> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf > Of Scott Neugroschl > Sent: Wednesday, March 02, 2016 14:11 > To: openssl-users at openssl.org > Subject: Re: [openssl-users] DROWN (CVE-2016-0800) > > From the linked document: > > "All client sessions are vulnerable if the target server still supports SSLv2 > today, irrespective of whether the client ever supported it" > > I'm trying to understand this. I am using a custom build of OpenSSL as a > client, which was configured no-ssl2 and no-ssl3. My code is > client-only. So I am still vulnerable to this if my customer's server is not up to > date? *You* are not vulnerable. The *server* may be vulnerable. Sessions between your client and a vulnerable server are vulnerable. DROWN is an attack on servers that use RSA keys and support SSLv2. The client cannot prevent this attack - it has to be mitigated at the server end. -- Michael Wojcik Technology Specialist, Micro Focus
