
DROWN SSLv2 testing outdated?

Question asked by Frank Gadegast on Dec 20, 2017
Latest reply on Dec 20, 2017 by Frank Gadegast

Hello,

 

we have wildcard certificates that are F-rated by the server test because of Drown.

Sure, the Censys list of IPs is really outdated, but the test results state:

 

(4) We perform real-time key reuse checks, but stop checking after first confirmed vulnerability

 

The test goes through a couple of IPs from censys and then stops with the result:

25 | Yes | Yes | Vulnerable (same key with SSL v2)

(the IP is for later).

 

I'm pretty sure that no daemon on the IP is supporting SSLv2 and surely no other daemon is using the same wildcard certificate (in fact, we turned SSLv2 off on all daemons in our netblocks).

 

In fact, tests like

openssl s_client -connect 1.2.3.4:465 -ssl2 | grep Protocol

return nothing for SSLv2.

Surely some servers do still have SSLv3 running and maybe even older ciphers, but does that count for the DROWN test?

 

Is there anything else we should consider and test to get rid of the "F"?
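The check the server test describes above has two parts: a host that still answers an SSLv2 CLIENT-HELLO, and a certificate in that answer carrying the same RSA public key as the graded TLS certificate (the wildcard key, in this case). Neither SSLv3 nor old TLS ciphers enter into it. A practical catch when verifying this with `openssl s_client -ssl2`: OpenSSL 1.1.0 and later removed SSLv2 from the client entirely, so an empty result only proves the client cannot speak SSLv2, not that the server refuses it. The following script, added as an example for this page and not code from Qualys, SSL Labs or the original poster, sends a raw SSLv2 CLIENT-HELLO itself, parses the SERVER-HELLO, and compares the SubjectPublicKeyInfo of the returned certificate with that of the graded service. The host names, ports and the DER skeleton used for the offline sample are placeholders and constructed data.

```python
"""Re-check the DROWN key-reuse condition: does a host answer SSLv2, and does the
certificate in its SERVER-HELLO carry the same public key as the graded TLS cert?
Added example for this page; not SSL Labs / Qualys code. Host names are placeholders."""
import hashlib
import socket
import struct
import sys

SSLV2_CIPHERS = [  # SSLv2 cipher-kind codes (3 bytes each) from the SSLv2 draft
    b"\x01\x00\x80",  # SSL_CK_RC4_128_WITH_MD5
    b"\x02\x00\x80",  # SSL_CK_RC4_128_EXPORT40_WITH_MD5
    b"\x03\x00\x80",  # SSL_CK_RC2_128_CBC_WITH_MD5
    b"\x04\x00\x80",  # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    b"\x05\x00\x80",  # SSL_CK_IDEA_128_CBC_WITH_MD5
    b"\x06\x00\x40",  # SSL_CK_DES_64_CBC_WITH_MD5
    b"\x07\x00\xc0",  # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
]

def build_client_hello(challenge=b"\x11" * 16):
    """SSLv2 CLIENT-HELLO: type 1, version 0.2, cipher-specs, no session id, 16-byte challenge."""
    ciphers = b"".join(SSLV2_CIPHERS)
    body = b"\x01\x00\x02" + struct.pack(">HHH", len(ciphers), 0, len(challenge)) + ciphers + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body  # 2-byte header, high bit = no padding

def parse_server_hello(record):
    """Parse an SSLv2 SERVER-HELLO record; raises ValueError on anything else."""
    if len(record) < 2:
        raise ValueError("short record")
    hdr = record[0]
    if hdr & 0x80:
        length, off = ((hdr & 0x7f) << 8) | record[1], 2
    else:  # 3-byte header (padding byte present)
        length, off = ((hdr & 0x3f) << 8) | record[1], 3
    body = record[off:off + length]
    if len(body) < 11 or body[0] != 0x04:
        raise ValueError("not an SSLv2 SERVER-HELLO")
    # type(1) session-id-hit(1) cert-type(1) version(2) cert-len(2) cipher-specs-len(2) conn-id-len(2)
    version, cert_len, cs_len, cid_len = struct.unpack(">HHHH", body[3:11])
    p = 11
    cert, p = body[p:p + cert_len], p + cert_len
    specs, p = body[p:p + cs_len], p + cs_len
    conn_id = body[p:p + cid_len]
    if len(cert) != cert_len or len(specs) != cs_len or len(conn_id) != cid_len:
        raise ValueError("truncated SERVER-HELLO")
    return {"version": version, "cert_type": body[2], "certificate": cert,
            "ciphers": [specs[i:i + 3] for i in range(0, cs_len, 3)]}

def der_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER TLV starting at buf[off]."""
    tag, l, off = buf[off], buf[off + 1], off + 2
    if l & 0x80:
        n = l & 0x7f
        l, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + l

def spki_from_cert(der):
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo and return that TLV."""
    tag, s, _ = der_tlv(der, 0)
    tag2, off, _ = der_tlv(der, s)
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER certificate")
    tag, _, ve = der_tlv(der, off)
    if tag == 0xA0:          # optional EXPLICIT [0] version
        off = ve
    for _ in range(5):       # serialNumber, signature, issuer, validity, subject
        _, _, off = der_tlv(der, off)
    tag, _, ve = der_tlv(der, off)
    if tag != 0x30:
        raise ValueError("no subjectPublicKeyInfo")
    return der[off:ve]

def same_key(cert_a, cert_b):
    """True when two certificates (DER) carry the same public key, whatever their other fields."""
    return hashlib.sha256(spki_from_cert(cert_a)).digest() == hashlib.sha256(spki_from_cert(cert_b)).digest()

def probe_sslv2(host, port, timeout=5.0):
    """Send a CLIENT-HELLO and return the parsed SERVER-HELLO, or None if the server drops it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        data = b""
        while len(data) < 2:
            chunk = s.recv(4096)
            if not chunk:
                return None
            data += chunk
        hdr = data[0]
        need = 2 + (((hdr & 0x7f) << 8) | data[1]) if hdr & 0x80 else 3 + (((hdr & 0x3f) << 8) | data[1])
        while len(data) < need:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    try:
        return parse_server_hello(data)
    except ValueError:
        return None

# --- constructed sample data for offline use (not real certificates) ---------------------
def der(tag, content):
    """Minimal DER encoder used only to build the skeleton samples below."""
    n = len(content)
    hdr = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + struct.pack(">H", n))
    return bytes([tag]) + hdr + content

def make_skeleton_cert(spki, serial=b"\x01"):
    """Constructed stand-in with the real tbsCertificate field order but empty issuer/validity/subject
    and no signature; enough to exercise spki_from_cert, never a usable certificate."""
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, serial) + der(0x30, b"") * 4 + spki
    return der(0x30, der(0x30, tbs))

def make_server_hello(cert, ciphers=(b"\x01\x00\x80", b"\x07\x00\xc0"), conn_id=b"\xaa" * 16):
    """Constructed SSLv2 SERVER-HELLO (session-id-hit 0, X.509 cert type 1, version 0.2)."""
    specs = b"".join(ciphers)
    body = b"\x04\x00\x01\x00\x02" + struct.pack(">HHH", len(cert), len(specs), len(conn_id)) + cert + specs + conn_id
    return struct.pack(">H", 0x8000 | len(body)) + body

if __name__ == "__main__":
    # usage: python3 drown_probe.py graded.example.com:443 mail.example.com:465 mail.example.com:993
    import ssl
    host, port = sys.argv[1].rsplit(":", 1)
    ref = ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, int(port))))
    for target in sys.argv[2:]:
        h, p = target.rsplit(":", 1)
        try:
            sh = probe_sslv2(h, int(p))
        except OSError as e:
            print(f"{target}: no SSLv2 ({e})")
            continue
        if sh is None:
            print(f"{target}: no SSLv2 SERVER-HELLO")
            continue
        verdict = "SAME KEY -> DROWN condition" if same_key(ref, sh["certificate"]) else "different key"
        print(f"{target}: SSLv2 answered with {len(sh['ciphers'])} ciphers, {verdict}")
```

Run it against every host and port that has ever served the wildcard certificate, not only the first one that fails, since the server test stops at the first confirmed hit. The probe speaks SSLv2 directly, so it is only meaningful on implicit-TLS ports such as 465 or 993; a port 25 or 587 listener expects the SMTP STARTTLS exchange first, which this example does not perform.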
