验证方式:17
验证语句:openSSL s_client -connect 网站地址 -cipher RC4
或者使用nmap进行测试
nmap -p 443 –script=ssl-enum-ciphers TARGET确保服务器支持密码类型不使用RC4。
如下图:
如果能够查看到证书信息,那么就是存在风险漏洞
如果显示sslv3 alerthandshake failure,表示改服务器没有这个漏洞。
修补方式:
服务器
对于NGINX的修补
修改nginx配置文件中的 ssl_ciphers项
ssl_ciphers"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; ssl_prefer_server_ciphers on;
重新加载:
$sudo /etc/init.d/nginx reload
对于apache的修复
打开配置文件
$ sudo vi /etc/httpd/conf.d/ssl.conf
修改配置
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5;!RC4
$ sudo /etc/init.d/httpd restart
对于TOMCAT的修复
server.xml 中SSL connector加入以下内容:
SSLEnabled="true"sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
tomcat例子:
<connector port="443"maxhttpheadersize="8192" address="127.0.0.1"enablelookups="false" disableuploadtimeout="true"acceptCount="100" scheme="https" secure="true"clientAuth="false" SSLEnabled="true"sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"keystoreFile="mydomain.key"keystorePass="password"truststoreFile="mytruststore.truststore"truststorePass="password"/>;
对于IIS修补
将下面的内容保存为fix.reg,并双击运行来修改注册表:
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersDES56/56]"Enabled"=dword:00000000 [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersNULL]"Enabled"=dword:00000000 [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersRC240/128]"Enabled"=dword:00000000 [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersRC256/128]"Enabled"=dword:00000000 [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersRC440/128]"Enabled"=dword:00000000 [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersRC456/128]"Enabled"=dword:00000000 [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersRC464/128]"Enabled"=dword:00000000 [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsPCT1.0Server]"Enabled"=dword:00000000 [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL2.0Server]"Enabled"=dword:00000000 [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL3.0Server]"Enabled"=dword:00000000 [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL3.0Client]"DisabledByDefault"=dword:00000001
客户端浏览器
对于chrome浏览器的修补
@linux
关闭浏览器,在terminal中直接输入命令运行
$ google-chrome–cipher-suite-blacklist=0x0004,0x0005,0xc011,0xc007 @windows
快捷图标->右键->在目标后面加入引号内的内容 “–cipher-suite-blacklist=0×0004,0×0005,0xc011,0xc007”
重启浏览器生效
@macos
在terminal种输入:
/Applications/GoogleChrome.app/Contents/MacOS/GoogleChrome--cipher-suite-blacklist=0x0004,0x0005,0xc011,0xc007
对于firefox(全平台)
在地址栏输入 about:config 回车,搜索框输入rc4,双击 value 的值就可以改成 false并且禁止rc4相关的ssl传输,如下图:
对于IE(只在windows平台)
参考解决办法:https://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html
运行->regedit->对下面键值进行设置:
·[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersRC4128/128] "Enabled"=dword:00000000 ·[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersRC440/128] ·"Enabled"=dword:00000000 ·[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersRC456/128] ·"Enabled"=dword:00000000
或者将将下面内容保存为fix.reg,然后双击运行fix.reg进行注册表修改:
WindowsRegistry Editor Version 5.00 [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersRC4128/128]"Enabled"=dword:00000000 [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersRC440/128]"Enabled"=dword:00000000 [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersRC456/128]"Enabled"=dword:00000000
原文链接:https://www.westidc.top/archives/589
声明:本网站发布的内容(图片、视频和文字)以用户投稿、用户转载内容为主,如果涉及侵权请尽快告知,我们将会在第一时间删除。文章观点不代表本网站立场,如需处理请联系客服。电话:028-62778877-8261;邮箱:jenny@youkuaiyun.com。本站原创内容未经允许不得转载,或转载时需注明出处::优快云资讯门户 » 主机漏洞-SSL/TLS 受诫礼(BAR-MITZVAH)攻击漏洞(CVE-2015-2808)-RC4密码套件