[openssl-dev] Could someone verify my efforts of a scan for the DROWN attack?

Hubert Kario hkario at redhat.com
Mon Apr 4 11:47:03 UTC 2016


On Friday 01 April 2016 16:47:57 Brian Reichert wrote:
> On Fri, Apr 01, 2016 at 07:21:13PM +0200, Hubert Kario wrote:
> > So, while it doesn't look like it is vulnerable to DROWN, it doesn't
> > instill a lot of confidence in me...
> 
> Thanks for the review.
> 
> FWIW, this is an ancient version of webmin (1.300), using perl
> v5.10.1, employing Net::SSLeay as packaged by CentOS 6.7
> (perl-Net-SSLeay-1.35-9.el6.x86_64), in turn linked against
> openssl-1.0.1e-42.el6_7.4.x86_64.
> 
> Under the hood, we're using these config options:
> 
> ssl_cipher_list=ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
> ssl_ctx_options=OP_NO_SSLv2 OP_NO_SSLv3
> 
> I'm happy with your assessment, as-is, but if there's some more
> directed exploration you'd like me to do, please let me know.

If you could prepare a minimal perl script that reproduces that
behaviour, that would be ideal - I'm not fluent in Perl and I'm not
familiar with Net::SSLeay, but I'd like to exclude a bug in them.

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
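A minimal Net::SSLeay server of the kind asked for above, added here as an illustration rather than Brian's or webmin's code: it applies the two settings from the quoted config, reads the option mask back from the context so the probe result can be compared with what the context actually holds, and answers one handshake at a time. It assumes a PEM certificate and key at the placeholder paths below, port 8443, and that CTX_get_options is available in the installed Net::SSLeay.

```perl
#!/usr/bin/perl
# Added illustration: minimal Net::SSLeay server with the webmin-style
# settings from the thread. Cert/key paths and the port are placeholders.
use strict;
use warnings;
use IO::Socket::INET;
use Net::SSLeay qw(die_now die_if_ssl_error);

my $cert = '/path/to/server-cert.pem';   # placeholder
my $key  = '/path/to/server-key.pem';    # placeholder
my $port = 8443;                         # assumed

Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();
Net::SSLeay::randomize();

my $ctx = Net::SSLeay::CTX_new() or die_now("CTX_new failed");

# Equivalent of ssl_ctx_options=OP_NO_SSLv2 OP_NO_SSLv3
Net::SSLeay::CTX_set_options($ctx,
    Net::SSLeay::OP_NO_SSLv2() | Net::SSLeay::OP_NO_SSLv3());
# Equivalent of ssl_cipher_list=... (same string as in the quoted config)
Net::SSLeay::CTX_set_cipher_list($ctx,
    'ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM')
    or die_now("CTX_set_cipher_list failed");

Net::SSLeay::CTX_use_certificate_file($ctx, $cert, Net::SSLeay::FILETYPE_PEM());
die_if_ssl_error("loading certificate");
Net::SSLeay::CTX_use_PrivateKey_file($ctx, $key, Net::SSLeay::FILETYPE_PEM());
die_if_ssl_error("loading private key");

# Read the option mask back: this is what the library will enforce,
# independent of what the config file claims.
my $opts = Net::SSLeay::CTX_get_options($ctx);
printf "OP_NO_SSLv2 in effect: %d, OP_NO_SSLv3 in effect: %d\n",
    ($opts & Net::SSLeay::OP_NO_SSLv2()) ? 1 : 0,
    ($opts & Net::SSLeay::OP_NO_SSLv3()) ? 1 : 0;

my $listen = IO::Socket::INET->new(LocalPort => $port, Listen => 5,
    ReuseAddr => 1, Proto => 'tcp') or die "listen on $port: $!";

while (my $client = $listen->accept()) {
    my $ssl = Net::SSLeay::new($ctx);
    Net::SSLeay::set_fd($ssl, fileno($client));
    if (Net::SSLeay::accept($ssl) <= 0) {
        print "handshake rejected: ",
            Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error()), "\n";
    } else {
        print "negotiated cipher: ", Net::SSLeay::get_cipher($ssl), "\n";
        Net::SSLeay::write($ssl, "HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n");
    }
    Net::SSLeay::free($ssl);
    close $client;
}
Net::SSLeay::CTX_free($ctx);
```

Run it, then connect with `openssl s_client -connect localhost:8443` once per protocol the local OpenSSL build can still speak (for example `-ssl3`); the server's log line shows whether the handshake was refused by the library or accepted, which separates a Net::SSLeay issue from a webmin one.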