We have wildcard certificates that are F-rated by the server test because of DROWN.
Sure, the Censys list of IPs is really outdated, but the test results state:
(4) We perform real-time key reuse checks, but stop checking after first confirmed vulnerability
The test goes through a couple of IPs from Censys and then stops with the result:
|25||Yes||Yes||Vulnerable (same key with SSL v2)|
(the IP is for later).
I'm pretty sure that no daemon on the IP is supporting SSLv2, and surely no other daemon using the same wildcard certificate is either (in fact, we turned SSLv2 off on all daemons in our netblocks).
In fact, tests like
openssl s_client -connect 126.96.36.199:465 -ssl2 | grep Protocol
return nothing for SSLv2.
Surely some servers do still have SSLv3 running and maybe even older ciphers, but does that count for the DROWN test?
Is there anything else we should consider and test to get rid of the "F"?