Mailing List CGatePro@mail.stalker.com Message #107012
From: Jeff Porten jporten@cni.org <CGatePro@mail.stalker.com>
Subject: Securing against DROWN SSLv2 attacks?
Date: Fri, 23 Nov 2018 16:08:42 -0500
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: Apple Mail (2.3445.9.1)
Just received an email from The Boss saying that he tested our CGP server against the tests at SSL Labs, and we came back as failing the DROWN attack against SSLv2. (When using the same certificate for both SSLv2 and TLS, the weaknesses in SSLv2 can expose private key data that can then decrypt a later TLS session.) This puts some egg on my face as this attack is 2.5 years old.

I’ve just searched the list and found no data on this, except a mention of DROWN in an unrelated discussion the week after it was public. I sort of vaguely recall that somewhere in CGP is a list of security protocols that we can turn on and off, but I may be misremembering the Init SSL/TLS setting (on/off) on port listeners.

What are we supposed to do about this?

Thanks,
Jeff Porten

Subscribe (FEED) Subscribe (DIGEST) Subscribe (INDEX) Unsubscribe Mail to Listmaster