要成为PCI合规性,我使用nmap扫描SSL漏洞:
nmap -p 8443 --script ssl-enum-ciphers myJettyServer.com
> 8443 / tcp open https-alt
| SSL-枚举密码:
| TLSv1.0:
|的 密码:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA(dh 768) - C
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA(dh 768) - B
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(secp160k1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(secp160k1) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA(rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA(rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA(rsa 2048) - A
|压缩机:
| NULL
|密码偏好:客户
|的 警告:
| 64位分组密码3DES容易受到SWEET32攻击
|密钥交换(dh 768)强度低于证书密钥
|密钥交换(secp160k1)强度低于证书密钥
| TLSv1.1:
|的 密码:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA(dh 768) - C
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA(dh 768) - B
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(secp160k1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(secp160k1) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA(rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA(rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA(rsa 2048) - A
|压缩机:
| NULL
|密码偏好:客户
|的 警告:
| 64位分组密码3DES容易受到SWEET32攻击
|密钥交换(dh 768)强度低于证书密钥
|密钥交换(secp160k1)强度低于证书密钥
| TLSv1.2工作:
|的 密码:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA(dh 768) - C
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(dh 768) - C
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA(dh 768) - B
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(dh 768) - B
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(secp160k1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(secp160k1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(secp160k1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(secp160k1) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA(rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA(rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256(rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA(rsa 2048) - A. | TLS_RSA_WITH_AES_256_CBC_SHA256(rsa 2048) - A
|压缩机:
| NULL
|密码偏好:客户
|的 警告:
| 64位分组密码3DES容易受到SWEET32攻击
|密钥交换(dh 768)强度低于证书密钥
|密钥交换(secp160k1)强度低于证书密钥
| _最小强度:C
我发现我的嵌入式Jetty 9.1.5服务器上存在SWEET32。要解决此问题,我将这些行添加到jetty.xml:
<Set name="ExcludeProtocols">
<Array type="java.lang.String">
<Item>SSLv3</Item>
</Array>
</Set>
<Set name="ExcludeCipherSuites">
<Array type="java.lang.String">
<!-- default -->
<Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
<Item>SSL_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
<Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
<Item>SSL_DHE_DSS_WITH_RC4_128_SHA</Item>
<Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>SSL_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
<Item>SSL_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
<Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
<Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
<Item>SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA</Item>
<Item>SSL_RSA_FIPS_WITH_DES_EDE_CBC_SHA</Item>
<Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
<!--3DES-->
<Item>TLS_RSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA</Item>
<Item>TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>TLS_DH_anon_WITH_3DES_EDE_CBC_SHA</Item>
<Item>TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
<Item>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
<!-- RC4 -->
<Item>PCT_SSL_CIPHER_TYPE_1ST_HALF</Item>
<Item>SSL_DH_anon_EXPORT_WITH_RC4_40_MD5</Item>
<Item>SSL_DH_anon_WITH_RC4_128_MD5</Item>
<Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
<Item>SSL_RSA_WITH_RC4_128_MD5</Item>
<Item>SSL_RSA_WITH_RC4_128_SHA</Item>
<Item>SSL2_RC4_128_EXPORT40_WITH_MD5</Item>
<Item>SSL2_RC4_128_WITH_MD5</Item>
<Item>SSL2_RC4_64_WITH_MD5</Item>
<Item>TLS_DH_Anon_EXPORT_WITH_RC4_40_MD5</Item>
<Item>TLS_DH_Anon_WITH_RC4_128_MD5</Item>
<Item>TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA</Item>
<Item>TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA256</Item>
<Item>TLS_DHE_DSS_WITH_RC4_128_SHA</Item>
<Item>TLS_DHE_DSS_WITH_RC4_128_SHA256</Item>
<Item>TLS_DHE_PSK_WITH_RC4_128_SHA</Item>
<Item>TLS_DHE_PSK_WITH_RC4_128_SHA256</Item>
<Item>TLS_ECDH_Anon_WITH_RC4_128_SHA</Item>
