Assuming, as should be the case since the protocol has been deprecated as of 2011, that SSLv2 is not allowed in your server, apply all OpenSSL patches up to and including that of March 1st.

BTW, this is an excellent example of why state-sponsored backdoors should _never_ be introduced in software or protocols, whatever the excuse.

Please note also that the flawed (NSA infected?)[1] PKCS#1v1.5 standard is at the very core of DNSSEC,[2] the politically heavy-loaded protocol that's being used to turn the Internet into a hierarchical network.

Regards from the Far South,

Enrique

[1] Considering Dual_EC_DRBG and the whole Juniper affair, this is completely possible.
[2] See RFC 5702, section 3. Bleichenbacher's attack against PKCS#1v1.5 has been known since 1998.