修复Openssl FREAK(CVE-2015-0204)漏洞

发表评论
2,729

A+

修复方法：

1:升级最新版本openssl，重新启动对应服务。#比如OpenSSL的1.0.1的用户应该升级到1.0.2
2：修改ssl加密算法：(nginx conf:ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;)
nginx修改为 ssl_ciphers HIGH:!aNULL:!MD5:!EXPORT56:!EXP;
httpd修改为 SSLCipherSuite HIGH:!aNULL:!MD5:!EXPORT56:!EXP
3：重新启动对应服务。

漏洞测试：

[root@localhost ~]# openssl s_client -connect www.t4x.org:443 -cipher EXPORT   
CONNECTED(00000003)
depth=3 C = IL, O = ### Ltd., OU = Secure Digital Certificate Signing, CN = ### Certification Authority
verify return:1
depth=2 C = CN, O = ### Limited, CN = CA \E6\B2\83\###\E8\AF\81\E4\B9\A6
verify return:1
depth=1 C = CN, O = ### CA Limited, CN = CA \E6\B2\83\E9\80###\81\E4\B9\A6
verify return:1
depth=0 description = \E5\85\8D\E8\B4\B####\AF\81\E4\B9\A6 \E7\94\B3\E8\###\91\E5\9D\80\EF\BC\9Ahttps://####.com, CN = mail.####.com
verify return:1
---
Certificate chain
 0 s:/description=\xE5\x85\x8D\###F\x81\xE4\xB9\xA6 \xE7\x94\xB3\xE8\xAF\xB7\xE7\xBD\x91\xE5\x9D\x80\xEF\xBC\x9Ahttps://buy.wosign.com/CN=mail.####.com
   i:/C=CN/O=WoSign CA Limited/CN=CA \xE6\xB2\x83\####\x8D\xE8\xB4\xB9SSL\xE8\xAF\x81\xE4\xB9\xA6
 1 s:/C=CN/O=WoSign CA Limited/CN=CA \xE6\xB2\x83\xE9\###\x8D\xE8\xB4\xB9SSL\xE8\xAF\x81\xE4\xB9\xA6
   i:/C=CN/O=WoSign CA Limited/CN=CA \xE6\xB2\x83\xE9\###\xB9\xE8\xAF\x81\xE4\xB9\xA6
 2 s:/C=CN/O=WoSign CA Limited/CN=CA \xE6\xB2\x83\xE9\x80\###\xB9\xE8\xAF\x81\xE4\xB9\xA6
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=### Certification Authority
 3 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=### Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=### Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
#######################FMm1PJLA9iewtlE9XETANBgkqhkiG9w0BAQUFADBM
MQswCQYDVQQGEwJDTjEaMBgGA1UEChMRV29TaWduIENBIExpbWl0ZWQxITAfBgNV
BAMMGENBIOayg+mAmuWFjei0uVNTTOivgeS5pjAeFw0xNDEyMjUwMzI5MDlaFw0x
NTEyMjUwMzI5MDlaMFkxPjA8BgNVBA0MNeWFjei0uVNTTOivgeS5piDnlLPor7fn
vZHlnYDvvJ####################################YDVQQDDA5tYWlsLmp1
YXN5LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPjfJK6tHr7n
c5LgnyyfesG+jMRm+hIHCKVl8xcToUC9xfqhXpTPBLC+0NxGdwHpHY5jsLqE+Mi8
k6VtB0XxP5t644P8j3/felLush1AQdAIHmlWvCYhA4XlnHDNiI2PxqbaJl7CsVVU
24K0r1N5w1kMsGW354SKrAAA8qXy9fRd8sl+8EUmL+51eyo+bziC0obCoHFP7+i6
FQwtZWxabxkT08kGUeaR3gjFx1Nt3HCDPKSxTTVxqH2xu5vAR77Uf1j6OavxLlco
XlheTEO7GySKM2ilN8lVlrFfnCuOLJjpl2CaK7B0V6gk/Cvnl22zHomPpuqxGqnN
pCGoZUFTdzcCAwEAAaOCAaUwggGhMAsGA1UdDwQEAwIDqDAdBgNVHSUEFjAUBggr
BgEFBQcDAgYIKwYBBQUHAwEwCQYDVR0TBAIwADAdBgNVHQ4EFgQULfReKHXU6/pk
vPB/e+KbvHzaT90wHwYDVR0jBBgwFoAU/cOuEdflyOXUNEGqQQ0oKdwL9z4wewYI
KwYBBQUHAQEEbzBtMDMGCCsGAQUFBzABhidodHRwOi8vb2NzcDIud29zaWduLmNu
########################################Kmh0dHA6Ly9haWEyLndvc2ln
bi5jbi9jYTIuc2VydmVyMS5mcmVlLmNlcjA8BgNVHR8ENTAzMDGgL6AthitodHRw
Oi8vY3JsczIud29zaWduLmNuL2NhMi1zZXJ2ZXIxLWZyZWUuY3JsMBkGA1UdEQQS
MBCCDm1haWwuanVhc3kuY29tMFIGA1UdIARLMEkwCAYGZ4EMAQIBMD0GDisGAQQB
gptRAwECBwECMCswKQYIKwYBBQUHAgEWHWh0dHA6Ly93d3cud29zaWduLmNvbS9w
###################################Lhx97YtyFOlvC92qjVQWvZjZ7X8Ii
uqbxGDKxVJt6s7ARomQ7toK35SCdfVpgXYlMS2eHNgXdL1gzjRQU4FyDskNgcZqL
fruVhm2JV17yDM+Szy16MT8chh+FS3BAOESpwz0I71L7V+mgkVDmz1/sTekFGS0E
#########################################pswOZF0QVr/DOaDK41OglfG
Wac2V1kbLk4JwMz5BD3YRPmTHGJn04MZikilVzyoLrJpP1UCUIhewJsmV6WVW7fn
###############################################
-----END CERTIFICATE-----
subject=/description=\xE5\x85\x8D\xE8\xB4###### \xE7\x94\xB3\xE8\xAF\xB7\xE7\xBD\x91\xE5\x9D\x80\xEF\xBC\x9Ahttps://buy.wosign.com/CN=mail.####.com
issuer=/C=CN/O=#### CA Limited/CN=CA \xE6\xB2\x83\xE9\x80\x9A\x####B4\xB9SSL\xE8\xAF\x81\xE4\xB9\xA6
---
No client certificate CA names sent
---
SSL handshake has read 6799 bytes and written 199 bytes
---
New, TLSv1/SSLv3, Cipher is EXP-DES-CBC-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EXP-DES-CBC-SHA
    Session-ID: 5343####4FC455F26700B
    Session-ID-ctx: 
    Master-Key: 2CCA993F6#########C6EE5A17FEA6F52D5BCA697C09A169ED59E0
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1427162168
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
closed

