On Wed, Mar 02, 2016 at 07:10:43PM +0000, Scott Neugroschl wrote:

> From the linked document:
>
> "All client sessions are vulnerable if the target server still supports
> SSLv2 today, irrespective of whether the client ever supported it"

The SSLv2 protocol need only be used between the attacker and the
vulnerable server. The client can use any SSL/TLS protocol, provided
that RSA key transport was used for key agreement and not DHE or ECDHE.
With servers not patched since 19/Mar/2015, an MiTM attacker may be able
to perform a real-time downgrade to RSA key exchange.

> I'm trying to understand this. I am using a custom build of OpenSSL as
> a client, which was configured no-ssl2 and no-ssl3. My code is
> client-only. So I am still vulnerable to this if my customer's server is
> not up to date?

Yes. Sessions with vulnerable servers are vulnerable, unless the client
never uses RSA key transport.

If you have a dedicated application that is sure to only communicate
with servers that can do forward-secret DHE/ECDHE handshakes, you can
disable RSA key transport on the client side. This is not practical for
most users.

For example, the client-side cipherstring:

    DEFAULT:!kRSA:!EXPORT:!LOW

is sufficient, if not generally practical.

--
	Viktor.
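The following is an added example, not code from the thread or from OpenSSL: it applies the cipherstring Viktor gives to a Python client context and checks, from the enabled suite list, that no suite using plain RSA key transport (Kx=RSA) remains. The function names are assumed for this illustration.

```python
import ssl

# Client-side cipherstring from the post: drop RSA key transport (kRSA),
# plus export and low-strength suites, keeping the rest of DEFAULT.
HARDENED_CIPHERS = "DEFAULT:!kRSA:!EXPORT:!LOW"


def client_context(ciphers: str) -> ssl.SSLContext:
    """Build a TLS client context restricted to an OpenSSL cipherstring."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(ciphers)  # raises ssl.SSLError if nothing matches
    return ctx


def rsa_key_transport_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites whose key exchange is plain RSA.

    These are the suites whose premaster secret is encrypted to the
    server's RSA key, i.e. the ones a DROWN-style oracle can recover.
    The description looks like 'AES256-SHA TLSv1 Kx=RSA Au=RSA ...';
    matching the whole token keeps RSA-PSK suites (Kx=RSAPSK) out.
    TLS 1.3 suites report Kx=any and are always (EC)DHE, so they are
    never listed here.
    """
    return [
        c["name"]
        for c in ctx.get_ciphers()
        if "Kx=RSA" in c["description"].split()
    ]


def is_forward_secret_only(ciphers: str) -> bool:
    """True when the cipherstring enables no RSA key transport suite."""
    return not rsa_key_transport_ciphers(client_context(ciphers))


if __name__ == "__main__":
    for cs in ("DEFAULT", HARDENED_CIPHERS):
        ctx = client_context(cs)
        bad = rsa_key_transport_ciphers(ctx)
        print(f"{cs}: {len(ctx.get_ciphers())} suites, "
              f"{len(bad)} using RSA key transport")
        for name in bad:
            print("   ", name)
```

Run it against the OpenSSL your Python links to; the DEFAULT line shows which suites would still let an unpatched server negotiate RSA key exchange with this client.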