本文主要是介绍主机漏洞-SSL/TLS 受诫礼(BAR-MITZVAH)攻击漏洞(CVE-2015-2808)【原理扫描】-RC4密码套件,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
主机漏洞-RC4密码套件
验证方式:17
验证语句:openssl s_client -connect 网站地址 -cipher RC4
或者使用nmap进行测试
nmap -p 443 --script=ssl-enum-ciphers TARGET确保服务器支持密码类型不使用RC4。
如下图:
如果能够查看到证书信息,那么就是存在风险漏洞
如果显示sslv3 alerthandshake failure,表示改服务器没有这个漏洞。
修补方式:
服务器
对于NGINX的修补
修改nginx配置文件中的 ssl_ciphers项
ssl_ciphers"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
重新加载:
$sudo /etc/init.d/nginx reload
对于apache的修复
打开配置文件
$ sudo vi /etc/httpd/conf.d/ssl.conf
修改配置
SSLCipherSuite
HIGH:MEDIUM:!aNULL:!MD5;!RC4
$ sudo /etc/init.d/httpd restart
对于TOMCAT的修复
server.xml 中SSL connector加入以下内容:
SSLEnabled="true"sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
tomcat例子:
<connector port="443"maxhttpheadersize="8192" address="127.0.0.1"enablelookups="false" disableuploadtimeout="true"acceptCount="100" scheme="https" secure="true"clientAuth="false" SSLEnabled="true"sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"keystoreFile="mydomain.key"keystorePass="password"truststoreFile="mytruststore.truststore"truststorePass="password"/>;
对于IIS修补
将下面的内容保存为fix.reg,并双击运行来修改注册表:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES56/56]"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC240/128]"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC256/128]"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC440/128]"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC456/128]"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC464/128]"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT1.0\Server]"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL2.0\Server]"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL3.0\Server]"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL3.0\Client]"DisabledByDefault"=dword:00000001
客户端浏览器
对于chrome浏览器的修补
@linux
关闭浏览器,在terminal中直接输入命令运行
$ google-chrome–cipher-suite-blacklist=0x0004,0x0005,0xc011,0xc007
@windows
快捷图标->右键->在目标后面加入引号内的内容 “–cipher-suite-blacklist=0×0004,0×0005,0xc011,0xc007”
重启浏览器生效
@macos
在terminal种输入:
/Applications/GoogleChrome.app/Contents/MacOS/GoogleChrome--cipher-suite-blacklist=0x0004,0x0005,0xc011,0xc007
对于firefox(全平台)
在地址栏输入 about:config 回车,搜索框输入rc4,双击 value 的值就可以改成 false并且禁止rc4相关的ssl传输,如下图:
对于IE(只在windows平台)
参考解决办法:https://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html
运行->regedit->对下面键值进行设置:
·[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4128/128]
"Enabled"=dword:00000000
·[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC440/128]
·"Enabled"=dword:00000000
·[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC456/128]
·"Enabled"=dword:00000000
或者将将下面内容保存为fix.reg,然后双击运行fix.reg进行注册表修改:
WindowsRegistry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4128/128]"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC440/128]"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC456/128]"Enabled"=dword:00000000
这篇关于主机漏洞-SSL/TLS 受诫礼(BAR-MITZVAH)攻击漏洞(CVE-2015-2808)【原理扫描】-RC4密码套件的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!