How to Fix DROWN Vulnerability in Apache/NGINX Web server and SMTP?

Updated on September 2, 2017

Here’s a recent vulnerability called DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), which targets servers that still support the weak SSL version 2.0 (SSLv2) protocol for HTTPS, SMTP, IMAP, POP, etc. Basically, any service that uses SSL/TLS and still accepts SSLv2 can be vulnerable. DROWN allows an attacker to decrypt communication (by obtaining the private key) encrypted using an RSA-based SSL certificate, if enough SSLv2 handshake data can be collected. DROWN directly affects servers using the weak SSLv2 protocol; however, it requires approximately 1000 SSL handshakes to be intercepted.

How to test your server against DROWN vulnerability?

Use this link to test your server against the DROWN vulnerability.

It is a web interface where you can type in your website address and click the “Check for DROWN vulnerability” button.


How to Fix DROWN vulnerability in Apache and Nginx web servers?

In Apache:

$ sudo vim /etc/httpd/conf/httpd.conf

(or)

$ sudo vim /etc/httpd/conf.d/ssl.conf

and add -SSLv2 and -SSLv3 to the SSLProtocol directive as shown below:

SSLProtocol all -SSLv2 -SSLv3

Note: The above setting disables both SSLv2 and SSLv3. Although SSLv3 is not vulnerable to the DROWN attack, it’s highly recommended to disable SSLv3 as well, since it’s vulnerable to other kinds of attacks.

Restart the web server:

$ sudo /etc/init.d/httpd restart

In Nginx:

$ sudo vim /etc/nginx/nginx.conf

Look for the line below:

ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;

and remove SSLv2 and SSLv3, as shown below:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Restart the Nginx service.

How to Fix DROWN vulnerability in SMTP – Postfix?

$ sudo vim /etc/postfix/master.cf

and set the following lines. Here, the (!) prefix excludes the SSLv2 and SSLv3 protocols.

smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3

Note: Remember to make this change in every service that uses SSL.
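Since the same change has to be made in several services, it helps to audit all of them in one pass. The script below is an added example for this article, not code from the article's author or from the Apache, Nginx or Postfix projects. It parses the three directive syntaxes shown above (Apache `SSLProtocol`, Nginx `ssl_protocols`, and the Postfix `*_tls_protocols` parameters) and reports any directive that still admits SSLv2 or SSLv3. The configuration lines it checks are constructed for the demonstration. Two assumptions are made: Apache's `all` keyword is treated conservatively as every protocol version OpenSSL can negotiate (newer Apache and OpenSSL builds may already exclude SSLv2 from `all`, which only makes this check stricter), and the Postfix parameters are treated as main.cf-style `name = value` settings (they are main.cf parameters, which can also be set per service in master.cf with `-o` overrides).

```python
"""Audit Apache, Nginx and Postfix TLS protocol settings for SSLv2/SSLv3.

Added example for this article (not the author's or the projects' code).
Sample configuration text below is constructed for the demonstration.
"""
import re

# Assumption: Apache's "all" keyword expands to every version in this set.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# Versions that must not be negotiable: SSLv2 (DROWN) and SSLv3 (POODLE etc.).
LEGACY = {"SSLv2", "SSLv3"}


def apache_protocols(line):
    """Apache: 'SSLProtocol all -SSLv2 -SSLv3' or an explicit '+TLSv1.2' list."""
    enabled = set()
    for tok in line.split()[1:]:
        if tok.lower() == "all":
            enabled |= ALL_PROTOCOLS
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        elif tok.startswith("+"):
            enabled.add(tok[1:])
        else:
            enabled.add(tok)
    return enabled


def nginx_protocols(line):
    """Nginx: 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;' lists what is enabled."""
    return set(line.rstrip(";").split()[1:])


def postfix_protocols(line):
    """Postfix: '!SSLv2,!SSLv3' excludes from the full set; a bare list enables.

    Postfix documents the two forms as alternatives, so a list containing any
    un-negated name is treated as an inclusive list.
    """
    _, _, value = line.partition("=")
    items = [v.strip() for v in value.split(",") if v.strip()]
    included = {v for v in items if not v.startswith("!")}
    if included:
        return included
    excluded = {v[1:] for v in items if v.startswith("!")}
    return ALL_PROTOCOLS - excluded


DIRECTIVES = {
    "SSLProtocol": apache_protocols,
    "ssl_protocols": nginx_protocols,
    "smtpd_tls_protocols": postfix_protocols,
    "smtpd_tls_mandatory_protocols": postfix_protocols,
    "smtp_tls_protocols": postfix_protocols,
    "smtp_tls_mandatory_protocols": postfix_protocols,
}


def audit(config_text):
    """Return [(line_no, directive, [legacy versions still enabled]), ...]."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        name = re.match(r"[A-Za-z_]+", line)
        parser = DIRECTIVES.get(name.group(0)) if name else None
        if parser is None:
            continue
        weak = parser(line) & LEGACY
        if weak:
            findings.append((no, name.group(0), sorted(weak)))
    return findings


# Constructed "before" and "after" snippets for each service in the article.
SAMPLE_CONFIGS = {
    "apache before": "SSLProtocol all -SSLv3\n",
    "apache after": "SSLProtocol all -SSLv2 -SSLv3\n",
    "nginx before": "    ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n",
    "nginx after": "    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n",
    "postfix before": "smtpd_tls_protocols = !SSLv3\n",
    "postfix after": "smtpd_tls_protocols=!SSLv2,!SSLv3\nsmtp_tls_protocols=!SSLv2,!SSLv3\n",
}


def run_demo():
    """Audit every sample and return {name: findings}."""
    return {name: audit(text) for name, text in SAMPLE_CONFIGS.items()}


if __name__ == "__main__":
    for name, findings in run_demo().items():
        status = "OK" if not findings else "WEAK " + str(findings)
        print(f"{name:15s} {status}")
```

Run it against real files by passing their contents to `audit()`; a non-empty result for a service means that service still needs the change described above.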

Also update OpenSSL to the latest version:

# yum update openssl*