<Item>TLS_ECDH_Anon_WITH_RC4_128_SHA256</Item>
<Item>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</Item>
<Item>TLS_ECDH_ECDSA_WITH_RC4_128_SHA256</Item>
<Item>TLS_ECDH_RSA_WITH_RC4_128_SHA</Item>
<Item>TLS_ECDH_RSA_WITH_RC4_128_SHA256</Item>
<Item>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</Item>
<Item>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA256</Item>
<Item>TLS_ECDHE_PSK_WITH_RC4_128_SHA</Item>
<Item>TLS_ECDHE_PSK_WITH_RC4_128_SHA256</Item>
<Item>TLS_ECDHE_RSA_WITH_RC4_128_SHA</Item>
<Item>TLS_ECDHE_RSA_WITH_RC4_128_SHA256</Item>
<Item>TLS_KRB5_EXPORT_WITH_RC4_40_MD5</Item>
<Item>TLS_KRB5_EXPORT_WITH_RC4_40_SHA</Item>
<Item>TLS_KRB5_EXPORT_WITH_RC4_40_SHA256</Item>
<Item>TLS_KRB5_WITH_RC4_128_MD5</Item>
<Item>TLS_KRB5_WITH_RC4_128_SHA</Item>
<Item>TLS_KRB5_WITH_RC4_128_SHA256</Item>
<Item>TLS_PSK_WITH_RC4_128_SHA</Item>
<Item>TLS_PSK_WITH_RC4_128_SHA256</Item>
<Item>TLS_RSA_EXPORT_WITH_RC4_40_MD5</Item>
<Item>TLS_RSA_EXPORT1024_WITH_RC4_56_MD5</Item>
<Item>TLS_RSA_EXPORT1024_WITH_RC4_56_SHA</Item>
<Item>TLS_RSA_EXPORT1024_WITH_RC4_56_SHA256</Item>
<Item>TLS_RSA_PSK_WITH_RC4_128_SHA</Item>
<Item>TLS_RSA_PSK_WITH_RC4_128_SHA256</Item>
<Item>TLS_RSA_WITH_RC4_128_MD5</Item>
<Item>TLS_RSA_WITH_RC4_128_SHA</Item>
<Item>TLS_RSA_WITH_RC4_128_SHA256</Item>
</Array>
</Set>
除了这一个TLS_RSA_WITH_3DES_EDE_CBC_SHA之外,所有其他3DES密码都消失了。太奇怪了!
如何摆脱这种密码? 提前谢谢。
答案 0 :(得分:1)
使用Jetty的最新稳定版本,您可以要求服务器转储并查看启用/禁用密码列表,以及(最重要的是!) 它们被禁用。
示例:
$ cd /path/to/my/jettybase
$ java -jar /path/to/jetty-dist/start.jar jetty.server.dumpAfterStart=true
| += SslConnectionFactory@cc285f4{SSL->http/1.1} - STARTED
| | += SslContextFactory@77659b30(file:///path/to/my/jettybase/etc/keystore,file:///path/to/my/jettybase/etc/keystore) trustAll=false
| | +- Protocol Selections
| | | +- Enabled (size=3)
| | | | +- TLSv1
| | | | +- TLSv1.1
| | | | +- TLSv1.2
| | | +- Disabled (size=2)
| | | +- SSLv2Hello - ConfigExcluded:'SSLv2Hello'
| | | +- SSLv3 - JreDisabled:java.security, ConfigExcluded:'SSLv3'
| | +- Cipher Suite Selections
| | +- Enabled (size=29)
| | | +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
| | | +- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
| | | +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
| | | +- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
| | | +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
| | | +- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
| | | +- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
| | | +- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
| | | +- TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
| | | +- TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
| | | +- TLS_RSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_RSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_RSA_WITH_AES_256_CBC_SHA256
| | | +- TLS_RSA_WITH_AES_256_GCM_SHA384
| | +- Disabled (size=53)
| | +- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_DSS_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DHE_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_DH_anon_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_WITH_NULL_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- SSL_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DH_anon_WITH_AES_128_CBC_SHA256 - JreDisabled:java.security
| | +- TLS_DH_anon_WITH_AES_128_GCM_SHA256 - JreDisabled:java.security
| | +- TLS_DH_anon_WITH_AES_256_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_DH_anon_WITH_AES_256_CBC_SHA256 - JreDisabled:java.security
| | +- TLS_DH_anon_WITH_AES_256_GCM_SHA384 - JreDisabled:java.security
| | +- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDHE_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_anon_WITH_AES_256_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_ECDH_anon_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_WITH_3DES_EDE_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_WITH_DES_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_KRB5_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
| | +- TLS_RSA_WITH_NULL_SHA256 - JreDisabled:java.security
您很快就会看到您在Jetty配置中默认禁用了您专门呼叫的密码,而正在运行的JRE则禁用了其他密码。
至于配置密码列表,您可以配置SslContextFactory以获得所需的排除。有很多方法可以配置它,最好是从官方文档中选择最适合您需求的技术...