A new flaw has been found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker could theoretically exploit this vulnerability to bypass RSA encryption, even when connecting via a newer protocol version, if the server also supports the older SSLv2 standard.
As a result of several similar but unrelated vulnerabilities, including POODLE, most server administrators already have removed support for SSLv2 and other weak ciphers. For instance, cPanel removed SSLv2 support on core services by default beginning with version 11.44 in 2014.
Servers running older, End-of-Life operating systems may still support SSLv2.
Test: Does Your Server Support SSLv2?
To test whether your web server supports SSLv2, you can run this command from a terminal on a Linux or Mac OS X, substituting your domain name for the example below:
openssl s_client -connect www.yourdomainname.com:443 -ssl2
If the server is not vulnerable, the output of that command should include “ssl handshake failed” as seen in the example below. Note that your output will be different, but as long as you see ssl handshake failed somewhere in the output, you’re protected:
[root@host]# openssl s_client -connect www.yourdomainname.com:443 -ssl2
95090:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s2_pkt.c:427:
You can test SSLv2 support on other services by substituting the secure http port (443 in the command above), with the appropriate port for the service you’re testing (note that these are the default ports; if you’ve changed the port a service runs on, you’ll want to use that value):
- WHM: 2087
- cPanel: 2083
- Secure SMTP (Exim): 465
- Secure IMAP: 993
- Secure POP3: 995
- Secure Webmail: 2096
- Secure WebDisk: 2078
If you’re using a different operating system or are otherwise unable to check the server directly, you also may visit a test site such as drownattack.com and enter your site’s URL into the test field.