[openssl-users] DROWN (CVE-2016-0800)

Scott Neugroschl scott_n at xypro.com
Wed Mar 2 19:10:43 UTC 2016

>From the linked document:

"All client sessions are vulnerable if the target server still supports SSLv2 today, irrespective of whether the client ever supported it"

I'm trying to understand this.  I am using a custom build of OpenSSL as a client, which was configured no-ssl2 and no-ssl3.  My code is
client-only.  So I am still vulnerable to this if my customer's server is not up to date?

-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Salz, Rich
Sent: Wednesday, March 02, 2016 10:22 AM
To: openssl-users at openssl.org
Subject: Re: [openssl-users] DROWN (CVE-2016-0800)

Other implementations MAY be susceptible.  It's a protocol flaw.

The fix is to completely remove SSLv2.  See the blog post:  https://www.openssl.org/blog/blog/2016/03/01/an-openssl-users-guide-to-drown/

Senior Architect, Akamai Technologies
IM: richsalz at jabber.at Twitter: RichSalz

openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

More information about the openssl-users mailing list