
Wrong DROWN test is bringing our complete network into discredit :(

Question asked by Jimmy Koerting on May 6, 2017
Latest reply on Aug 8, 2017 by Jimmy Koerting

We are an ISP in Germany and, as your SSL Labs server check is great in general, many customers check their servers with us using your online tool.

The problem is that the DROWN check is wrong, but grades all tests down to F.

The problem in your DROWN test is that it takes all servers with the same hostname into account. We have thousands of servers, all using a CNAME under one hostname. But only a handful of very, very old systems share the same key with SSLv2. More than 99.9% don't do that (neither sharing the key nor offering SSLv2 at all), but are rated the same, wrong way.

As this is bringing nearly all of our servers into undeserved discredit, we ask you to change the way the check is done, as a complete downgrade to F is a really hard way to judge based on a wrong test.

In the end, you provide a great service that is well known for its accuracy. So that way of testing and judging is absolutely fitting into this scheme.

Many thanks in advance
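To make the scoping dispute concrete, here is an added illustration (not from the poster or from SSL Labs) of the two ways a DROWN result can be attributed across a fleet behind one CNAME: by shared RSA key, which is what the DROWN cross-protocol attack actually requires, versus by shared hostname, which is the over-broad grouping the post describes. The inventory, hostnames and SPKI bytes are constructed; real key identifiers would be SHA-256 over the certificate's DER SubjectPublicKeyInfo.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    host: str        # the name the customer actually tests
    cname: str       # the shared CNAME target all hosts resolve to (assumed layout)
    spki_der: bytes  # DER SubjectPublicKeyInfo of the server key (constructed here)
    sslv2: bool      # whether this endpoint still completes SSLv2 handshakes


def key_id(spki_der: bytes) -> str:
    """Stable identifier for a public key: SHA-256 over its SPKI encoding."""
    return hashlib.sha256(spki_der).hexdigest()[:16]


def drown_exposed(endpoints):
    """Key-based scoping: an endpoint is DROWN-affected only if some endpoint
    (possibly itself) that presents the SAME public key still speaks SSLv2."""
    sslv2_keys = {key_id(e.spki_der) for e in endpoints if e.sslv2}
    return sorted(e.host for e in endpoints if key_id(e.spki_der) in sslv2_keys)


def hostname_grouped(endpoints):
    """Name-based scoping as described in the post: any endpoint sharing a CNAME
    with an SSLv2-enabled endpoint is flagged, regardless of which key it uses."""
    sslv2_cnames = {e.cname for e in endpoints if e.sslv2}
    return sorted(e.host for e in endpoints if e.cname in sslv2_cnames)


# Constructed sample inventory: one legacy box with SSLv2, one host that
# genuinely shares its key, and two hosts with their own keys.
KEY_A, KEY_B, KEY_C = b"constructed-spki-A", b"constructed-spki-B", b"constructed-spki-C"
INVENTORY = [
    Endpoint("legacy1.example.net", "web.isp.example", KEY_A, sslv2=True),
    Endpoint("shop.example.net", "web.isp.example", KEY_A, sslv2=False),   # same key: exposed
    Endpoint("blog.example.net", "web.isp.example", KEY_B, sslv2=False),   # own key: not exposed
    Endpoint("mail.example.net", "web.isp.example", KEY_C, sslv2=False),   # own key: not exposed
]

if __name__ == "__main__":
    print("key-based scoping :", drown_exposed(INVENTORY))
    print("name-based scoping:", hostname_grouped(INVENTORY))
```

Running it shows the key-based rule flags only the two hosts that share KEY_A, while the name-based rule flags the whole CNAME group, which is the discrepancy the post is about.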