POODLE vulnerability, JBoss and IE


Problem description

So, I have JBoss 5.1.0 GA, and I read about how I need to disable SSLv3 here:

https://access.redhat.com/solutions/1232233

What was not mentioned here was that I also need to get rid of all ciphers that support falling back to SSLv3. When I did that, I got a "green checkmark" on this website

https://www.tinfoilsecurity.com/poodle

which is basically a confirmation that I've secured my server and SSLv3 is not supported anymore, but now I cannot access my website using IE (all versions of IE). Since I only had 4 ciphers in my cipher list in the server.xml configuration, I aimed to find more ciphers to add in this list, to get IE to work. I added more than 50 ciphers, but IE still won't load my website. Here's a list of all the ciphers that I used so far (I got the list from here: https://www.openssl.org/docs/apps/ciphers.html):

TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA, TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA, TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA, TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, TLS_DH_DSS_WITH_SEED_CBC_SHA, TLS_DH_RSA_WITH_SEED_CBC_SHA, TLS_DHE_DSS_WITH_SEED_CBC_SHA, TLS_DHE_RSA_WITH_SEED_CBC_SHA, TLS_RSA_WITH_NULL_MD5, TLS_RSA_WITH_NULL_SHA, TLS_RSA_EXPORT_WITH_RC4_40_MD5, TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, TLS_RSA_WITH_IDEA_CBC_SHA, TLS_RSA_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_DES_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_DH_DSS_WITH_DES_CBC_SHA, TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA, TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA, TLS_DH_RSA_WITH_DES_CBC_SHA, TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_DHE_DSS_WITH_DES_CBC_SHA, TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, TLS_DHE_RSA_WITH_DES_CBC_SHA, TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DH_DSS_WITH_AES_128_CBC_SHA, TLS_DH_DSS_WITH_AES_256_CBC_SHA, TLS_DH_RSA_WITH_AES_128_CBC_SHA, TLS_DH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_RC4_128_SHA

None of these ciphers work with IE, meaning that when I approach my server with IE, I get "This page can’t be displayed".

Can someone help me with this? Is there a cipher that I can use which will not open SSLv3 on my server, and will also work with IE?

UPDATE: If I implement the solution suggested by RedHat (which is, changing the sslProtocols to "TLSv1,TLSv1.1,TLSv1.2"):


  1. I get an error when starting JBoss saying "TLSv1,TLSv1.1,TLSv1.2 SSLContext not available". This means that this string is invalid, and I MUST use only one of these protocols. Ok well, I'll go with the most secure one: "TLS1.2"
  2. The other problem is that in the RedHat solution, nothing is mentioned on ciphers. I was under the impression that "ciphers" element is not needed anymore, so I removed it from the server.xml, changed the sslProtocols value to "TLSv1.2" and scanned my server. IT IS STILL VULNERABLE!
  3. I tried setting TLSv1.1 and TLSv1. It does not work. It seems that the sslProtocols element does not have ANY effect on which protocols the server is using, meaning that only the ciphers element has some value.
  4. Well, OK then, I said... I'll find some TLSv1.2 specific ciphers, and I'll add it there, thus tightly securing my server. I added ALL the TLSv1.2 ciphers from the list specified in the https://www.openssl.org/docs/apps/ciphers.html link. Scanned my server, got a "green checkmark", everything OK and secured... Tried to approach my server through any browser... "The page cannot be opened".
     Chrome: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
     Firefox: ssl_error_no_cypher_overlap
     IE: Page cannot be opened (not having the courtesy to inform me why)
     What the hell?! What should I do now?
  5. Ok, I'll start adding the ciphers from the bottom up from the https://www.openssl.org/docs/apps/ciphers.html list, SKIPPING the SSLv3 ones. I got to this (really short) list:
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, (IE works only with this cipher)
     TLS_DHE_RSA_WITH_AES_128_CBC_SHA, (FF, Chrome and Safari work with this cipher)
     TLS_DHE_RSA_WITH_AES_256_CBC_SHA, (FF, Chrome and Safari work with this cipher)
     All browsers work, things look OK.
     https://www.tinfoilsecurity.com/poodle -> Green checkmark, everything good!
     Let's try some more online scanners, just to be safe...
     https://www.expeditedssl.com/poodle -> Not vulnerable. GREAT!
     https://www.poodlescan.com/ -> VULNERABLE! F**K!
  6. Ultimate scan: ssllabs.com ... VULNERABLE!

I'm losing my mind here... please help!

UPDATE2: After 2 lost days trying to figure out what the problem is... The suggested fix from RedHat contained the element sslProtocol***s*** as opposed to the sslProtocol (note there's no 's' at the end), which I was using, and which is described in the official JbossWeb documentation http://docs.jboss.org/jbossweb/2.1.x/config/http.html

I just added sslProtocols = "TLSv1,TLSv1.1,TLSv1.2" and removed the "ciphers" element, everything works as expected.

Recommended answer

After 2 lost days trying to figure out what the problem is...

The suggested fix from RedHat contained the element sslProtocols as opposed to the sslProtocol (note there's no 's' at the end), which I was using, and which is described in the official JbossWeb documentation http://docs.jboss.org/jbossweb/2.1.x/config/http.html

I just added

sslProtocols = "TLSv1,TLSv1.1,TLSv1.2"

and removed the "ciphers" element, now everything works as expected.
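
A configuration check for the attribute mix-up described in this answer, as an added example (not part of the original post and not JBoss code): it parses a server.xml and flags HTTPS connectors where the protocol list sits in sslProtocol instead of sslProtocols, and where the ciphers attribute contains NULL, EXPORT, RC4, RC2 or single-DES suites like those in the question's list. The sample XML, the port numbers and the function name audit_connectors are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: three HTTPS connectors in the style of a JBoss Web server.xml.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="jboss.web">
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLSv1,TLSv1.1,TLSv1.2"/>
    <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS"
               ciphers="TLS_RSA_WITH_NULL_SHA, TLS_RSA_EXPORT_WITH_RC4_40_MD5, TLS_DHE_RSA_WITH_AES_128_CBC_SHA"/>
    <Connector port="8445" SSLEnabled="true" scheme="https" secure="true"
               sslProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
  </Service>
</Server>
"""

# Suites with no encryption, export-grade keys, RC4/RC2, or single DES (3DES is not matched).
WEAK = re.compile(r"_(NULL|EXPORT|RC4|RC2|DES)_")


def audit_connectors(xml_text):
    """Return {port: [findings]} for every SSL-enabled Connector (hypothetical helper)."""
    findings = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        issues = []
        # A comma-separated list here is what produced "SSLContext not available".
        ctx = conn.get("sslProtocol")
        if ctx and "," in ctx:
            issues.append("sslProtocol holds a list; the list belongs in sslProtocols")
        enabled = [p.strip() for p in conn.get("sslProtocols", "").split(",") if p.strip()]
        if not enabled:
            issues.append("sslProtocols not set; enabled protocols are left to defaults")
        elif any(p.upper().startswith("SSL") for p in enabled):
            issues.append("sslProtocols still enables an SSL-era protocol")
        weak = [c.strip() for c in conn.get("ciphers", "").split(",") if WEAK.search(c)]
        if weak:
            issues.append("weak cipher suites: " + ", ".join(weak))
        findings[conn.get("port")] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, issues or "ok")
```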
