Mailing List CGatePro@mail.stalker.com Message #107014
From: Nicolas Hatier nicolas.hatier@niversoft.com <CGatePro@mail.stalker.com>
Subject: Re: Securing against DROWN SSLv2 attacks?
Date: Fri, 23 Nov 2018 19:04:22 -0500
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
Quoting tech support in a related discussion:

« Also a general note on SSL/TLS "analyzers": many of those do not implement deep tests but look for specific behavior known for widespread implementations and, when they see one, may flag the implementation as vulnerable, though it may not be true. And the rating system they use is good for their marketing but not for the actual security of your servers. No reports for actual MITM attacks on encrypted connections (those are really really hard to set up) but weak passwords, fake login pages and other leaks come dozens a day. »
NH

On 2018-11-23 16:32, Mark Strawcutter mjstraw@iup.edu wrote:
Because CGP doesn't use any of the more common SSL packages, test sites will often return false positives.

CGP tech support will likely tell you if this is the case here.  I wouldn't be too concerned right now.

Mark

------ Original message------
From: Jeff Porten jporten@cni.org
Date: Fri, Nov 23, 2018 4:10 PM
To: CommuniGate Pro Discussions;
Cc:
Subject: Securing against DROWN SSLv2 attacks?

Just received an email from The Boss saying that he tested our CGP server against the tests at SSL Labs, and we came back as failing the DROWN attack against SSLv2. (When using the same certificate for both SSLv2 and TLS, the weaknesses in SSLv2 can expose private key data that can then decrypt a later TLS session.) This puts some egg on my face as this attack is 2.5 years old.

I’ve just searched the list and found no data on this, except a mention of DROWN in an unrelated discussion the week after it was public. I sort of vaguely recall that somewhere in CGP is a list of security protocols that we can turn on and off, but I may be misremembering the Init SSL/TLS setting (on/off) on port listeners.

What are we supposed to do about this?

Thanks,
Jeff Porten


#############################################################
This message is sent to you because you are subscribed to
  the mailing list <CGatePro@mail.stalker.com>.
To unsubscribe, E-mail to: <CGatePro-off@mail.stalker.com>
To switch to the DIGEST mode, E-mail to <CGatePro-digest@mail.stalker.com>
To switch to the INDEX mode, E-mail to <CGatePro-index@mail.stalker.com>
Send administrative queries to  <CGatePro-request@mail.stalker.com>
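The practical way to settle the "false positive or not" question raised in this thread is to do on your own listener what the scanner did: send an SSLv2-format ClientHello and look at what comes back. The script below is an added example for this thread, not code from CommuniGate Pro, SSL Labs or anyone on the list. It builds the SSLv2 CLIENT-HELLO record the way classic SSLv2 probes do, classifies the first bytes the server returns (a genuine SSLv2 SERVER-HELLO, an SSLv2 ERROR, a TLS alert, a TLS handshake, or a dropped connection), and only touches the network when you pass a host and port on the command line, which are assumptions you supply. The sample replies in `SAMPLE_REPLIES` are constructed, not captured from any real server.

```python
"""Check whether a TLS listener still answers an SSLv2-style ClientHello.

Added example for the CGatePro list thread above; not CommuniGate Pro code.
Usage: python sslv2_check.py <host> <port>   (host/port are your own server)
"""
import socket
import struct
import sys

# SSLv2 cipher specs (3 bytes each) from the SSLv2 draft. The 40-bit export
# ciphers are the ones the DROWN paper relies on; listing them all mirrors
# what a scanner's SSLv2 probe offers.
SSLV2_CIPHERS = [
    b"\x01\x00\x80",  # SSL_CK_RC4_128_WITH_MD5
    b"\x02\x00\x80",  # SSL_CK_RC4_128_EXPORT40_WITH_MD5
    b"\x03\x00\x80",  # SSL_CK_RC2_128_CBC_WITH_MD5
    b"\x04\x00\x80",  # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    b"\x05\x00\x80",  # SSL_CK_IDEA_128_CBC_WITH_MD5
    b"\x06\x00\x40",  # SSL_CK_DES_64_CBC_WITH_MD5
    b"\x07\x00\xc0",  # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
]


def build_sslv2_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """Return an SSLv2 CLIENT-HELLO record (2-byte header, high bit set)."""
    ciphers = b"".join(SSLV2_CIPHERS)
    body = (
        b"\x01"                              # MSG-CLIENT-HELLO
        + b"\x00\x02"                        # CLIENT-VERSION = SSLv2
        + struct.pack(">H", len(ciphers))    # CIPHER-SPECS-LENGTH
        + struct.pack(">H", 0)               # SESSION-ID-LENGTH (none)
        + struct.pack(">H", len(challenge))  # CHALLENGE-LENGTH
        + ciphers
        + challenge
    )
    # SSLv2 2-byte record header: bit 15 set, low 15 bits = body length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def classify_response(data: bytes) -> str:
    """Interpret the first bytes a server sent back to the SSLv2 hello."""
    if not data:
        return "closed"                 # server dropped the connection silently
    if data[0] & 0x80:
        # SSLv2 record header; byte 2 is the SSLv2 message type.
        if len(data) >= 3 and data[2] == 0x04:
            return "sslv2-server-hello" # SSLv2 negotiated: scanner was right
        if len(data) >= 3 and data[2] == 0x00:
            return "sslv2-error"        # SSLv2 record layer present, hello refused
        return "unknown"
    if data[0] == 0x15 and data[1:2] == b"\x03":
        return "tls-alert"              # TLS-only stack rejected the hello
    if data[0] == 0x16 and data[1:2] == b"\x03":
        return "tls-handshake"          # v2-format hello accepted, but TLS chosen
    return "unknown"


# Constructed sample replies (not captured from a real server) so the
# classifier can be exercised without any network access.
SAMPLE_REPLIES = {
    "sslv2": b"\x80\x1e\x04\x00\x01\x00\x02\x00\x00\x00\x03\x00\x10"
             + b"\x01\x00\x80" + b"\x00" * 16,   # minimal SSLv2 SERVER-HELLO
    "alert": b"\x15\x03\x01\x00\x02\x02\x28",     # TLS fatal handshake_failure
    "tls": b"\x16\x03\x03\x00\x31\x02\x00\x00\x2d\x03\x03",  # TLS ServerHello start
    "closed": b"",
}


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Send the SSLv2 hello to host:port (your own server) and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            data = sock.recv(1024)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(probe(sys.argv[1], int(sys.argv[2])))
    else:
        # Offline demonstration on the constructed samples.
        for name, reply in SAMPLE_REPLIES.items():
            print(f"{name:7s} -> {classify_response(reply)}")
```

Only `sslv2-server-hello` means the listener genuinely negotiates SSLv2; `tls-alert`, `tls-handshake` or `closed` is the behaviour of a TLS-only stack and supports Mark's false-positive reading. Run it against every listener (SMTP, IMAP, POP, HTTP) that presents the same certificate, since, as Jeff's summary of DROWN notes, the weakness comes from the key being shared across an SSLv2 endpoint and the TLS endpoints.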
