Drown vulnerability

General discussions and other topics.

4 posts Page 1 of 1

Drown vulnerability

by anatola2 » Thu Mar 03, 2016 3:04 pm

I use a Listman forum and according to one test, it is vulnerable to Drown.

https://test.drownattack.com/?site=sonic.net

anatola2

Posts: 28

Joined: Tue Jul 19, 2011 3:22 pm

by Guest » Thu Mar 03, 2016 4:57 pm

More importantly, ovpn.sonic.net is also allowing SSLv2. I actually migrated from beta to production and specifically told the VPN Connect client to use TLS1.2 but it failed as it wanted a lower version. Changing TLS (Default) made it work.

Guest

by kgc » Fri Mar 04, 2016 1:32 pm

None of our services should be affected since we've already patched all (potentially) affected systems. In most cases our cipher suite selection prevented the attack in the first place.

I'll double check to make sure that our OpenVPN services are not affected but I don't believe they are.

kgc

Posts: 1210

Joined: Tue Apr 05, 2011 10:34 am

Website: https://sonic.com

Kelsey Cummings
System Architect, Sonic.net, Inc.

by anatola2 » Fri Mar 04, 2016 3:23 pm

Thank you, Kelsey. The drownattack site above now gives our list server a green "appears fixed".

anatola2

Posts: 28

Joined: Tue Jul 19, 2011 3:22 pm

Post a reply