On Fri, Apr 01, 2016 at 07:21:13PM +0200, Hubert Kario wrote: > So, while it doesn't look like it is vulnerable to DROWN, it doesn't > instill a lot of confidence in me...
Thanks for the review. FWIW, this is an ancient version of webmin (1.300), using perl v5.10.1, employing Net::SSLeay as packaged by CentOS 6.7 (perl-Net-SSLeay-1.35-9.el6.x86_64), in turn linked against openssl-1.0.1e-42.el6_7.4.x86_64. Under the hood, we're using these config options: ssl_cipher_list=ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM ssl_ctx_options=OP_NO_SSLv2 OP_NO_SSLv3 I'm happy with your assessment, as-is, but if there's some more directed exploration you'd like me to do, please let me know. > -- > Regards, > Hubert Kario > Senior Quality Engineer, QE BaseOS Security team > Web: www.cz.redhat.com > Red Hat Czech s.r.o., Purky??ova 99/71, 612 45, Brno, Czech Republic -- Brian Reichert <[email protected]> BSD admin/developer at large -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
