SslStream，BEAST和TLS 1.1 [英] SslStream, BEAST and TLS 1.1

问题描述

使用 BEAST （利用了漏洞SSL / TLS 1.0，其中有效负载的初始字节总是相同）我朝 SslStream 类，看它是否支持TLS 1.1，TLS 1.2，等它只是的支持（ SslProtocol ） SSL的2和3（其中两个preDATE TLS）和TLS 1.0

With the recent advent of BEAST (exploits a vulnerability in SSL/TLS1.0 where the initial bytes of the payload are always the same) I looked into the SslStream class to see if it supported TLS 1.1, TLS 1.2, etc. It only supports (SslProtocol) SSL 2 and 3 (which both predate TLS) and TLS 1.0.

由于 SslProtocol 只通告支持TLS 1.0及以下，是它在所有可能使用 SslStream 的TLS 1.1和超越？

Given that SslProtocol only advertises support for TLS 1.0 and below, is it at all possible to use SslStream for TLS 1.1 and beyond?

推荐答案

AFAIK是有限的/没有在客户端支持TLS 1.1+，等于是没有服务器打扰支持它，因为TLS 1.0已经足够好为止。围绕这一工作的务实方式利用，直到支持更好的协议是preFER非CBC加密套件，如RC4，无论是在客户端或服务器。见的http://www.phonefactor.com/blog/slaying-beast-mitigating-the-latest-ssltls-vulnerability.php有关服务器端。不知道如何preFER一定暗号的客户端。

AFAIK there is limited/no support for TLS 1.1+ in clients, so therefore no servers bothered supporting it because TLS 1.0 has been "good enough" so far. The pragmatic way of working around this exploit until better protocols are supported is to prefer a non-CBC cypher suite such as RC4, either on the client or the server. See http://www.phonefactor.com/blog/slaying-beast-mitigating-the-latest-ssltls-vulnerability.php about the server side. Not sure how to prefer a certain cypher on client side.

此外由于BEAST攻击已经presented，微软已经发布了一个安全公告还建议在服务器端作为一种解决方法的优先次序RC4：的 https://technet.microsoft.com/en-us/security/advisory/2588513

Additionally since the BEAST exploit has been presented, Microsoft has released a security advisory which also recommends prioritising RC4 on the server side as a workaround: https://technet.microsoft.com/en-us/security/advisory/2588513

微软还建议正确的修复，这是在客户端和服务器端启用TLS 1.1+。然而，由于大多数客户将继续仅支持TLS 1.0，并恢复使用默认开采CBC密码套件作为工作重点，重要的是把RC4的密码套件的优先级列表的顶部。

Microsoft also advises the correct fix, which is enabling TLS 1.1+ on the client and server sides. However since most clients will continue to only support TLS 1.0, and revert back to using the default exploitable CBC cipher suites as a priority, it's important to put RC4 at the top of the cipher suite priority list.

这篇关于SslStream，BEAST和TLS 1.1的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！