OpenSSL Information for VU#583776
Network traffic encrypted using RSA-based SSL certificates over SSLv2 may be decrypted by the DROWN attack
- Date Notified:
- Statement Date:
- Date Updated: 02 Mar 2016
No statement is currently available from the vendor regarding this vulnerability.
OpenSSL 1.0.2g and 1.0.1s have been released to address this vulnerability. Please see OpenSSL's security advisory at the URL below.
A third-party tool, testssl.sh (http://testssl.sh/), is available to check for security issues, including this one.
Another option for network administrators to determine if a server supports SSLv2 is to use the following command:
openssl s_client -connect host:443 -ssl2
If certificate information is returned, then SSLv2 is supported. It has been reported that this command may not work on Ubuntu or Debian systems.
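The same check can be made without depending on whether the local openssl binary accepts -ssl2. The Python below is an added example, not part of the original advisory or of OpenSSL: it sends a raw SSLv2 CLIENT-HELLO and reports whether a SERVER-HELLO carrying a certificate comes back. The function names and the constructed sample reply are illustrative assumptions.

```python
import socket
import struct

# SSLv2 cipher kinds (3 bytes each) offered in the probe.
SSLV2_CIPHERS = [0x010080, 0x020080, 0x030080, 0x040080,
                 0x050080, 0x060040, 0x0700C0]
MT_CLIENT_HELLO, MT_SERVER_HELLO = 1, 4


def build_client_hello(challenge=b"\x00" * 16):
    """Return a complete SSLv2 CLIENT-HELLO record (no session id)."""
    specs = b"".join(c.to_bytes(3, "big") for c in SSLV2_CIPHERS)
    body = struct.pack(">BHHHH", MT_CLIENT_HELLO, 0x0002,
                       len(specs), 0, len(challenge)) + specs + challenge
    # 2-byte record header: high bit set, low 15 bits = body length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_hello(data):
    """Return (sslv2_supported, cert_len, cipher_count) for a reply."""
    if len(data) < 13 or not data[0] & 0x80:
        return (False, 0, 0)   # closed, TLS alert, or not an SSLv2 hello
    mtype, _hit, _ctype, version, cert_len, spec_len, _cid_len = \
        struct.unpack(">BBBHHHH", data[2:13])
    if mtype != MT_SERVER_HELLO or version != 0x0002:
        return (False, 0, 0)   # SSLv2 error message or unexpected version
    return (cert_len > 0, cert_len, spec_len // 3)


def probe_sslv2(host, port=443, timeout=5.0):
    """Send the probe to host:port; connection failures raise OSError."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            s.sendall(build_client_hello())
            data = s.recv(4096)
        except (ConnectionError, socket.timeout):
            data = b""         # server dropped or ignored the SSLv2 hello
    return parse_server_hello(data)


if __name__ == "__main__":
    # Constructed SERVER-HELLO: 4-byte dummy certificate, 2 cipher kinds.
    body = struct.pack(">BBBHHHH", 4, 0, 1, 2, 4, 6, 16)
    body += b"CERT" + bytes.fromhex("0100800700c0") + b"\x11" * 16
    sample = struct.pack(">H", 0x8000 | len(body)) + body
    print(parse_server_hello(sample))
```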
There are no additional comments at this time.