Limit OpenSSL server cipher options


Problem description

In our current environment, security runs scans looking for vulnerabilities. One issue keeps coming up with OpenSSL (current release): 4-5 ciphers are below the 128kb encryption level and flag the scanners.

Knowing that the client must specify the options, there are cases where it would be good to limit the server from accepting a selection of the low ciphers. If this can be done, then it would not matter what the client requests. Would it make sense to have a configuration option on what to accept?

In my specific case we are trialing a beta software for file transfer; it pulls the openSSL ciphers into its client. There is currently no option to restrict this.

I also have a similar question out to the beta software developer.

Recommended answer

You can use SSL_CTX_set_cipher_list() to limit the list of ciphers.

#include <cstdlib>
#include <iostream>
#include <openssl/ssl.h>

// List of allowed ciphers in a colon-separated list. Example limits ciphers to AES-256 only
const char *allowedCiphers = "AES256-SHA256:AES256-GCM-SHA384:DHE-RSA-AES256-SHA256";

// SSL_CTX_set_cipher_list() operates on the context (SSL_CTX), not on an individual SSL connection
bool SetCiphers(SSL_CTX *sslContext, const char *ciphers);

int main()
{
   // Create a server ssl context here etc.
   // TLS_server_method() needs OpenSSL 1.1.0 or later; older releases use SSLv23_server_method()
   SSL_CTX *ctx = SSL_CTX_new(TLS_server_method());
   if (ctx == nullptr)
      return EXIT_FAILURE;

   // Set the allowed ciphers before any SSL objects are created from this context
   if (!SetCiphers(ctx, allowedCiphers))
   {
      SSL_CTX_free(ctx);
      exit(-1);
   }

   // Process...
   SSL_CTX_free(ctx);
   return 0;
}

bool SetCiphers(SSL_CTX *sslContext, const char *ciphers)
{
   // Returns 1 if at least one cipher from the list could be selected, 0 otherwise
   if (SSL_CTX_set_cipher_list(sslContext, ciphers) != 1)
   {
      std::cerr << "[SSL_CTX_set_cipher_list] failed; could not find a suitable cipher in the provided list of ciphers \""
         << ciphers << "\"." << std::endl;
      return false;
   }
   return true;
}

Run openssl ciphers -v in a shell for a list of supported ciphers on your system.
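The scanner finding in the question is about symmetric key length, and the `Enc=` column of `openssl ciphers -v` reports exactly that (for example `Enc=AESGCM(128)`). The shell function below is an added example, not code from the original answer: it parses that output format and lists every suite whose key length is below a threshold, so an operator can confirm what a cipher string such as the one above leaves enabled. The function name `weak_ciphers` is my own, and the sample lines are constructed in the `openssl ciphers -v` layout rather than captured from any real system; in practice feed it `openssl ciphers -v 'YOUR-CIPHER-STRING'`. Note that on OpenSSL 1.1.1 and later the TLS 1.3 suites are governed by SSL_CTX_set_ciphersuites() and are not affected by SSL_CTX_set_cipher_list(), so both lists need checking.

```shell
# weak_ciphers [MIN_BITS]
# Reads `openssl ciphers -v` output on stdin and prints "NAME BITS" for every
# suite whose symmetric key length is below MIN_BITS (default 128).
# A suite with Enc=None (no encryption) is reported with 0 bits.
weak_ciphers() {
  min_bits="${1:-128}"
  awk -v min="$min_bits" '
    {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^Enc=/) {
          # Enc=AESGCM(128) -> 128 ; Enc=None -> 0
          bits = 0
          if (match($i, /\([0-9]+\)/)) {
            bits = substr($i, RSTART + 1, RLENGTH - 2) + 0
          }
          if (bits < min) print $1, bits
        }
      }
    }'
}

# Constructed sample in the `openssl ciphers -v` layout (not real output from any system).
SAMPLE='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
NULL-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=None Mac=SHA256'

# count_weak [MIN_BITS]: number of sample suites below the threshold
count_weak() {
  printf '%s\n' "$SAMPLE" | weak_ciphers "${1:-128}" | wc -l | tr -d ' '
}

# weak_names [MIN_BITS]: comma-separated names of the flagged sample suites
weak_names() {
  printf '%s\n' "$SAMPLE" | weak_ciphers "${1:-128}" | awk '{print $1}' | paste -sd, -
}

# Self-check against the constructed sample: prints the suites a scanner would flag.
printf '%s\n' "$SAMPLE" | weak_ciphers 128
```

Run against a real cipher string, an empty result is what you want to see: `openssl ciphers -v 'AES256-SHA256:AES256-GCM-SHA384:DHE-RSA-AES256-SHA256' | weak_ciphers 128`.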

