[openssl-users] DROWN (CVE-2016-0800)

Michael Wojcik Michael.Wojcik at microfocus.com
Wed Mar 2 19:38:18 UTC 2016

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Scott Neugroschl
> Sent: Wednesday, March 02, 2016 14:11
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] DROWN (CVE-2016-0800)
> From the linked document:
> "All client sessions are vulnerable if the target server still supports SSLv2
> today, irrespective of whether the client ever supported it"
> I'm trying to understand this.  I am using a custom build of OpenSSL as a
> client, which was configured no-ssl2 and no-ssl3.  My code is
> client-only.  So I am still vulnerable to this if my customer's server is not up to
> date?

*You* are not vulnerable. The *server* may be vulnerable. Sessions between your client and a vulnerable server are vulnerable.

DROWN is an attack on servers that use RSA keys and support SSLv2.

The client cannot prevent this attack - it has to be mitigated at the server end.

Michael Wojcik
Technology Specialist, Micro Focus

More information about the openssl-users mailing list