Bug 368929 - SSL certificate *.kde.org is vulnerable to DROWN attack
Summary: SSL certificate *.kde.org is vulnerable to DROWN attack
Status: RESOLVED FIXED
Alias: None
Product: www.kde.org
Classification: Websites
Component: general
Version: unspecified
Platform: unspecified All
Importance: NOR normal
Target Milestone: ---
Assignee: kde-www mailing-list
URL: https://www.ssllabs.com/ssltest/analy...
Keywords:
Depends on:
Blocks:
Reported: 2016-09-16 21:51 UTC by Thomas Bettler
Modified: 2016-10-17 09:28 UTC (History)

See Also:
Latest Commit:
Version Fixed In:


Attachments

Description Thomas Bettler 2016-09-16 21:51:02 UTC
According to https://test.drownattack.com/?site=212.110.188.12 developer.kde.org provides mail services via SSLv2 using the same SSL certificate as kde.org does.

These servers reusing the same RSA keys render the SSL encryption vulnerable to the DROWN attack. https://drownattack.com/drown-attack-paper.pdf

Reproducible: Always


Actual Results:  
see https://www.ssllabs.com/ssltest/analyze.html?d=kde.org&s=91.189.93.5#drownTable

Expected Results:  
no vulnerability
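The exposure condition the report describes (a key served by an SSLv2 mail listener also protects TLS on another host), modelled as an inventory check. This is an added example, not code from the reporter or from KDE sysadmin; the fingerprints, protocol sets and the third host are constructed placeholders.

```python
# Added example: models the DROWN exposure condition from the report above.
# Key fingerprints and protocol lists are CONSTRUCTED, not values observed
# on the KDE hosts.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int
    service: str          # e.g. "https", "smtps"
    key_fingerprint: str  # digest of the certificate's public key (constructed)
    protocols: frozenset  # versions the listener will negotiate

def drown_exposure(endpoints):
    """Map each exposed endpoint to the SSLv2 listener that acts as its oracle.

    DROWN is cross-protocol: an SSLv2 listener can serve as a decryption
    oracle against TLS sessions on *any* endpoint using the same RSA key, so
    exposure is a property of the key, not of the individual server.
    """
    by_key = defaultdict(list)
    for ep in endpoints:
        by_key[ep.key_fingerprint].append(ep)
    exposed = {}
    for eps in by_key.values():
        oracles = [ep for ep in eps if "SSLv2" in ep.protocols]
        if oracles:
            for ep in eps:
                exposed[ep] = oracles[0]
    return exposed

def remediation(endpoints):
    """Listeners where SSLv2 must be disabled to clear every exposed key."""
    return sorted(set(drown_exposure(endpoints).values()),
                  key=lambda e: (e.host, e.port))

# Constructed inventory mirroring the report: HTTPS on kde.org is TLS-only,
# but the mail listener shares its key and still speaks SSLv2.
INVENTORY = [
    Endpoint("kde.org", 443, "https", "KEY-A", frozenset({"TLSv1.2"})),
    Endpoint("developer.kde.org", 465, "smtps", "KEY-A",
             frozenset({"SSLv2", "TLSv1.0"})),
    Endpoint("example.org", 443, "https", "KEY-B", frozenset({"TLSv1.2"})),
]

if __name__ == "__main__":
    for ep, oracle in drown_exposure(INVENTORY).items():
        print(f"{ep.service}://{ep.host}:{ep.port} exposed via "
              f"{oracle.host}:{oracle.port} (SSLv2)")
```

Replacing the certificate, as Comment 2 describes, only clears the finding if the new key is not also presented by a listener that still negotiates SSLv2.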
Comment 1 Albert Astals Cid 2016-09-28 18:20:18 UTC
I guess you should use http://sysadmin.kde.org/tickets/ so that the system administrators actually see this. I'll add some people here just in case though.
Comment 2 Ben Cooksley 2016-10-17 09:28:26 UTC
We're in the process of replacing this certificate now, so I consider this issue resolved (or soon to be resolved).