SSL/TLS RC4信息泄露漏洞(CVE-2015-2808)

補(bǔ)侗咂弧：https://support.microsoft.com/en-us/help/2868725/microsoft-security-advisory-update-for-disabling-rc4

系統(tǒng)是Windows2003，補(bǔ)丁不適用饺饭。

嘗試用注冊(cè)表禁用RC4解決

Windows Registry Editor Version5.00[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]

"Enabled"=dword:00000000[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]

"Enabled"=dword:00000000[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]

"Enabled"=dword:00000000

OpenSSL "SSL-Death-Alert" 拒絕服務(wù)漏洞(CVE-2016-8610)

補(bǔ)镀涛搿：https://www.openssl.org/source/

以下版本可以修復(fù)此漏洞:

openssl-1.0.2分支的1.0.2i及后續(xù)版本

openssl-1.1.0分支的1.1.0a及后續(xù)版本

openssl-1.0.1分支官方暫未提供修復(fù)版本起宽，無法升級(jí)新分支的用戶可以參考此補(bǔ)丁(https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=af58be768ebb690f78530f796e92b8ae5c9a4401)修改源碼后重新編譯

OpenSSL SSLv2協(xié)議"Drown"漏洞(CVE-2016-0800)

禁用sslv2

服務(wù)器端

點(diǎn)擊“開始”—“運(yùn)行”，輸入?“Regedit”济榨，點(diǎn)擊OK.

在注冊(cè)表中尋找：

“HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server”

如果在Protocols下沒有“SSL 2.0”選項(xiàng)坯沪，請(qǐng)依次新建“SSL 2.0”和“Server”項(xiàng)。

新建一個(gè)DWORD值擒滑。

在名稱中腐晾，輸入“Enabled”。

雙擊這個(gè)值丐一，在數(shù)值數(shù)據(jù)中藻糖，輸入“0”。

點(diǎn)擊OK库车，退出注冊(cè)表編輯器巨柒，然后重啟電腦。

SSL/TLS 受誡禮(BAR-MITZVAH)攻擊漏洞(CVE-2015-2808)

服務(wù)器：

對(duì)于NGINX的修補(bǔ)

修改nginx配置文件中的 ssl_ciphers項(xiàng)

ssl_ciphers"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

ssl_prefer_server_ciphers on;

重新加載：

$sudo /etc/init.d/nginx reload

對(duì)于apache的修復(fù)

打開配置文件

$ sudo vi /etc/httpd/conf.d/ssl.conf

修改配置

SSLCipherSuite

HIGH:MEDIUM:!aNULL:!MD5;!RC4

$ sudo /etc/init.d/httpd restart

對(duì)于TOMCAT的修復(fù)

server.xml?中SSL connector加入以下內(nèi)容:

SSLEnabled="true"sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"

tomcat例子：

<connector port="443"maxhttpheadersize="8192" address="127.0.0.1"enablelookups="false" disableuploadtimeout="true"acceptCount="100" scheme="https" secure="true"clientAuth="false" SSLEnabled="true"sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"keystoreFile="mydomain.key"keystorePass="password"truststoreFile="mytruststore.truststore"truststorePass="password"/>;

對(duì)于IIS修補(bǔ)

將下面的內(nèi)容保存為fix.reg柠衍，并雙擊運(yùn)行來修改注冊(cè)表：

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES56/56]"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC240/128]"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC256/128]"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC440/128]"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC456/128]"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC464/128]"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT1.0\Server]"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL2.0\Server]"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL3.0\Server]"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL3.0\Client]"DisabledByDefault"=dword:00000001

或配置防火墻洋满，不允許集群外機(jī)器訪問。