLv3

I'm happy with your assessment, as-is, but if there's some more
directed exploration you'd like me to do, please let me know.

> -- 
> Regards,
> Hubert Kario
> Senior Quality Engineer, QE BaseOS Security team
> Web: www.cz.redhat.com
> Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

-- 
Brian Reichert				<reichert at numachi.com>
BSD admin/developer at large	

