Security

POODLE:在 FreeBSD-9.2 上使用 Apache24 的 SSLv3 漏洞 (CVE-2014-3566)

  • October 20, 2014

我正在使用FreeBSD 9.2-RELEASE-p5包裝apache24-2.4.10_2。根據CVE-2014-3566 (POODLE),我繼續並SSLProtocol -SSLv3在重啟 apache24 服務後禁用,但在執行檢查後,似乎 SSLv3 仍然啟用。

<IfModule ssl_module.c>
   SSLCipherSuite      HIGH:MEDIUM:!aNULL:!MD5
   SSLProtocol         -SSLv3
   SSLPassPhraseDialog builtin
   SSLSessionCache     "shmcb:/var/run/ssl_scache(512000)"
   SSLSessionCacheTimeout  300
</IfModule>

我執行的一項檢查是:

openssl s_client -connect <server>:<port> -ssl3

*** 更新 ***

我有輕微的配置錯誤,替換<IfModule ssl_module.c>為之後<IfModule ssl_module>,apache24 DID接受了我的SSLProtocol

[alexus@wcmisdlin02 ~]$ openssl s_client -connect j.alexus.org:443 -ssl3
CONNECTED(00000003)
139809335551816:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
139809335551816:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
   Protocol  : SSLv3
   Cipher    : 0000
   Session-ID: 
   Session-ID-ctx: 
   Master-Key: 
   Key-Arg   : None
   Krb5 Principal: None
   PSK identity: None
   PSK identity hint: None
   Start Time: 1413476188
   Timeout   : 7200 (sec)
   Verify return code: 0 (ok)
---
[alexus@wcmisdlin02 ~]$ 

根據 Mozilla,此配置應該有效:

<VirtualHost *:443>
   ...
   SSLProtocol all -SSLv2 -SSLv3
   ...
</VirtualHost>

我使用了這個配置並為我工作:

SSLProtocol TLSv1 TLSv1.1 TLSv1.2

您可以使用此工具掃描您的站點。

引用自:https://serverfault.com/questions/637565