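- Problem description
SSL/TLS protocol information disclosure vulnerability (CVE-2016-2183). TLS (Transport Layer Security) is a protocol that provides confidentiality and data integrity between two communicating applications.
The DES and Triple DES ciphers, as used in TLS, SSH, IPSec negotiation and other products, have a birthday bound of approximately four billion blocks, which allows remote attackers to obtain plaintext data via the Sweet32 attack.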
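2. Troubleshooting process
First, the description of this vulnerability tells us that
OpenSSL 1.1.0 and later do not have this vulnerability, and the local openssl version is higher than 1.1.0.
So the problem has to be approached from a different angle.
From the link below I learned that the nmap scanning tool can show where the vulnerability comes from (it is also used for the retest).
For how to install nmap, please search for it yourself (the server in this case runs Red Hat; I downloaded the rpm package from the official site and installed it successfully with rpm -ivh on the package).
The following command produces the result:
nmap -sV --script ssl-enum-ciphers -p 443 www.example.com (an IP address also works)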
D:\Nmap>nmap -sV --script ssl-enum-ciphers -p 443 222.**.***.215
Starting Nmap 7.70 ( https://nmap.org ) at 2021-09-29 11:06 ?D1ú±ê×?ê±??
Nmap scan report for 222.**.***.215
Host is up (0.0060s latency).
PORT STATE SERVICE VERSION
443/tcp open ssl/http nginx
|_http-server-header: nginx
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
|_ least strength: C
Service detection performed. Please report any incorrect results at
Nmap done: 1 IP address (1 host up) scanned in 22.23 seconds
The scan shows that the 3DES cipher suite is rated C, and there is a warning that roughly matches the description of CVE-2016-2183.
# Nginx configuration file /etc/nginx/nginx.conf
server {
    listen 443 ssl;
    server_name www.xlsys.cn;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_certificate /etc/nginx/ssl_cert/lsms.189ms.com/5974727.pem;
    ssl_certificate_key /etc/nginx/ssl_cert/lsms.189ms.com/5974727.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!ECDHE+3DES:!MD5:!ADH:!RC4;
    # The ssl_ciphers line above is the key to fixing the vulnerability.
    # Note: the 3DES exclusion is the filter that was added afterwards (written here as !ECDHE+3DES; !3DES excludes every 3DES suite, not only the ECDHE ones).
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
}
Then run nginx -t to check the configuration file,
and nginx -s reload to reload nginx.
4. Retest - scan
nmap -sV --script ssl-enum-ciphers -p 443 www.example.com (an IP address also works)
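One way to make the retest mechanical, as an added example that is not part of the original post: the Python below parses saved ssl-enum-ciphers output and lists every 64-bit block cipher suite per protocol version, going beyond 3DES to DES, IDEA and RC2 suites as well. The function names and both sample scans are constructed for illustration.

```python
import re

# Protocol header and cipher-suite lines as printed by ssl-enum-ciphers.
PROTO = re.compile(r"^\|_?\s*(SSLv3|TLSv1\.[0-3]):\s*$")
SUITE = re.compile(r"^\|_?\s*(TLS_\S+)")
# Suite names whose bulk cipher has a 64-bit block (the SWEET32 class).
BLOCK64 = re.compile(r"_WITH_(3DES_EDE|DES40|DES|IDEA|RC2)_CBC")

def find_64bit_suites(nmap_text):
    """Return {protocol: [suite, ...]} for every 64-bit block cipher offered."""
    if "ssl-enum-ciphers:" not in nmap_text:
        # Closed port or failed handshake: missing data must not count as a pass.
        raise ValueError("no ssl-enum-ciphers section in scan output")
    weak, proto = {}, None
    for line in nmap_text.splitlines():
        m = PROTO.match(line)
        if m:
            proto = m.group(1)
            continue
        m = SUITE.match(line)
        if m and proto and BLOCK64.search(m.group(1)):
            weak.setdefault(proto, []).append(m.group(1))
    return weak

def retest_passed(nmap_text):
    """True only if no 64-bit suite is listed and nmap printed no SWEET32 warning."""
    return not find_64bit_suites(nmap_text) and "SWEET32" not in nmap_text

# Constructed sample: an excerpt in the shape of the scan above (before the fix).
BEFORE = """\
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
"""
# Constructed sample: the same excerpt with every 3DES line gone (after the fix).
AFTER = "\n".join(ln for ln in BEFORE.splitlines() if "3DES" not in ln)

if __name__ == "__main__":
    print(find_64bit_suites(BEFORE), "retest passed:", retest_passed(AFTER))
```

Save the retest scan with nmap's -oN option and pass the file contents to retest_passed; a scan with no ssl-enum-ciphers section raises an error instead of passing silently.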