  1. We generated the CSR and private key.
  2. Installed the SSL cert and was graded F, as our server was prone to the DROWN attack. Somehow the private key was the same as another key of an existing server that has SSLv2.

We generated another CSR with another private key, got the new cert and still face the same issue.

What is causing the problem?

  • Who is doing this grading -- SSLLabs? I don't think they compare to any other server, and only look at yours. Note if you tried to configure this using only cipher settings in OpenSSL not protocols directly there was a bug that _did_ enable SSLv2 when it shouldn't, see https://blog.qualys.com/securitylabs/2016/03/04/ssl-labs-drown-test-implementation-details and https://www.openssl.org/news/secadv/20160301.txt – dave_thompson_085 Feb 16 '17 at 10:30
  • We are using GlobalSign OrganizationSSL. The grading is done by GlobalSign: we key in our domain name in the URL provided by GlobalSign – Serai Feb 16 '17 at 11:08
  • I haven't used any GlobalSign test; can you point me to documentation? – dave_thompson_085 Feb 17 '17 at 04:32
  • https://globalsign.ssllabs.com/analyze.html – Serai Feb 19 '17 at 13:17
  • Okay, that's actually SSLLabs just with a GlobalSign logo tacked on. On rereading more carefully I see SSLLabs _does_ use Censys data to (try to) find other servers; can you add to your Q exactly what the report says in the DROWN entry? – dave_thompson_085 Feb 21 '17 at 08:36
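The cross-server form of DROWN discussed above hinges on one RSA key pair being used by more than one certificate or host, so the first thing to verify is whether the new key really is unique. This added example (not from the question or the comments) fingerprints the SubjectPublicKeyInfo of PEM certificates so they can be compared for key reuse; it assumes the `openssl` CLI is installed and constructs its own throwaway certificates.

```shell
#!/bin/sh
# Added example: detect certificates that share a public key.
# Assumes the openssl command-line tool; sample certs are constructed locally.
set -eu

# Print the SHA-256 of the DER-encoded SubjectPublicKeyInfo of a PEM certificate.
# Two certificates with the same value are backed by the same key pair,
# whatever their subject, issuer, serial or validity period.
spki_sha256() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r \
        | cut -d' ' -f1
}

# Exit status 0 if the two certificates carry the same public key, 1 otherwise.
same_key() {
    [ "$(spki_sha256 "$1")" = "$(spki_sha256 "$2")" ]
}

# Constructed sample data: key A behind two different certificates, key B behind a third.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/key_a.pem" \
    -out "$WORK/cert_a.pem" -subj "/CN=www.example.test" -days 1 2>/dev/null
openssl req -x509 -new -key "$WORK/key_a.pem" \
    -out "$WORK/cert_a2.pem" -subj "/CN=mail.example.test" -days 1 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/key_b.pem" \
    -out "$WORK/cert_b.pem" -subj "/CN=www.example.test" -days 1 2>/dev/null

# A DROWN finding like the one in the question corresponds to the first case:
# the key behind cert_a is also served elsewhere, so both hosts stand or fall together.
if same_key "$WORK/cert_a.pem" "$WORK/cert_a2.pem"; then
    echo "cert_a and cert_a2 share a key: exposed together if either host speaks SSLv2"
fi
if ! same_key "$WORK/cert_a.pem" "$WORK/cert_b.pem"; then
    echo "cert_a and cert_b use different keys"
fi
```

To check a live host instead of a file, feed `openssl s_client -connect host:443 </dev/null 2>/dev/null | openssl x509` into `spki_sha256` and compare the result against the fingerprint reported for the other server.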
