2014年10月

漏洞描述:
[code]
SSLv3协议中,黑客可以通过某种手段,获取到一定长度的明文信息,Google的员工发现并命名此漏洞为POODLE
[/code]

漏洞检查:
[code]
# openssl s_client -connect *.*.*.*:443 -ssl3
[/code]
把*.*.*.*换成真实的IP,如果得到类似于如下信息,则证明不支持SSLv3,无此问题。
[code]
[root@*** ~]# openssl s_client -connect *.*.*.*:443 -ssl3
CONNECTED(00000003)
139973583345480:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
139973583345480:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1414048994
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
[/code]

- 阅读剩余部分 -

Maven打包项目成单独文件,一般用maven-assembly-plugin插件,一般配置如下:
[code]
<plugin>
<artifactId>maven-assembly-plugin</artifactId>

<configuration>
<appendAssemblyId>false</appendAssemblyId>
<descriptorRefs>
<descriptorRef>jar-with-dependencies</descriptorRef>
</descriptorRefs>
<descriptors>
<descriptor>src/main/assemble/package.xml</descriptor>
</descriptors>
<archive>
<manifest>
<mainClass>*.*.*.Main</mainClass>
</manifest>
</archive>
</configuration>
<executions>
<execution>
<id>make-assembly</id>
<phase>package</phase>
<goals>
<goal>assembly</goal>
</goals>
</execution>
</executions>
</plugin>
[/code]

碰到Spring项目,就容易出问题:
[code]
Configuration problem: Unable to locate Spring NamespaceHandler for XML schema namespace
[/code]

- 阅读剩余部分 -