SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
Unknown
Vulnerability Details
This is a DROWN-related issue that essentially circumvented the instructions on how to disable SSLv2 at the time. Its primary effect was that a lot of servers were vulnerable to DROWN even though they thought they had SSLv2 disabled.
It was reported to OpenSSL and fixed in versions 1.0.2f and 1.0.1r:
https://www.openssl.org/news/secadv/20160128.txt
And obviously the DROWN attack itself was reported to OpenSSL, as explained in this OpenSSL blog post:
https://www.openssl.org/blog/blog/2016/03/01/an-openssl-users-guide-to-drown/
Thanks!
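A defender-side check built on the two fixed releases named in this report, added here as an example; it is not part of the original report or of OpenSSL's code. It classifies the output of `openssl version` by upstream version. The function names, status strings and sample banners are assumptions made for illustration.

```python
import re

# First upstream release per branch that carries the fix, as stated in the report.
FIXED = {(1, 0, 1): "r", (1, 0, 2): "f"}

# Matches e.g. "OpenSSL 1.0.2e 3 Dec 2015" or "OpenSSL 1.0.1e-fips 11 Feb 2013".
_BANNER = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-[\w.]+)?(?:\s|$)")


def parse_openssl_version(banner):
    """Return ((major, minor, fix), patch_letters, tag) from `openssl version` output."""
    m = _BANNER.match(banner.strip())
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    return branch, m.group(4), m.group(5) or ""


def _letter_key(letters):
    # Patch letters order as "" < "a" < ... < "z" < "za" < "zb", so compare
    # by length first and then alphabetically.
    return (len(letters), letters)


def cve_2015_3197_status(banner):
    """Classify a banner as 'fixed', 'missing-fix' or 'unknown' for CVE-2015-3197."""
    branch, letters, tag = parse_openssl_version(banner)
    if branch not in FIXED:
        # The report names fixed releases only for 1.0.1 and 1.0.2.
        return "unknown"
    fixed_letters = FIXED[branch]
    if _letter_key(letters) < _letter_key(fixed_letters):
        # Upstream version predates the fix. Distribution packages can backport
        # fixes without changing the letter, so confirm against the vendor
        # changelog before treating this as final.
        return "missing-fix"
    if letters == fixed_letters and tag == "-dev":
        # A development snapshot of the fixed release may predate the patch.
        return "unknown"
    return "fixed"


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    for sample in ("OpenSSL 1.0.2e 3 Dec 2015", "OpenSSL 1.0.1r 28 Jan 2016",
                   "OpenSSL 1.0.1e-fips 11 Feb 2013", "OpenSSL 1.1.0 25 Aug 2016"):
        print(sample, "->", cve_2015_3197_status(sample))
```

The result only says whether the library carries this fix; whether SSLv2 is actually reachable on a given service still has to be verified against the service itself.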
Report Stats
- Report ID: 166634
- State: Closed
- Substate: resolved
- Upvotes: 7