Fix method:
1: Upgrade to the latest OpenSSL release and restart the affected services. # e.g. OpenSSL 1.0.1 users should upgrade to 1.0.2
2: Change the SSL cipher list (the previous nginx conf was: ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; which still allows export-grade ciphers, since +EXP only moves them to the end of the list and !EXPORT56 excludes only the 56-bit ones)
nginx: change to ssl_ciphers HIGH:!aNULL:!MD5:!EXPORT56:!EXP;
httpd: change to SSLCipherSuite HIGH:!aNULL:!MD5:!EXPORT56:!EXP
3: Restart the affected services.
Source: Byrd's Weblog, https://note.t4x.org/environment/fix-openssl-freak/
Vulnerability test:
```
[root@localhost ~]# openssl s_client -connect note.t4x.org:443 -cipher EXPORT
CONNECTED(00000003)
[certificate chain, server certificate and subject/issuer lines omitted; their values were redacted on the page]
---
No client certificate CA names sent
---
SSL handshake has read 6799 bytes and written 199 bytes
---
New, TLSv1/SSLv3, Cipher is EXP-DES-CBC-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EXP-DES-CBC-SHA
    Session-ID: 5343####4FC455F26700B
    Session-ID-ctx:
    Master-Key: 2CCA993F6#########C6EE5A17FEA6F52D5BCA697C09A169ED59E0
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1427162168
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
closed
```
After the fix:
```
[root@localhost ~]# openssl s_client -connect note.t4x.org:443 -cipher EXPORT
CONNECTED(00000003)
139642907903816:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 73 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
```
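As an added example (not from the original post), a small POSIX shell helper that re-runs the page's `openssl s_client -cipher EXPORT` probe and classifies its output, so a server can be re-checked after the cipher list change; the function names and the sample outputs are constructed here from the two sessions above, and it also handles the case where the local OpenSSL no longer ships export ciphers at all.

```shell
#!/bin/sh
# Added example (not from the original post): classify the result of the
# page's `openssl s_client -connect HOST:PORT -cipher EXPORT` probe.
# Function names and sample outputs below are constructed for this example.

# Classify captured s_client output. Prints one word:
#   vulnerable   - the server completed a handshake with an EXP-* cipher
#   ok           - the server refused every export cipher
#   inconclusive - the local OpenSSL has no export ciphers built in, so the
#                  probe says nothing about the server (check from an older build)
#   unknown      - none of the patterns matched
classify_export_probe() {
    out="$1"
    if printf '%s\n' "$out" | grep -q 'no cipher match'; then
        echo inconclusive
    elif printf '%s\n' "$out" | grep -Eq '^New,.*Cipher is EXP-'; then
        echo vulnerable
    elif printf '%s\n' "$out" | grep -Eq 'Cipher is \(NONE\)|handshake failure'; then
        echo ok
    else
        echo unknown
    fi
}

# Probe a live host (network required), e.g. probe_export_ciphers note.t4x.org:443
probe_export_ciphers() {
    target="$1"
    # empty stdin makes s_client exit right after the handshake
    out=$(printf '' | openssl s_client -connect "$target" -cipher EXPORT 2>&1)
    classify_export_probe "$out"
}

# Constructed samples, abbreviated from the two sessions shown on the page.
SAMPLE_BEFORE_FIX='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is EXP-DES-CBC-SHA
Server public key is 2048 bit'
SAMPLE_AFTER_FIX='CONNECTED(00000003)
139642907903816:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:
New, (NONE), Cipher is (NONE)'
# Constructed: what a modern OpenSSL client prints when EXPORT matches no cipher.
SAMPLE_NO_LOCAL_EXPORT='Error setting cipher list EXPORT
error:SSL routines:SSL_CTX_set_cipher_list:no cipher match'

# Usage: sh this_script.sh HOST:PORT ; with no argument the samples are classified.
if [ "$#" -eq 1 ]; then
    probe_export_ciphers "$1"
else
    classify_export_probe "$SAMPLE_BEFORE_FIX"   # vulnerable
    classify_export_probe "$SAMPLE_AFTER_FIX"    # ok
fi
```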