The DROWN Attack

Apache Settings - The DROWN Attack

We have not yet established contact with the Apache developers, and therefore cannot determine with confidence the effect of the following settings and/or advice. These only reflect our limited understanding.

Apache HTTP Server users: If you use an Apache HTTP server with keys that you don't share with any other services, and that server runs Apache httpd 2.4.x, you are not affected (because httpd 2.4 unconditionally disabled SSLv2). If the server runs Apache httpd 2.2.x, SSLv2 is supported by default, and you are likely to be vulnerable. You should ensure that your configuration disables SSLv2 (and preferably, SSLv3 too):

        SSLProtocol All -SSLv2 -SSLv3
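
As an added example (not part of the original page and not Apache code), the following Python script audits configuration text for `SSLProtocol` directives that still leave SSLv2 or SSLv3 enabled on httpd 2.2.x, including the case where the directive is missing and the default applies. It assumes tokens are evaluated left to right, that a token without a `+`/`-` prefix replaces whatever was selected before it, and that `All` on 2.2.x includes SSLv2; the function names and the sample configuration are constructed for illustration.

```python
import re

# Assumption: what "All" expands to on httpd 2.2.x, where the page says
# SSLv2 is supported by default. Modeled for this example only.
ALL_22 = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
WEAK = {"SSLv2", "SSLv3"}
EXPAND = {"all": ALL_22, **{p.lower(): {p} for p in ALL_22}}
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.*?)\s*$", re.IGNORECASE)

SAMPLE = """\
# constructed sample configuration, not taken from a real server
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLProtocol all -SSLv3
SSLProtocol -SSLv2 All
"""

def effective_protocols(args):
    """Evaluate one SSLProtocol argument list left to right."""
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else ""
        selected = EXPAND.get(token[len(action):].lower())
        if selected is None:
            raise ValueError(f"unknown protocol token: {token!r}")
        if action == "-":
            enabled -= selected
        elif action == "+":
            enabled |= selected
        else:
            enabled = set(selected)  # a bare token replaces earlier ones
    return enabled

def audit(config_text):
    """Return (line_number, directive, weak_protocols) per SSLProtocol line."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        match = DIRECTIVE.match(line)  # commented-out lines do not match
        if match:
            weak = sorted(effective_protocols(match.group(1)) & WEAK)
            findings.append((lineno, line.strip(), weak))
    if not findings:  # no directive at all: the 2.2.x default applies
        findings.append((0, "<no SSLProtocol directive>", sorted(ALL_22 & WEAK)))
    return findings

if __name__ == "__main__":
    for lineno, directive, weak in audit(SAMPLE):
        print(f"line {lineno}: {directive} -> {'WEAK: ' + ', '.join(weak) if weak else 'ok'}")
```

The third sample directive shows why token order matters in this model: placing `-SSLv2` before a bare `All` leaves SSLv2 enabled. The script reads one block of text only, so `Include`d files and per-virtual-host overrides need to be checked separately.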