主机漏洞-SSLTLS受诫礼(BAR-MITZVAH)攻击漏洞(CVE-
2015-2808。。。
主机漏洞-RC4密码套件
验证⽅式:17
验证语句:openssl s_client -connect ⽹站地址 -cipher RC4
或者使⽤nmap进⾏测试
nmap -p 443 --script=ssl-enum-ciphers TARGET确保服务器⽀持密码类型不使⽤RC4。
如下图:
如果能够查看到证书信息,那么就是存在风险漏洞
如果显⽰sslv3 alerthandshake failure,表⽰改服务器没有这个漏洞。
修补⽅式:
服务器
对于NGINX的修补
修改nginx配置⽂件中的 ssl_ciphers项
ssl_ciphers"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-
SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-
AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-
SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-
GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-
SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
重新加载:
$sudo /etc/init.d/nginx reload
对于apache的修复
打开配置⽂件
$ sudo vi /etc/httpd/conf.f
修改配置
SSLCipherSuite
HIGH:MEDIUM:!aNULL:!MD5;!RC4
$ sudo /etc/init.d/httpd restart
对于TOMCAT的修复
SSLEnabled="true"sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,T
tomcat例⼦:
<connector port="443"maxhttpheadersize="8192" address="127.0.0.1"enablelookups="false"
disableuploadtimeout="true"acceptCount="100" scheme="https" secure="true"clientAuth="false"
SSLEnabled="true"sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_A
对于IIS修补
将下⾯的内容保存为,并双击运⾏来修改注册表:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES56/56]"Enabled"=
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]"Enabled"=dwor
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC240/128]"Enabled
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC256/128]"Enabled
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC440/128]"Enabled
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC456/128]"Enabled
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC464/128]"Enabled
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT1.0\Server]"Ena
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL2.0\Server]"Ena
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL3.0\Server]"Ena
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL3.0\Client]"Disa
客户端浏览器
对于chrome浏览器的修补
cve漏洞库@linux
关闭浏览器,在terminal中直接输⼊命令运⾏
$ google-chrome–cipher-suite-blacklist=0x0004,0x0005,0xc011,0xc007
@windows
快捷图标->右键->在⽬标后⾯加⼊引号内的内容 “–cipher-suite-blacklist=0×0004,0×0005,0xc011,0xc007”
重启浏览器⽣效
@macos
在terminal种输⼊:
/Applications/GoogleChrome.app/Contents/MacOS/GoogleChrome--cipher-suite-
blacklist=0x0004,0x0005,0xc011,0xc007
对于firefox(全平台)
在地址栏输⼊ about:config 回车,搜索框输⼊rc4,双击 value 的值就可以改成 false并且禁⽌rc4相关的ssl传输,如下图:
对于IE(只在windows平台)
运⾏->regedit->对下⾯键值进⾏设置:
·[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4128/128] "Enabled"=dword:00000000
·[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC440/128]·"Enabled"=dword:00000000
·[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC456/128]·"Enabled"=dword:00000000
或者将将下⾯内容保存为,然后双击运⾏进⾏注册表修改:
WindowsRegistry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4128/128]"Enable
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC440/128]"Enabled
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC456/128]"Enabled
版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系QQ:729038198,我们将在24小时内删除。
发表评论