How do I disable SSL fallback and use only TLS for outbound connections in .NET? (Poodle mitigation)


Question


I am trying to mitigate our vulnerability to the Poodle SSL 3.0 Fallback attack. Our admins have already started disabling SSL in favor of TLS for inbound connections to our servers. And we have also advised our team to disable SSL in their web browsers. I'm now looking at our .NET codebase, which initiates HTTPS connections with various services through System.Net.HttpWebRequest. I believe that these connections could be vulnerable to a MITM attack if they allow fallback from TLS to SSL. Here is what I have determined so far. Could someone please double-check this to verify that I am right? This vulnerability is brand new, so I have yet to see any guidance from Microsoft on how to mitigate it in .NET:


  1. The allowed protocols for the System.Net.Security.SslStream class, which underpins secure communication in .NET, are set globally for each AppDomain via the System.Net.ServicePointManager.SecurityProtocol property.


The default value of this property in .NET 4.5 is Ssl3 | Tls (although I can't find documentation to back that up.) SecurityProtocolType is an enum with the Flags attribute, so it's a bitwise OR of those two values. You can check this in your environment with this line of code:

Console.WriteLine(System.Net.ServicePointManager.SecurityProtocol.ToString());


This should be changed to just Tls, or perhaps Tls12, before you initiate any connections in your app:

System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls;


Important: Since the property supports multiple bitwise flags, I assume that the SslStream will not automatically fallback to other unspecified protocols during handshake. Otherwise, what would be the point of supporting multiple flags?


Update on TLS 1.0 vs 1.1/1.2:


According to Google security expert Adam Langley, TLS 1.0 was later found to be vulnerable to POODLE if not implemented correctly, so you should consider moving to TLS 1.2 exclusively.

Accepted answer


We are doing the same thing. To support all TLS and no SSL protocols, you can do this:

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;


SecurityProtocolType.Tls is only TLS 1.0, not all TLS versions.


As an aside: If you want to check that your site does not allow SSL connections, you can do so here (I don't think this will be affected by the above setting, we had to edit the registry to force IIS to use TLS for incoming connections): https://www.ssllabs.com/ssltest/index.html


To disable SSL 2.0 and 3.0 in IIS, see this page: https://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html
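The answer above sets the flags but does not show how to confirm the setting took effect, or what happens to an outbound request afterwards. The following is an added example, not code from the question or the answer; it assumes .NET Framework 4.5, where SecurityProtocolType has the Ssl3, Tls, Tls11 and Tls12 members, and the URL is a placeholder you replace with one of your own services.

```csharp
using System;
using System.Net;

// Added example: a small start-up guard that applies the TLS-only policy from the
// answer and lets you verify it, rather than assuming the default is safe.
static class OutboundTlsPolicy
{
    // TLS 1.0, 1.1 and 1.2 only; SecurityProtocolType.Ssl3 is deliberately absent.
    // (Drop Tls if you follow Adam Langley's advice and want 1.2 only.)
    const SecurityProtocolType Allowed =
        SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

    // True if a setting still permits an SSL 3.0 handshake (the POODLE exposure).
    public static bool AllowsSsl3(SecurityProtocolType setting)
    {
        return (setting & SecurityProtocolType.Ssl3) != 0;
    }

    // Call once, before the first HttpWebRequest is created in the AppDomain.
    public static void Apply()
    {
        Console.WriteLine("Before: " + ServicePointManager.SecurityProtocol);
        ServicePointManager.SecurityProtocol = Allowed;
        Console.WriteLine("After:  " + ServicePointManager.SecurityProtocol);
    }

    // Call from a health check or test: the value is process-wide and any library
    // loaded later can overwrite it, so re-check it rather than trusting Apply().
    public static void Verify()
    {
        if (AllowsSsl3(ServicePointManager.SecurityProtocol))
            throw new InvalidOperationException(
                "SSL 3.0 is enabled for outbound connections; expected TLS only.");
    }

    static void Main()
    {
        Apply();
        Verify();

        // Placeholder endpoint (assumption, not from the page). With the policy in
        // place, a peer that only offers SSL 3.0 cannot be negotiated; the request
        // fails with a WebException instead of silently falling back.
        var request = (HttpWebRequest)WebRequest.Create("https://example.invalid/");
        try
        {
            using (var response = (HttpWebResponse)request.GetResponse())
                Console.WriteLine("Connected: HTTP " + (int)response.StatusCode);
        }
        catch (WebException ex)
        {
            Console.WriteLine("Request failed (no TLS in common or other error): " + ex.Message);
        }
    }
}
```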
