openssl公钥密码过弱漏洞

漏洞描述

openssl协议使用的公钥太弱,导致被暴力猜解。

漏洞检测

使用:openssl s_client -connect 122.227.230.67:60008 —ssl3

其支持的版本探测:

-ssl2 - just use SSLv2

-ssl3 - just use SSLv3

-tls1_2 - just use TLSv1.2

-tls1_1 - just use TLSv1.1

-tls1 - just use TLSv1

-dtls1 - just use DTLSv1

检测原理:用openssl尝试去连接,如果返回

eer signing digest: SHA512

Server Temp Key: ECDH, P-256, 256 bits


SSL handshake has read 1413 bytes and written 458 bytes


New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

No ALPN negotiated

SSL-Session:

Protocol  : TLSv1.2

Cipher    : ECDHE-RSA-AES128-SHA

Session-ID: 58E72FA84E256939BC49FB68087AC9065E071C4BE557DBF99D40270E70D9F674

Session-ID-ctx:

Master-Key: EF828328DBDA5C9E5B187C483C1A526D1C052FBC16C6CBC8DB90544E0751FBD28F8A9D081101A6675A9DFC3AF33708BC

Key-Arg   : None

PSK identity: None

PSK identity hint: None

SRP username: None

Start Time: 1491546024

Timeout   : 300 \(sec\)

Verify return code: 18 \(self signed certificate\)

说明连接成功,里面包含一些信息,如果返回

140735260164176:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:

表示握手失败。

漏洞修复

升级openssl为最新版本,使用ssl3版本。

results matching ""

    No results matching ""