[root@localhost ~]# openssl s_client -connect www.t4x.org:443 -cipher EXPORT

CONNECTED(00000003)

depth=3 C = IL, O = ### Ltd., OU = Secure Digital Certificate Signing, CN = ### Certification Authority

verify return:1

depth=2 C = CN, O = ### Limited, CN = CA \E6\B2\83\###\E8\AF\81\E4\B9\A6

verify return:1

depth=1 C = CN, O = ### CA Limited, CN = CA \E6\B2\83\E9\80###\81\E4\B9\A6

verify return:1

depth=0 description = \E5\85\8D\E8\B4\B####\AF\81\E4\B9\A6 \E7\94\B3\E8\###\91\E5\9D\80\EF\BC\9Ahttps://####.com, CN = mail.####.com

verify return:1

---

Certificate chain

0 s:/description=\xE5\x85\x8D\###F\x81\xE4\xB9\xA6 \xE7\x94\xB3\xE8\xAF\xB7\xE7\xBD\x91\xE5\x9D\x80\xEF\xBC\x9Ahttps://buy.wosign.com/CN=mail.####.com

i:/C=CN/O=WoSign CA Limited/CN=CA \xE6\xB2\x83\####\x8D\xE8\xB4\xB9SSL\xE8\xAF\x81\xE4\xB9\xA6

1 s:/C=CN/O=WoSign CA Limited/CN=CA \xE6\xB2\x83\xE9\###\x8D\xE8\xB4\xB9SSL\xE8\xAF\x81\xE4\xB9\xA6

i:/C=CN/O=WoSign CA Limited/CN=CA \xE6\xB2\x83\xE9\###\xB9\xE8\xAF\x81\xE4\xB9\xA6

2 s:/C=CN/O=WoSign CA Limited/CN=CA \xE6\xB2\x83\xE9\x80\###\xB9\xE8\xAF\x81\xE4\xB9\xA6

i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=### Certification Authority

3 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=### Certification Authority

i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=### Certification Authority

