linux下修复Openssl FREAK 漏洞bug步骤
发布:smiling 来源: PHP粉丝网 添加日期:2015-05-06 13:38:17 浏览: 评论:0
Openssl出现的bug 很多朋友都知道是非常的严重了,对于Openssl bug小编每次安装系统都需要来补一下它,下面来看看linux下修复Openssl FREAK 漏洞bug步骤.
修复方法:
1:升级最新版本openssl,重新启动对应服务,#比如OpenSSL的1.0.1的用户应该升级到1.0.2.
2:修改ssl加密算法:(nginx conf:ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;)
nginx修改为 ssl_ciphers HIGH:!aNULL:!MD5:!EXPORT56:!EXP;
httpd修改为 SSLCipherSuite HIGH:!aNULL:!MD5:!EXPORT56:!EXP
3:重新启动对应服务。
漏洞测试:
- [root@localhost ~]# openssl s_client -connect www.111cn.net :443 -cipher EXPORT
- CONNECTED(00000003)
- depth=3 C = IL, O = ### Ltd., OU = Secure Digital Certificate Signing, CN = ### Certification Authority
- verify return:1
- depth=2 C = CN, O = ### Limited, CN = CA \E6\B2\83\###\E8\AF\81\E4\B9\A6
- verify return:1
- depth=1 C = CN, O = ### CA Limited, CN = CA \E6\B2\83\E9\80###\81\E4\B9\A6
- verify return:1
- depth=0 description = \E5\85\8D\E8\B4\B####\AF\81\E4\B9\A6 \E7\94\B3\E8\###\91\E5\9D\80\EF\BC\9Ahttps://####.com, CN = mail.####.com
- verify return:1
- ---
- Certificate chain
- 0 s:/description=\xE5\x85\x8D\###F\x81\xE4\xB9\xA6 \xE7\x94\xB3\xE8\xAF\xB7\xE7\xBD\x91\xE5\x9D\x80\xEF\xBC\x9Ahttps://buy.wosign.com/CN=mail.####.com
- i:/C=CN/O=WoSign CA Limited/CN=CA \xE6\xB2\x83\####\x8D\xE8\xB4\xB9SSL\xE8\xAF\x81\xE4\xB9\xA6
- 1 s:/C=CN/O=WoSign CA Limited/CN=CA \xE6\xB2\x83\xE9\###\x8D\xE8\xB4\xB9SSL\xE8\xAF\x81\xE4\xB9\xA6
- i:/C=CN/O=WoSign CA Limited/CN=CA \xE6\xB2\x83\xE9\###\xB9\xE8\xAF\x81\xE4\xB9\xA6
- 2 s:/C=CN/O=WoSign CA Limited/CN=CA \xE6\xB2\x83\xE9\x80\###\xB9\xE8\xAF\x81\xE4\xB9\xA6
- i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=### Certification Authority
- 3 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=### Certification Authority
- i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=### Certification Authority
- ---
- Server certificate
- -----BEGIN CERTIFICATE-----
- #######################FMm1PJLA9iewtlE9XETANBgkqhkiG9w0BAQUFADBM
- MQswCQYDVQQGEwJDTjEaMBgGA1UEChMRV29TaWduIENBIExpbWl0ZWQxITAfBgNV
- BAMMGENBIOayg+mAmuWFjei0uVNTTOivgeS5pjAeFw0xNDEyMjUwMzI5MDlaFw0x
- NTEyMjUwMzI5MDlaMFkxPjA8BgNVBA0MNeWFjei0uVNTTOivgeS5piDnlLPor7fn
- vZHlnYDvvJ####################################YDVQQDDA5tYWlsLmp1
- YXN5LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPjfJK6tHr7n
- c5LgnyyfesG+jMRm+hIHCKVl8xcToUC9xfqhXpTPBLC+0NxGdwHpHY5jsLqE+Mi8
- k6VtB0XxP5t644P8j3/felLush1AQdAIHmlWvCYhA4XlnHDNiI2PxqbaJl7CsVVU
- 24K0r1N5w1kMsGW354SKrAAA8qXy9fRd8sl+8EUmL+51eyo+bziC0obCoHFP7+i6
- FQwtZWxabxkT08kGUeaR3gjFx1Nt3HCDPKSxTTVxqH2xu5vAR77Uf1j6OavxLlco
- XlheTEO7GySKM2ilN8lVlrFfnCuOLJjpl2CaK7B0V6gk/Cvnl22zHomPpuqxGqnN
