我们使用本机Apache Portable Runtime SSL连接器在Tomcat 6上运行Web应用程序以提供SSL连接。我们如何配置服务器以防止BEAST攻击?无法在Tomcat配置中配置建议的解决方案(1),因为它不允许设置SSLHonorCipherOrder参数(2)。
我们目前只使用设置SSLCipherSuite =“ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM”但使用SSL服务器测试的扫描显示服务器仍然容易受到BEAST攻击。我知道我们可以通过使用Apache代理面向Tomcat来解决这个问题,但是这种改变在短期内无法实现。我还可以修补Tomcat以添加支持,但是这会阻止自动更新Tomcat软件包,这违反了策略。
1:https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
答案 0 :(得分:2)
解决此问题的逻辑方法是让Tomcat实现一个CipherOrder指令,该指令正如BugZilla链接所示,似乎已经包含在Tomcat 7.0.30以后。我最感兴趣的是尝试这个,尝试后会反馈。 https://issues.apache.org/bugzilla/show_bug.cgi?id=53481
答案 1 :(得分:1)
我从未发布过我的解决方案。这有点像黑客,但你不需要修补/重新编译JSSE或Tomcat。
创建以下类:
/*
SSLSettingHelper prevents BEAST SSL attack by setting the appropriate option.
Due to protected variable must be in org.apache.tomcat.util.net package...
Instruction:
1) Compile and place JAR in tomcat /lib
2) Add protocol="org.apache.tomcat.util.net.SSLSettingHelper" to SSL APR connector
*/
package org.apache.tomcat.util.net;
public class SSLSettingHelper extends org.apache.coyote.http11.Http11AprProtocol {
@Override
public void init() throws Exception {
super.init();
org.apache.tomcat.jni.SSLContext.setOptions(endpoint.sslContext, org.apache.tomcat.jni.SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
log.info("SSLSettingHelper set SSL_OP_CIPHER_SERVER_PREFERENCE to prevent BEAST SSL attack");
}
}
然后将连接器配置为使用此帮助程序类:
<Connector server="Server" protocol="org.apache.tomcat.util.net.SSLSettingHelper" port="8443" maxThreads="256" scheme="https" secure="true" SSLEnabled="true" SSLCertificateFile="..." SSLCertificateKeyFile="..." SSLCertificateChainFile="..." SSLCipherSuite="ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM" compression="on" compressableMimeType="text/html,text/xml,text/plain,application/json,text/css,text/javascript" maxPostSize="1024000"/>
这解决了BEAST攻击。
答案 2 :(得分:0)
我找到了一个在普通java中启用的解决方案,就像“SSLHonorCipherOrder”一样。 通过(bootclasspath)修补原始Sun JSSE的一些行来获取Server Server命令 工作
类:sun.security.ssl.ServerHandshaker
添加字段
public static boolean preferServerOrder = true;替换方法chooseCipherSuite:
private void chooseCipherSuite(final HandshakeMessage.ClientHello mesg) throws IOException {
if(preferServerOrder) {
final CipherSuiteList clientList = mesg.getCipherSuites();
for(final CipherSuite serverSuite : getActiveCipherSuites().collection()) {
if (this.doClientAuth == 2) {
if (serverSuite.keyExchange == CipherSuite.KeyExchange.K_DH_ANON) continue;
if (serverSuite.keyExchange == CipherSuite.KeyExchange.K_ECDH_ANON) continue;
}
if(!serverSuite.isNegotiable()) continue;
if(clientList.contains(serverSuite)) {
if (trySetCipherSuite(serverSuite)) return;
}
}
} else {
final Collection list = mesg.getCipherSuites().collection();
for(final CipherSuite suite : list) {
if (!(isNegotiable(suite))) continue;
if (this.doClientAuth == 2) {
if (suite.keyExchange == CipherSuite.KeyExchange.K_DH_ANON) continue;
if (suite.keyExchange == CipherSuite.KeyExchange.K_ECDH_ANON) continue;
}
if (trySetCipherSuite(suite)) return;
}
}
fatalSE(Alerts.alert_handshake_failure, "no cipher suites in common");
}