---

Server certificate

-----BEGIN CERTIFICATE-----

#######################FMm1PJLA9iewtlE9XETANBgkqhkiG9w0BAQUFADBM

MQswCQYDVQQGEwJDTjEaMBgGA1UEChMRV29TaWduIENBIExpbWl0ZWQxITAfBgNV

BAMMGENBIOayg+mAmuWFjei0uVNTTOivgeS5pjAeFw0xNDEyMjUwMzI5MDlaFw0x

NTEyMjUwMzI5MDlaMFkxPjA8BgNVBA0MNeWFjei0uVNTTOivgeS5piDnlLPor7fn

vZHlnYDvvJ####################################YDVQQDDA5tYWlsLmp1

YXN5LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPjfJK6tHr7n

c5LgnyyfesG+jMRm+hIHCKVl8xcToUC9xfqhXpTPBLC+0NxGdwHpHY5jsLqE+Mi8

k6VtB0XxP5t644P8j3/felLush1AQdAIHmlWvCYhA4XlnHDNiI2PxqbaJl7CsVVU

24K0r1N5w1kMsGW354SKrAAA8qXy9fRd8sl+8EUmL+51eyo+bziC0obCoHFP7+i6

FQwtZWxabxkT08kGUeaR3gjFx1Nt3HCDPKSxTTVxqH2xu5vAR77Uf1j6OavxLlco

XlheTEO7GySKM2ilN8lVlrFfnCuOLJjpl2CaK7B0V6gk/Cvnl22zHomPpuqxGqnN

pCGoZUFTdzcCAwEAAaOCAaUwggGhMAsGA1UdDwQEAwIDqDAdBgNVHSUEFjAUBggr

BgEFBQcDAgYIKwYBBQUHAwEwCQYDVR0TBAIwADAdBgNVHQ4EFgQULfReKHXU6/pk

vPB/e+KbvHzaT90wHwYDVR0jBBgwFoAU/cOuEdflyOXUNEGqQQ0oKdwL9z4wewYI

KwYBBQUHAQEEbzBtMDMGCCsGAQUFBzABhidodHRwOi8vb2NzcDIud29zaWduLmNu

########################################Kmh0dHA6Ly9haWEyLndvc2ln

bi5jbi9jYTIuc2VydmVyMS5mcmVlLmNlcjA8BgNVHR8ENTAzMDGgL6AthitodHRw

Oi8vY3JsczIud29zaWduLmNuL2NhMi1zZXJ2ZXIxLWZyZWUuY3JsMBkGA1UdEQQS

MBCCDm1haWwuanVhc3kuY29tMFIGA1UdIARLMEkwCAYGZ4EMAQIBMD0GDisGAQQB

gptRAwECBwECMCswKQYIKwYBBQUHAgEWHWh0dHA6Ly93d3cud29zaWduLmNvbS9w

###################################Lhx97YtyFOlvC92qjVQWvZjZ7X8Ii

uqbxGDKxVJt6s7ARomQ7toK35SCdfVpgXYlMS2eHNgXdL1gzjRQU4FyDskNgcZqL

fruVhm2JV17yDM+Szy16MT8chh+FS3BAOESpwz0I71L7V+mgkVDmz1/sTekFGS0E

#########################################pswOZF0QVr/DOaDK41OglfG

Wac2V1kbLk4JwMz5BD3YRPmTHGJn04MZikilVzyoLrJpP1UCUIhewJsmV6WVW7fn

###############################################

-----END CERTIFICATE-----

subject=/description=\xE5\x85\x8D\xE8\xB4###### \xE7\x94\xB3\xE8\xAF\xB7\xE7\xBD\x91\xE5\x9D\x80\xEF\xBC\x9Ahttps://buy.wosign.com/CN=mail.####.com

issuer=/C=CN/O=#### CA Limited/CN=CA \xE6\xB2\x83\xE9\x80\x9A\x####B4\xB9SSL\xE8\xAF\x81\xE4\xB9\xA6

---

No client certificate CA names sent

---

SSL handshake has read 6799 bytes and written 199 bytes

---

New, TLSv1/SSLv3, Cipher is EXP-DES-CBC-SHA

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

SSL-Session:

Protocol : TLSv1

Cipher : EXP-DES-CBC-SHA

Session-ID: 5343####4FC455F26700B

Session-ID-ctx:

Master-Key: 2CCA993F6#########C6EE5A17FEA6F52D5BCA697C09A169ED59E0

Key-Arg : None

Krb5 Principal: None

PSK identity: None

PSK identity hint: None

Start Time: 1427162168

Timeout : 300 (sec)

Verify return code: 0 (ok)

---

closed

修复后：

[root@localhost ~]# openssl s_client -connect www.t4x.org:443 -cipher EXPORT  
CONNECTED(00000003)
139642907903816:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 73 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---