From the linked document: "All client sessions are vulnerable if the target server still supports SSLv2 today, irrespective of whether the client ever supported it"

I'm trying to understand this. I am using a custom build of OpenSSL as a client, which was configured no-ssl2 and no-ssl3. My code is client-only. So I am still vulnerable to this if my customer's server is not up to date?

-----Original Message-----
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Salz, Rich
Sent: Wednesday, March 02, 2016 10:22 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] DROWN (CVE-2016-0800)

Other implementations MAY be susceptible. It's a protocol flaw. The fix is to completely remove SSLv2.

See the blog post: https://www.openssl.org/blog/blog/2016/03/01/an-openssl-users-guide-to-drown/

--
Senior Architect, Akamai Technologies
IM: richs...@jabber.at Twitter: RichSalz

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
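The exchange above turns on whether the server still answers an SSLv2 ClientHello at all; a client built with no-ssl2 does not change that, so the thing to verify is the server. As an added example that is not part of the original thread or of OpenSSL, the Python below implements the classification a defender's own check would apply to the first bytes a server sends back after an SSLv2-format hello: an SSLv2 ServerHello (2-byte record header with the top bit set, message type 4) means the server still speaks SSLv2, while a TLS alert or handshake record means it refused or switched to TLS. The record layout and the cipher-kind codes are those of the SSLv2 specification; the sample reply is constructed here, not captured traffic, and the certificate bytes in it are a placeholder.

```python
import struct

# SSLv2 cipher-kind codes (3-byte values) as defined in the SSLv2 specification.
SSLV2_CIPHER_NAMES = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}

SSLV2_MT_SERVER_HELLO = 4   # SSLv2 message type of a ServerHello
TLS_RECORD_ALERT = 0x15     # TLS record content type: alert
TLS_RECORD_HANDSHAKE = 0x16 # TLS record content type: handshake


def classify_server_reply(data: bytes) -> dict:
    """Classify the first bytes a server returned after an SSLv2-format ClientHello.

    'sslv2' is True only when the reply is a well-formed SSLv2 ServerHello,
    i.e. the server still speaks SSLv2 (the DROWN precondition). Otherwise a
    short reason explains what was seen instead.
    """
    if len(data) < 2:
        return {"sslv2": False, "reason": "connection closed or empty reply"}

    # SSLv2 records: 2-byte header, top bit set, low 15 bits = body length.
    if data[0] & 0x80:
        length = struct.unpack(">H", data[:2])[0] & 0x7FFF
        body = data[2:2 + length]
        if len(body) < 11 or body[0] != SSLV2_MT_SERVER_HELLO:
            return {"sslv2": False, "reason": "2-byte record header but not an SSLv2 ServerHello"}
        # ServerHello fixed part: type, session-id-hit, cert type, version,
        # certificate length, cipher-specs length, connection-id length.
        (_mt, _session_hit, cert_type, version,
         cert_len, cipher_len, conn_id_len) = struct.unpack(">BBBHHHH", body[:11])
        if len(body) < 11 + cert_len + cipher_len + conn_id_len:
            return {"sslv2": False, "reason": "truncated SSLv2 ServerHello"}
        cipher_bytes = body[11 + cert_len:11 + cert_len + cipher_len]
        ciphers = [
            SSLV2_CIPHER_NAMES.get(cipher_bytes[i:i + 3], "unknown:" + cipher_bytes[i:i + 3].hex())
            for i in range(0, len(cipher_bytes), 3)
        ]
        return {
            "sslv2": True,
            "version": version,
            "certificate_type": cert_type,
            "certificate_len": cert_len,
            "ciphers": ciphers,
        }

    # A server with SSLv2 removed typically answers with a TLS alert or just closes.
    if data[0] == TLS_RECORD_ALERT:
        return {"sslv2": False, "reason": "TLS alert record: server refused the SSLv2 hello"}
    if data[0] == TLS_RECORD_HANDSHAKE:
        return {"sslv2": False, "reason": "TLS handshake record: server negotiated TLS, not SSLv2"}
    return {"sslv2": False, "reason": "unrecognised reply"}


def build_sample_sslv2_server_hello(cipher_kinds) -> bytes:
    """Constructed sample reply (not captured traffic): what an SSLv2-speaking server sends."""
    certificate = b"\x30\x03\x02\x01\x01"  # placeholder DER bytes, not a real certificate
    cipher_specs = b"".join(cipher_kinds)
    connection_id = bytes(16)
    body = struct.pack(
        ">BBBHHHH",
        SSLV2_MT_SERVER_HELLO,
        0,        # session-id-hit: no
        1,        # certificate type: X.509
        0x0002,   # server version: SSLv2
        len(certificate), len(cipher_specs), len(connection_id),
    ) + certificate + cipher_specs + connection_id
    return struct.pack(">H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    still_sslv2 = build_sample_sslv2_server_hello([b"\x01\x00\x80", b"\x07\x00\xc0"])
    print(classify_server_reply(still_sslv2))
    # Constructed TLS alert record (handshake_failure), the usual answer from a fixed server.
    print(classify_server_reply(b"\x15\x03\x01\x00\x02\x02\x28"))
```

The function only interprets a reply; it does not open connections. In an audit of your own servers, feed it the first record returned by whatever SSLv2 check your scanner already performs, and treat any result with `"sslv2": True` as a server that must have SSLv2 disabled, exactly as the reply above says.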