How do I disable a particular cipher suite in openssl?
Problem description
I want to secure my server from FREAK attack so I want to disable all the cipher suites that use export grade RSA key from Openssl. Is there a way to disable a particular cipher suite in openssl? If yes, how do I do it?
Recommended answer
Is there a way to disable a particular cipher suite in openssl? If yes, how do I do it?
To answer the direct question of disabling a particular cipher suite, do so by removing it from the cipher suite list passed to SSL_CTX_set_cipher_list or SSL_set_cipher_list:
int rc = SSL_CTX_set_cipher_list(ctx, "ALL:!NULL-MD5:!NULL-SHA");
assert(0 != rc);
You can do it on an SSL* with:
int rc = SSL_set_cipher_list(ssl, "ALL:!NULL-MD5:!NULL-SHA");
assert(0 != rc);
In the above, NULL-MD5 is SSL_RSA_WITH_NULL_MD5 and NULL-SHA is SSL_RSA_WITH_NULL_SHA. You can get the list of mappings from the openssl ciphers command.
You can also disable export ciphers with !EXP:
int rc = SSL_CTX_set_cipher_list(ctx, "ALL:!EXP");
assert(0 != rc);
And you can do it on an SSL* with:
int rc = SSL_set_cipher_list(ssl, "ALL:!EXP");
assert(0 != rc);
You can see what "ALL:!EXP" equates to with the OpenSSL command (note the single quote so the shell does not get a hold of the bang):
$ openssl ciphers 'ALL:!EXP'
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:
ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:
SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DH-DSS-AES256-GCM-SHA384...
You can count the number of cipher suites with:
$ openssl ciphers 'ALL:!EXP' | tr ':' ' ' | wc -w
124
That tells you your ClientHello will use at least 248 bytes due to the 124 cipher suites. Ideally, you should advertise the 16 or so suites you really want.
You usually configure your cipher suites using "HIGH" only. It excludes "MEDIUM", "LOW" and "EXP". Here's how my call sometimes looks:
int rc = SSL_CTX_set_cipher_list(ctx, "HIGH:!ADH:!MD5:!RC4:!SRP:!PSK:!DSS");
assert(0 != rc);
Be sure to exclude the anonymous gear (!ADH) because it's included by default. !MD5 and !RC4 are used because they are weak/wounded. !SRP, !PSK, and !DSS are used to trim the list of ciphers further because they are not usually used.
You can also do the same with an SSL* and SSL_set_cipher_list.
If you call SSL_CTX_set_cipher_list and SSL_set_cipher_list on a server, the cipher suite list will be trimmed further depending on the type of key in the certificate.
In the previous block, I said ... how my call sometimes looks. Usually, I like to specify the 16 or so I want to use with:
#include <string>

using std::string;

// Returns the explicit, colon-separated cipher suite list to pass to
// SSL_CTX_set_cipher_list or SSL_set_cipher_list.
// Define ALLOW_ECDSA and/or ALLOW_DSA to include suites for those key types.
string GetCipherSuites()
{
    static string ciphers = ""
#if defined(ALLOW_ECDSA)
        "ECDHE-ECDSA-AES256-GCM-SHA384:"
        "ECDHE-ECDSA-AES128-GCM-SHA256:"
#endif
        "ECDHE-RSA-AES256-GCM-SHA384:"
        "ECDHE-RSA-AES128-GCM-SHA256:"
#if defined(ALLOW_DSA)
        "DHE-DSS-AES256-GCM-SHA384:"
#endif
        "DHE-RSA-AES256-GCM-SHA384:"
#if defined(ALLOW_DSA)
        "DHE-DSS-AES128-GCM-SHA256:"
#endif
        "DHE-RSA-AES128-GCM-SHA256:"
#if defined(ALLOW_DSA)
        "DHE-DSS-AES256-SHA:"
#endif
        "DHE-RSA-AES256-SHA:"
#if defined(ALLOW_DSA)
        "DHE-DSS-AES128-SHA:"
#endif
        "DHE-RSA-AES128-SHA:"
#if defined(ALLOW_DSA)
        "EDH-DSS-DES-CBC3-SHA:"
#endif
        "EDH-RSA-DES-CBC3-SHA:"
#if defined(ALLOW_DSA)
        "DH-DSS-DES-CBC3-SHA:"
#endif
        "DH-RSA-DES-CBC3-SHA:";
    return ciphers;
}
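To check what a cipher string from this answer actually enables, the following added example (not part of the original answer and not OpenSSL project code) applies it through Python's ssl module, which hands the string to OpenSSL's cipher-list parser, and flags export, NULL-encryption, anonymous, RC4 and MD5 suites. The names WEAK_MARKERS, classify and audit_cipher_string, and the third cipher string in the demo, are assumptions of this example.

```python
import re
import ssl

# Weakness markers in the per-suite description OpenSSL reports
# (the same columns that `openssl ciphers -v` prints).
WEAK_MARKERS = {
    "export": re.compile(r"\bexport\b|^EXP-"),
    "no-encryption": re.compile(r"\bEnc=None\b"),
    "anonymous": re.compile(r"\bAu=None\b"),
    "rc4": re.compile(r"\bEnc=RC4\("),
    "md5-mac": re.compile(r"\bMac=MD5\b"),
}


def classify(description):
    """Return the sorted weakness labels that apply to one description line."""
    return sorted(label for label, rx in WEAK_MARKERS.items()
                  if rx.search(description))


def audit_cipher_string(spec):
    """Apply `spec` to a server context and return {suite_name: [labels]}
    for every enabled suite that carries a weakness marker."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError as exc:
        # Raised when the string selects no usable suite at all.
        raise ValueError(f"cipher string selects nothing: {spec!r}") from exc
    findings = {}
    for suite in ctx.get_ciphers():
        labels = classify(suite.get("description", suite["name"]))
        if labels:
            findings[suite["name"]] = labels
    return findings


if __name__ == "__main__":
    # First two strings are from the answer; the third is an assumed stricter one.
    for spec in ("ALL:!EXP", "HIGH:!ADH:!MD5:!RC4:!SRP:!PSK:!DSS",
                 "HIGH:!aNULL:!eNULL:!EXP:!MD5:!RC4"):
        weak = audit_cipher_string(spec)
        print(f"{spec}: {len(weak)} weak suite(s)")
        for name, labels in sorted(weak.items()):
            print(f"  {name}: {', '.join(labels)}")
```

Results depend on the OpenSSL build Python is linked against; TLS 1.3 suites appear in the list regardless of the string because they are configured separately.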