How to fix POODLE SSLv3 security vulnerability (CVE-2 0 1 4-3 5 6 6)-vulnerability warning-the black bar safety net

2014-10-16T00:00:00
ID MYHACK58:62201454686
Type myhack58
Reporter 佚名
Modified 2014-10-16T00:00:00

Description

POODLE = P adding O racle O n D owngraded L egacy E ncryption

First of all, this is a belated naming, but security is still terrible. The latest security vulnerability (CVE-2 0 1 4-3 5 6 6) code name is POODLE, which is an abbreviation for, in accordance with the above title to have actual meaning?

This vulnerability and before the B. E. A. S. T ( B rowser E xploit A ' gainst the very S SL T LS) is very similar, but there is still no reliable solution, except to completely disable SSLv3 support. Simply put, the attacker can get your encrypted stream of plaintext data.

Or let's look at how to deal with it, the Mozilla Security Wiki Serverside TLS recommends the use of a strict Protocol and encryption method restrictions, it is worth our attention.

Apache

In the Apache SSL configuration to disable SSLv3 and SSLv3 in:

SSLProtocol all-SSLv2-SSLv3

Nginx

In Nginx to allow only TLS protocols:

ssl_protocols TLSv1 TLSv1. 1 TLSv1. 2;

MySQL

It is worth noting that, unless you are in the MySQL 5.6 deploying sha256_password plug-in, plugin for MySQL 5.6 will be in the authentication handshake must be completed before SSL/TLS connection negotiation, so this attack vector only becomes an issue -- a valid login to access the data stream. the sha256_password](<http://dev.mysql.com/doc/mysql-security-excerpt/5.6/en/sha256-authentication-plugin.html>) provides an option to use SSL/TLS authentication

This makes things more interesting, and the Apache and Nginx different is that there is no way to completely enable and disable the SSL/TLS Protocol, but can be specify SSL communication encryption specification .

To in MySQL to remove SSLv3 support, you just need to determine the configuration does not use SSLv3 encryption.

In this bug, you can find the SSLv3 encryption method list:

openssl ciphers-v 'DEFAULT' | awk '/SSLv3 Kx=(RSA|DH|DH(5 1 2))/ { print $1 }' DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA DHE-RSA-CAMELLIA256-SHA DHE-DSS-CAMELLIA256-SHA AES256-SHA CAMELLIA256-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA DHE-RSA-SEED-SHA DHE-DSS-SEED-SHA DHE-RSA-CAMELLIA128-SHA DHE-DSS-CAMELLIA128-SHA AES128-SHA SEED-SHA CAMELLIA128-SHA RC4-SHA RC4-MD5 EDH-RSA-DES-CBC-SHA EDH-DSS-DES-CBC-SHA DES-CBC-SHA EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA EXP-DES-CBC-SHA EXP-RC2-CBC-MD5 EXP-RC4-MD5

[1] [2] next