- pCGoZUFTdzcCAwEAAaOCAaUwggGhMAsGA1UdDwQEAwIDqDAdBgNVHSUEFjAUBggr
- BgEFBQcDAgYIKwYBBQUHAwEwCQYDVR0TBAIwADAdBgNVHQ4EFgQULfReKHXU6/pk
- vPB/e+KbvHzaT90wHwYDVR0jBBgwFoAU/cOuEdflyOXUNEGqQQ0oKdwL9z4wewYI
- KwYBBQUHAQEEbzBtMDMGCCsGAQUFBzABhidodHRwOi8vb2NzcDIud29zaWduLmNu
- ########################################Kmh0dHA6Ly9haWEyLndvc2ln
- bi5jbi9jYTIuc2VydmVyMS5mcmVlLmNlcjA8BgNVHR8ENTAzMDGgL6AthitodHRw
- Oi8vY3JsczIud29zaWduLmNuL2NhMi1zZXJ2ZXIxLWZyZWUuY3JsMBkGA1UdEQQS
- MBCCDm1haWwuanVhc3kuY29tMFIGA1UdIARLMEkwCAYGZ4EMAQIBMD0GDisGAQQB
- gptRAwECBwECMCswKQYIKwYBBQUHAgEWHWh0dHA6Ly93d3cud29zaWduLmNvbS9w
- ###################################Lhx97YtyFOlvC92qjVQWvZjZ7X8Ii
- uqbxGDKxVJt6s7ARomQ7toK35SCdfVpgXYlMS2eHNgXdL1gzjRQU4FyDskNgcZqL
- fruVhm2JV17yDM+Szy16MT8chh+FS3BAOESpwz0I71L7V+mgkVDmz1/sTekFGS0E
- #########################################pswOZF0QVr/DOaDK41OglfG
- Wac2V1kbLk4JwMz5BD3YRPmTHGJn04MZikilVzyoLrJpP1UCUIhewJsmV6WVW7fn
- ###############################################
- -----END CERTIFICATE-----
- subject=/description=\xE5\x85\x8D\xE8\xB4###### \xE7\x94\xB3\xE8\xAF\xB7\xE7\xBD\x91\xE5\x9D\x80\xEF\xBC\x9Ahttps://buy.wosign.com/CN=mail.####.com
- issuer=/C=CN/O=#### CA Limited/CN=CA \xE6\xB2\x83\xE9\x80\x9A\x####B4\xB9SSL\xE8\xAF\x81\xE4\xB9\xA6
- ---
- No client certificate CA names sent
- ---
- SSL handshake has read 6799 bytes and written 199 bytes
- ---
- New, TLSv1/SSLv3, Cipher is EXP-DES-CBC-SHA
- Server public key is 2048 bit
- Secure Renegotiation IS supported
- Compression: NONE
- Expansion: NONE
- SSL-Session:
- Protocol : TLSv1
- Cipher : EXP-DES-CBC-SHA
- Session-ID: 5343####4FC455F26700B
- Session-ID-ctx:
- Master-Key: 2CCA993F6#########C6EE5A17FEA6F52D5BCA697C09A169ED59E0
- Key-Arg : None
- Krb5 Principal: None
- PSK identity: None
- PSK identity hint: None
- Start Time: 1427162168
- Timeout : 300 (sec)
- Verify return code: 0 (ok)
- ---
- closed
- //修复后:
- [root@localhost ~]# openssl s_client -connect www.111cn.net :443 -cipher EXPORT //phpfensi.com
- CONNECTED(00000003)
- 139642907903816:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:
- ---
- no peer certificate available
- ---
- No client certificate CA names sent
- ---
- SSL handshake has read 7 bytes and written 73 bytes
- ---
- New, (NONE), Cipher is (NONE)
- Secure Renegotiation IS NOT supported
- Compression: NONE
- Expansion: NONE
- ---
好了有没有发现修复之后我们再测试这个bug是已经没有 bug.
Tags: Openssl FREAK
推荐文章
热门文章
最新评论文章
- 写给考虑创业的年轻程序员(10)
- PHP新手上路(一)(7)
- 惹恼程序员的十件事(5)
- PHP邮件发送例子,已测试成功(5)
- 致初学者:PHP比ASP优秀的七个理由(4)
- PHP会被淘汰吗?(4)
- PHP新手上路(四)(4)
- 如何去学习PHP?(2)
- 简单入门级php分页代码(2)
- php中邮箱email 电话等格式的验证(2)