Reply to post:

One-third of all HTTPS websites open to DROWN attack

Alan W. Rateliff, II
Paris Hilton

I found a few daemons in regular upkeep which do not, by normal configuration, allow you to disable protocols. You can disable the ciphers but not the protocols. So what happens is the SSLv2 handshake is permitted, thus trading certificate information, but then there are no ciphers which can be negotiated so the connection "fails." At this point the damage has been done.
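As an added illustration (not part of the original comment, and not any daemon's own code), this Python code parses a server's reply to an SSLv2 CLIENT-HELLO and separates the case described above, a SERVER-HELLO carrying a certificate but an empty cipher list, from a reply that never accepts SSLv2. The function names, state labels and sample bytes are constructed for this example; the SERVER-HELLO field layout follows the SSLv2 specification.

```python
import struct

SSL2_MT_SERVER_HELLO = 4      # SSLv2 message type for SERVER-HELLO
SSL2_VERSION = 0x0002

def classify_sslv2_reply(data: bytes) -> dict:
    """Classify the first record a server returns to an SSLv2 CLIENT-HELLO."""
    # SSLv2 two-byte record header: high bit set, low 15 bits = body length.
    # TLS record content types are all below 0x80, so the high bit is clear.
    if len(data) < 2 or not data[0] & 0x80:
        return {"state": "not_server_hello"}
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) < 11 or len(body) != length or body[0] != SSL2_MT_SERVER_HELLO:
        return {"state": "not_server_hello"}
    # Fixed fields: session-id-hit, cert type, version, then three lengths.
    _hit, _ctype, version, cert_len, spec_len, conn_len = struct.unpack(
        ">BBHHHH", body[1:11])
    if version != SSL2_VERSION or 11 + cert_len + spec_len + conn_len != length:
        return {"state": "malformed"}
    # Cipher specs follow the certificate; each spec is three bytes.
    specs = body[11 + cert_len:11 + cert_len + spec_len]
    ciphers = [specs[i:i + 3].hex() for i in range(0, spec_len, 3)]
    state = "sslv2_accepted_with_ciphers" if ciphers else "sslv2_accepted_no_ciphers"
    return {"state": state, "cert_bytes": cert_len, "ciphers": ciphers}

def build_server_hello(cert: bytes, specs: bytes, conn_id: bytes) -> bytes:
    """Build a constructed SERVER-HELLO record for the samples below."""
    body = struct.pack(">BBBHHHH", SSL2_MT_SERVER_HELLO, 0, 1, SSL2_VERSION,
                       len(cert), len(specs), len(conn_id)) + cert + specs + conn_id
    return struct.pack(">H", 0x8000 | len(body)) + body

# Constructed sample replies (placeholder bytes, not captured traffic).
FAKE_CERT = b"\x30\x82\x00\x00"
NO_CIPHERS = build_server_hello(FAKE_CERT, b"", b"\x00" * 16)
WITH_CIPHER = build_server_hello(FAKE_CERT, b"\x07\x00\xc0", b"\x00" * 16)
TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"

if __name__ == "__main__":
    samples = [("no ciphers", NO_CIPHERS), ("one cipher", WITH_CIPHER),
               ("TLS alert", TLS_ALERT)]
    for name, raw in samples:
        print(name, classify_sslv2_reply(raw))
```

An audit that only inspects the negotiated cipher list would pass the `sslv2_accepted_no_ciphers` case; checking for the SERVER-HELLO itself catches it.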


Biting the hand that feeds IT © 1998–2021