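Apache SSLInsecureRenegotiation directive has no effect

Time: 2014-01-23 14:12:34

Tags: apache ssl openssl mod-ssl

I am testing the SSL insecure renegotiation vulnerability using Apache and OpenSSL.

When Apache 2.2.14 is compiled against OpenSSL 0.9.8k, the openssl command can establish a client-initiated insecure SSL renegotiation with Apache, as shown below: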

# /usr/local/openssl-0.9.8k/bin/openssl s_client -connect debian:443
[...]
HEAD / HTTP/1.0
R
RENEGOTIATING
depth=0 /C=UA/ST=Some-State/O=Alice Cruel Ltd/CN=strawberry.xxx
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=UA/ST=Some-State/O=Alice Cruel Ltd/CN=strawberry.xxx
verify return:1

HTTP/1.1 200 OK
Date: Thu, 23 Jan 2014 13:54:33 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8k
Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT
ETag: "1b006b0-2c-3e9564c23b600"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

closed
# 

However, with Apache 2.2.15 compiled against OpenSSL 0.9.8m, client-initiated SSL renegotiation fails even after adding "SSLInsecureRenegotiation on" to ssl.conf:

# /usr/local/openssl-0.9.8k/bin/openssl s_client -connect debian:443
CONNECTED(00000003)
[...]
HEAD / HTTP/1.0
R
RENEGOTIATING
4790:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
#

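The latter result seems unexpected. Does the SSLInsecureRenegotiation directive not work? I would like to know how to make the directive take effect.

Thanks in advance.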

0 answers:

No answers