
SSL Server test "DROWN" vulnerability incorrect

Question asked by Jon Pertwee on Apr 19, 2017
Latest reply on Apr 20, 2017 by Jon Pertwee

I have tested my server yyy.xxxx.com using the SSL Server test. (Sorry, I decided to obscure the URL to protect my systems in case they're still vulnerable.)

The first time I did this, I got an "F".

I have since shut down SSLv2 (and 3) on that server (your test confirms this) and replaced the certificate, but I still get the error "Vulnerable (same hostname with SSL v2)" pointing at the same host IP as the one I'm testing, on port 143. This is an email server and IMAP port 143 is open, but 143 is cleartext and not encrypted; 993 is secure IMAP, so I really don't understand this test. Anyway, this still leads to an "F" based on the previous vulnerability.

I understand the DROWN attack and how getting the private key through SSLv2 can leave systems vulnerable even if they are not using SSLv2 any more, but this is why we changed the certificate.

What's going on, and why am I still getting this issue? How can I resolve it?
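A plain-text IMAP port can still end up speaking TLS, and therefore SSLv2, through the STARTTLS command: the client upgrades the same connection in place, and a server with SSLv2 left enabled on that listener will answer an SSLv2 ClientHello there. The script below is an added example for this thread, not code from the original post or from SSL Labs. Modern OpenSSL builds cannot speak SSLv2 at all (so `openssl s_client -ssl2` is not available), which is why it assembles the SSLv2 ClientHello by hand: it connects to port 143, issues `STARTTLS` with the tag `a1`, sends the hello and classifies the reply. The host name, the tag and the sample ServerHello and alert bytes are constructed for illustration; the offline parts can be checked without a server.

```python
"""Probe an IMAP port for SSLv2 behind STARTTLS (the DROWN precondition).

Added example, not code from the original post or from SSL Labs.
Host name and sample bytes are constructed for illustration.
"""
import socket
import struct

# SSLv2 cipher specs (3 bytes each) from the SSL 2.0 specification.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL2_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL2_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL2_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL2_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL2_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL2_DES_192_EDE3_CBC_WITH_MD5",
}


def build_sslv2_client_hello(challenge: bytes = b"\x11" * 16) -> bytes:
    """Return an SSLv2 record carrying a CLIENT-HELLO that offers every SSLv2 cipher."""
    ciphers = b"".join(SSLV2_CIPHERS)  # dict keys, in insertion order
    body = (
        b"\x01"                              # MSG-CLIENT-HELLO
        + b"\x00\x02"                        # CLIENT-VERSION = SSL 2.0
        + struct.pack(">H", len(ciphers))    # CIPHER-SPECS-LENGTH
        + struct.pack(">H", 0)               # SESSION-ID-LENGTH (new session)
        + struct.pack(">H", len(challenge))  # CHALLENGE-LENGTH
        + ciphers
        + challenge
    )
    # 2-byte record header: high bit set = no padding byte, low 15 bits = length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_sslv2_server_hello(data: bytes):
    """Return (version, [cipher names]) if data starts with an SSLv2 SERVER-HELLO, else None."""
    if len(data) < 2 or not data[0] & 0x80:
        return None
    length = ((data[0] & 0x7F) << 8) | data[1]
    msg = data[2:2 + length]
    # type(1) session-id-hit(1) cert-type(1) version(2) cert-len(2) spec-len(2) conn-id-len(2)
    if len(msg) < 11 or msg[0] != 0x04:
        return None
    version = struct.unpack(">H", msg[3:5])[0]
    cert_len, spec_len, _conn_len = struct.unpack(">HHH", msg[5:11])
    specs = msg[11 + cert_len:11 + cert_len + spec_len]
    names = [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
             for i in range(0, len(specs), 3)]
    return version, names


def classify_response(data: bytes) -> str:
    """Map the bytes that come back after our SSLv2 hello to a verdict."""
    if not data:
        return "closed"      # connection dropped: the service does not speak SSLv2
    if data[0] == 0x15:
        return "tls-alert"   # a TLS-only server answered with an alert record
    if parse_sslv2_server_hello(data) is not None:
        return "sslv2"       # DROWN precondition present on this service
    return "other"


def _read_imap_response(sock: socket.socket, tag: bytes) -> bytes:
    """Read IMAP lines until the tagged completion line arrives (or the peer closes)."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return buf
        buf += chunk
        for line in buf.split(b"\r\n"):
            if line.startswith(tag + b" "):
                return line


def probe_imap_starttls_sslv2(host: str, port: int = 143, timeout: float = 5.0) -> dict:
    """Connect in clear text, issue STARTTLS, then offer SSLv2 on the upgraded connection."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        greeting = sock.recv(4096)                  # "* OK ..." banner
        sock.sendall(b"a1 STARTTLS\r\n")            # tag "a1" is arbitrary
        reply = _read_imap_response(sock, b"a1")
        if not reply.startswith(b"a1 OK"):
            return {"greeting": greeting, "starttls": False, "verdict": "no-starttls"}
        sock.sendall(build_sslv2_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
        return {"greeting": greeting, "starttls": True,
                "verdict": classify_response(data),
                "server_hello": parse_sslv2_server_hello(data)}


# Constructed SSLv2 SERVER-HELLO. A real one also carries the DER certificate and a
# 16-byte connection id; both lengths are zero here to keep the sample short.
SAMPLE_SERVER_HELLO = (
    b"\x80\x0e"       # record header: no padding, length 14
    b"\x04"           # MSG-SERVER-HELLO
    b"\x00"           # SESSION-ID-HIT = 0
    b"\x01"           # CERTIFICATE-TYPE = X.509
    b"\x00\x02"       # SERVER-VERSION = SSL 2.0
    b"\x00\x00"       # CERTIFICATE-LENGTH
    b"\x00\x03"       # CIPHER-SPECS-LENGTH
    b"\x00\x00"       # CONNECTION-ID-LENGTH
    b"\x01\x00\x80"   # SSL2_RC4_128_WITH_MD5
)

# Constructed TLS alert record (fatal protocol_version) as a TLS-only server answers.
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe_imap_starttls_sslv2(sys.argv[1]))   # e.g. python probe.py yyy.xxxx.com
    else:
        print(classify_response(SAMPLE_SERVER_HELLO), classify_response(SAMPLE_TLS_ALERT))
```

A verdict of `sslv2` on 143 means the IMAP listener itself accepts SSLv2 after STARTTLS, so the DROWN finding against that port stands regardless of what 993 or 443 negotiate; `closed` or `tls-alert` means that listener refuses SSLv2. The same probe can be pointed at 110 or 25 by swapping the STARTTLS exchange for the POP3 `STLS` or SMTP `STARTTLS` command.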
