主机漏洞-SSL/TLS 受诫礼(BAR-MITZVAH)攻击漏洞(CVE-2015-2808)-RC4密码套件

  • A+
所属分类:安全

主机漏洞-RC4密码套件

验证方式:17

验证语句:openssl s_client -connect 网站地址 -cipher RC4

或者使用nmap进行测试

nmap -p 443 --script=ssl-enum-ciphers TARGET确保服务器支持密码类型不使用RC4。

如下图:

主机漏洞-SSL/TLS 受诫礼(BAR-MITZVAH)攻击漏洞(CVE-2015-2808)-RC4密码套件

如果能够查看到证书信息,那么就是存在风险漏洞

如果显示sslv3 alerthandshake failure,表示改服务器没有这个漏洞。

修补方式:

服务器

对于NGINX的修补

修改nginx配置文件中的 ssl_ciphers项

ssl_ciphers"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

ssl_prefer_server_ciphers on;

 

重新加载:

$sudo /etc/init.d/nginx reload

对于apache的修复

打开配置文件

$ sudo vi /etc/httpd/conf.d/ssl.conf

修改配置

SSLCipherSuite

HIGH:MEDIUM:!aNULL:!MD5;!RC4

 

$ sudo /etc/init.d/httpd restart

对于TOMCAT的修复

server.xml 中SSL connector加入以下内容:

SSLEnabled="true"sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"

 

tomcat例子:

<connector port="443"maxhttpheadersize="8192" address="127.0.0.1"enablelookups="false" disableuploadtimeout="true"acceptCount="100" scheme="https" secure="true"clientAuth="false" SSLEnabled="true"sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"keystoreFile="mydomain.key"keystorePass="password"truststoreFile="mytruststore.truststore"truststorePass="password"/>;

 

 

对于IIS修补

将下面的内容保存为fix.reg,并双击运行来修改注册表:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES56/56]"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC240/128]"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC256/128]"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC440/128]"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC456/128]"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC464/128]"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT1.0\Server]"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL2.0\Server]"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL3.0\Server]"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL3.0\Client]"DisabledByDefault"=dword:00000001

 

客户端浏览器

对于chrome浏览器的修补

@linux

关闭浏览器,在terminal中直接输入命令运行

$ google-chrome–cipher-suite-blacklist=0x0004,0x0005,0xc011,0xc007

@windows

快捷图标->右键->在目标后面加入引号内的内容 “–cipher-suite-blacklist=0×0004,0×0005,0xc011,0xc007”

重启浏览器生效

@macos

在terminal种输入:

/Applications/GoogleChrome.app/Contents/MacOS/GoogleChrome--cipher-suite-blacklist=0x0004,0x0005,0xc011,0xc007

对于firefox(全平台)

在地址栏输入 about:config 回车,搜索框输入rc4,双击 value 的值就可以改成 false并且禁止rc4相关的ssl传输,如下图:

主机漏洞-SSL/TLS 受诫礼(BAR-MITZVAH)攻击漏洞(CVE-2015-2808)-RC4密码套件

对于IE(只在windows平台)

参考解决办法:https://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html

运行->regedit->对下面键值进行设置:

·[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4128/128]

"Enabled"=dword:00000000

·[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC440/128]

·"Enabled"=dword:00000000

·[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC456/128]

·"Enabled"=dword:00000000

或者将将下面内容保存为fix.reg,然后双击运行fix.reg进行注册表修改:

WindowsRegistry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4128/128]"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC440/128]"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC456/128]"Enabled"=dword:00000000

  • 我的微信
  • 这是我的微信扫一扫
  • weinxin
  • 我的微信公众号
  • 我的微信公众号扫一扫
  • weinxin

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: