I have tested a few UCS with the standard self-produced cert using:
openssl s_client -connect your.UCS.TLD:443 -cipher EXPORT
And it seems like the “RSA-to-EXPORT_RSA downgrade” is possible even with the latest UCS PL 4.0-1. I know the impact is limited, given the complexity needed for a successful attack. Still, I think the “EXPORT”-grade keys should be disabled ASAP.
Is this possible with a simple patch for UCS, or do we have to re-issue the certificate?
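
One way to interpret the output of the test command in the post above, as an added example that is not part of the original post: it separates a server that negotiated an EXPORT suite from one that refused, and from a local OpenSSL build that has no EXPORT suites to offer. The function names, verdict words and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Classify the text printed by: openssl s_client -connect HOST:443 -cipher EXPORT
# Reads the captured output on stdin and prints one verdict word.
classify_export_probe() {
    out=$(cat)
    case "$out" in
        *"no cipher match"*)
            # The local OpenSSL build has no EXPORT suites, so nothing was
            # offered to the server and the result says nothing about it.
            echo INCONCLUSIVE ;;
        *"Cipher is EXP"*)
            # OpenSSL names export-grade suites EXP-... (e.g. EXP-RC4-MD5).
            echo EXPORT_ACCEPTED ;;
        *"Cipher is (NONE)"*|*"handshake failure"*)
            echo EXPORT_REFUSED ;;
        *)
            echo INCONCLUSIVE ;;
    esac
}

# Run the command from the post against host:port ($1) and classify it.
probe_host() {
    openssl s_client -connect "$1" -cipher EXPORT </dev/null 2>&1 \
        | classify_export_probe
}

# Constructed, abbreviated sample outputs (not captured from a real system).
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is EXP-RC4-MD5
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EXP-RC4-MD5'

SAMPLE_REFUSED='CONNECTED(00000003)
error: SSL routines: sslv3 alert handshake failure
---
New, (NONE), Cipher is (NONE)'

SAMPLE_NO_LOCAL_SUITES='Error with command: "-cipher EXPORT"
error: SSL routines: SSL_CTX_set_cipher_list: no cipher match'

if [ $# -gt 0 ]; then
    probe_host "$1"
fi
```

A refusal from a client that cannot offer EXPORT suites is not evidence about the server, which is why that case is reported as INCONCLUSIVE rather than EXPORT_REFUSED.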