On Friday 01 April 2016 16:47:57 Brian Reichert wrote:
> On Fri, Apr 01, 2016 at 07:21:13PM +0200, Hubert Kario wrote:
> > So, while it doesn't look like it is vulnerable to DROWN, it doesn't
> > instill a lot of confidence in me...
>
> Thanks for the review.
>
> FWIW, this is an ancient version of webmin (1.300), using perl
> v5.10.1, employing Net::SSLeay as packaged by CentOS 6.7
> (perl-Net-SSLeay-1.35-9.el6.x86_64), in turn linked against
> openssl-1.0.1e-42.el6_7.4.x86_64.
>
> Under the hood, we're using these config options:
>
> ssl_cipher_list=ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
> ssl_ctx_options=OP_NO_SSLv2 OP_NO_SSLv3
>
> I'm happy with your assessment, as-is, but if there's some more
> directed exploration you'd like me to do, please let me know.

If you could prepare a minimal perl script that reproduces that behaviour
that would be ideal - I'm not fluent in Perl and I'm not familiar with
NET::SSLeay but I'd like to exclude a bug in them.

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
