首页 > 工作 > SSLv3的POODLE漏洞处理

SSLv3的POODLE漏洞处理

漏洞描述:

SSLv3协议中,黑客可以通过某种手段,获取到一定长度的明文信息,Google的员工发现并命名此漏洞为POODLE

漏洞检查:

# openssl s_client -connect *.*.*.*:443 -ssl3

把*.*.*.*换成真实的IP,如果得到类似于如下信息,则证明不支持SSLv3,无此问题。

[root@*** ~]# openssl s_client -connect *.*.*.*:443 -ssl3
CONNECTED(00000003)
139973583345480:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
139973583345480:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1414048994
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

如果得到类似于如下的信息,则说明支持SSLv3,有漏洞。

[root@*** ~]# openssl s_client -connect *.*.*.*:443 -ssl3
CONNECTED(00000003)
depth=0 C = CN, ST = BJ, L = BJ, O = XXOO Inc., OU = XXOO, CN = **.com, emailAddress = **@**.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = CN, ST = BJ, L = BJ, O = XXOO Inc., OU = XXOO, CN = **.com, emailAddress = **@**.com
verify return:1
---
Certificate chain
 0 s:/C=CN/ST=BJ/L=BJ/O=XXOO./OU=XXOO/CN=**.com/emailAddress=**@**.com
   i:/C=CN/ST=BJ/L=BJ/O=XXOO./OU=XXOO/CN=**.com/emailAddress=**@**.com
---
Server certificate
-----BEGIN CERTIFICATE-----
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
-----END CERTIFICATE-----
subject=/C=CN/ST=BJ/L=BJ/O=XXOO./OU=XXOO/CN=**.com/emailAddress=**@**.com
issuer=/C=CN/ST=BJ/L=BJ/O=XXOO./OU=XXOO/CN=**.com/emailAddress=**@**.com
---
No client certificate CA names sent
---
SSL handshake has read 1258 bytes and written 382 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: *******************************************
    Session-ID-ctx: 
    Master-Key: *********************************************************
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1414048895
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---

漏洞处理:
我只说nginx上这个漏洞怎么处理,nginx1.0之前的版本和之后的版本配置不太一样。
nginx1.0之前,在SSL的配置调整如下:

ssl_protocols TLSv1;

nginx1.0之后,可以配置的更完整:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

理论上这两个配置是一样的,建议优先用第二个配置,用-t检查不支持TLSv1.1时,再改用上面简单的配置方法。

分类: 工作 标签: , ,
  1. 本文目前尚无任何评论.