
Server incorrectly downgraded to F (DROWN attack) although not vulnerable?

Question asked by Hermann Stamm-Wilbrandt on Sep 28, 2016
Latest reply on Oct 6, 2016 by Hermann Stamm-Wilbrandt

I used the SSLlabs server test for my website, and the test complains that the server is vulnerable to the DROWN attack:

SSL Server Test: stamm-wilbrandt.de (Powered by Qualys SSL Labs) 


I contacted my web hoster and he said that he fixed all servers long ago.
And he provided proof that my website is not vulnerable:

https://pentest-tools.com/network-vulnerability-scanning/drown-ssl-scanner

General DROWN / Special DROWN

| IP address | Hostname | Port | CVE-2016-0800 | CVE-2015-3197 | CVE-2016-0703 |
|---|---|---|---|---|---|
| 93.90.177.145 | stamm-wilbrandt.de | 443 | Not vulnerable | Not vulnerable | Not vulnerable |

 

Is there a bug in SSLlabs server test wrt DROWN detection?

Or is pentest-tools.com wrong?

Hermann.
