[openssl-users] DROWN (CVE-2016-0800)
Viktor Dukhovni
openssl-users at dukhovni.org
Wed Mar 2 19:24:07 UTC 2016
On Wed, Mar 02, 2016 at 07:10:43PM +0000, Scott Neugroschl wrote:
> From the linked document:
>
> "All client sessions are vulnerable if the target server still supports
> SSLv2 today, irrespective of whether the client ever supported it"
The SSLv2 protocol need only be used between the attacker and the
vulnerable server. The client can use any SSL/TLS protocol, provided
that RSA key transport was used for key agreement and not DHE or
ECDHE.
With servers not patched since 19/Mar/2015, an MiTM attacker may
be able to perform a real-time downgrade to RSA key exchange.
> I'm trying to understand this. I am using a custom build of OpenSSL as
> a client, which was configured no-ssl2 and no-ssl3. My code is
> client-only. So I am still vulnerable to this if my customer's server is
> not up to date?
Yes. Sessions with vulnerable servers are vulnerable, unless the
client never uses RSA key transport. If you have a dedicated
application that is sure to only communicate with servers that can
do forward-secret DHE/ECDHE handshakes, you can disable RSA key
transport on the client side. This is not practical for most users.
For example, the client-side cipherstring:
DEFAULT:!kRSA:!EXPORT:!LOW
is sufficient, if not generally practical.
--
Viktor.
More information about the openssl-users
mailing list