[openssl-users] DROWN (CVE-2016-0800)

Salz, Rich rsalz at akamai.com
Wed Mar 2 20:38:30 UTC 2016

> am [I] still vulnerable to this if my customer's server is not up to date?

Yes, maybe.

If you use SSL3/TLS without PFS ciphers, then someone who has captured the traffic can send SSLv2 messages to the server and decrypt your traffic.
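As an added illustration (not part of the original message), the sketch below sorts lines in the `openssl ciphers -v` output format into the two conditions the reply names: SSLv2 suites, and SSL3/TLS suites without forward secrecy. The sample lines are constructed and the function names `classify` and `audit` are hypothetical.

```python
import re

# Constructed sample in the `openssl ciphers -v` line format
# (not captured from any real server).
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
ECDH-RSA-AES128-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
"""

# name, protocol, key exchange, authentication
LINE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)")

# Key-exchange labels that mean an ephemeral (EC)DH exchange.
# TLS 1.3 suites print Kx=any and always use (EC)DHE.
# Anything else (RSA, static ECDH/RSA, ...) is treated as non-PFS.
EPHEMERAL_KX = {"DH", "ECDH", "any"}


def classify(line):
    """Return (suite_name, category) or None if the line does not parse."""
    m = LINE.match(line.strip())
    if not m:
        return None
    name, proto, kx, _au = m.groups()
    if proto == "SSLv2":
        return name, "sslv2"
    kx_base = kx.split("(")[0]  # drop export key size, e.g. RSA(512)
    return name, ("pfs" if kx_base in EPHEMERAL_KX else "no_pfs")


def audit(text):
    """Group suite names by category, preserving input order."""
    report = {"sslv2": [], "no_pfs": [], "pfs": []}
    for line in text.splitlines():
        result = classify(line)
        if result:
            report[result[1]].append(result[0])
    return report


if __name__ == "__main__":
    for category, suites in audit(SAMPLE).items():
        print(f"{category}: {', '.join(suites) or '-'}")
```

Any entry under `sslv2` means SSLv2 is still offered, and entries under `no_pfs` are the suites whose recorded sessions the reply describes as decryptable.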

