yujin2010good
作者yujin2010good2018-11-14 15:47
系统工程师, 大型零售巨头

The POODLE attack (SSLv3 supported) 漏洞修复

字数 1290阅读 921评论 0赞 2

ssl是haproxy配置,上线后扫描发现以下漏洞

Vulnerability description
Websites that support SSLv3 and CBC-mode ciphers are potentially vulnerable to an active MITM (Man-in-the-middle) attack. This attack, called POODLE, is similar to the BEAST attack and also allows a network attacker to extract the plaintext of targeted parts of an SSL connection, usually cookie data. Unlike the BEAST attack, it doesn't require such extensive control of the format of the plaintext and thus is more practical.

Any website that supports SSLv3 is vulnerable to POODLE, even if it also supports more recent versions of TLS. SSLv3 is disabled by default in Firefox 34, which was released on Nov 25 2014. Affected items
Server
The impact of this vulnerability
An attacker may be able to exploit this problem to conduct man-in-the-middle attacks and decrypt communications between the affected service and clients.

How to fix this vulnerability
It's recommended to disable SSLv3 and replace it with TLSv1.0 as soon as compatibility with legacy clients is no longer required. (The only browser that does not support TLSv1.0 is Internet Explorer 6).

To disable SSLv2 and SSLv3:
For Apache:
SSLProtocol all -SSLv2 -SSLv3
For Nginx:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 

修复:

在haproxy全局加入

ssl-default-bind-options no-sslv3

重启haproxy,重新扫描即可。

如果觉得我的文章对您有用,请点赞。您的支持将鼓励我继续创作!

2

添加新评论0 条评论

Ctrl+Enter 发表

关于TWT  使用指南  社区专家合作  厂商入驻社区  企业招聘  投诉建议  版权与免责声明  联系我们
© 2019  talkwithtrend — talk with trend,talk with technologist 京ICP备09031017号-30