[openssl-users] DROWN (CVE-2016-0800)

Viktor Dukhovni openssl-users at dukhovni.org
Wed Mar 2 19:24:07 UTC 2016

On Wed, Mar 02, 2016 at 07:10:43PM +0000, Scott Neugroschl wrote:

> From the linked document:
> "All client sessions are vulnerable if the target server still supports
> SSLv2 today, irrespective of whether the client ever supported it"

The SSLv2 protocol need only be used between the attacker and the
vulnerable server.  The client can use any SSL/TLS protocol, provided
that RSA key transport was used for key agreement and not DHE or

With servers not patched since 19/Mar/2015, an MiTM attacker may
be able to perform a real-time downgrade to RSA key exchange.

> I'm trying to understand this.  I am using a custom build of OpenSSL as
> a client, which was configured no-ssl2 and no-ssl3.  My code is
> client-only.  So I am still vulnerable to this if my customer's server is
> not up to date?

Yes.  Sessions with vulnerable servers are vulnerable, unless the
client never uses RSA key transport.  If you have a dedicated
application that is sure to only communicate with servers that can
do forward-secret DHE/ECDHE handshakes, you can disable RSA key
transport on the client side.  This is not practical for most users.

For example, the client-side cipherstring:


is sufficient, if not generally practical.
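As an added illustration (not code from the message above, and using a cipher string of my own choosing rather than whichever one the post referred to), the following Python builds an OpenSSL-backed client context that permits only (EC)DHE or TLS 1.3 key agreement, and checks the enabled suite list for any remaining RSA key transport (Kx=RSA), which is what a DROWN-exposed server would let an attacker decrypt:

```python
import re
import ssl

# Added example; cipher string is my own choice, not the one from the post.
# Keeps only ephemeral (EC)DH key agreement and explicitly drops RSA key transport.
FORWARD_SECRET_CIPHERS = "ECDHE:DHE:!aNULL:!eNULL:!kRSA"

_KX_RE = re.compile(r"\bKx=(\S+)")


def key_exchange_of(cipher):
    """Key-exchange method ('RSA', 'ECDH', 'DH', 'any', ...) parsed from the
    OpenSSL description string of one SSLContext.get_ciphers() entry."""
    m = _KX_RE.search(cipher["description"])
    return m.group(1) if m else "unknown"


def rsa_key_transport_ciphers(ctx):
    """Names of enabled suites that encrypt the pre-master secret under the
    server's RSA key.  TLS 1.3 suites report Kx=any and are always forward secret."""
    return [c["name"] for c in ctx.get_ciphers() if key_exchange_of(c) == "RSA"]


def forward_secret_client_context():
    """Client context that can only negotiate (EC)DHE or TLS 1.3 key exchange."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(FORWARD_SECRET_CIPHERS)
    return ctx


def permissive_client_context():
    """Comparison context using OpenSSL's ALL list: it still offers Kx=RSA
    suites, so a session with a vulnerable server could be decrypted offline."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")
    return ctx


if __name__ == "__main__":
    print("ALL list, Kx=RSA suites:",
          rsa_key_transport_ciphers(permissive_client_context()))
    print("forward-secret list, Kx=RSA suites:",
          rsa_key_transport_ciphers(forward_secret_client_context()))
```

Such a client fails the handshake against a server that only offers RSA key transport, which is the practicality problem the message points out.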
