beego禁用3DES和DES弱加密算法--SSL/TLS协议信息泄露漏洞(CVE-2016-2183)原理扫描
Posted xiangjai
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了beego禁用3DES和DES弱加密算法--SSL/TLS协议信息泄露漏洞(CVE-2016-2183)原理扫描相关的知识,希望对你有一定的参考价值。
目录
程序代码
用beego起的一个 https 服务,被扫描出了漏洞(SSL/TLS协议信息泄露漏洞(CVE-2016-2183)),需要禁用DES加密算法
参考源码,解决方法如下:
beego.Run()前添加
ciphers := []uint16
tls.TLS_AES_128_GCM_SHA256,
tls.TLS_CHACHA20_POLY1305_SHA256,
tls.TLS_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
beego.BeeApp.Server.TLSConfig = &tls.ConfigPreferServerCipherSuites: true
beego.BeeApp.Server.TLSConfig.CipherSuites = ciphersnmap重新扫描
需自行安装nmap
nmap -sV -p 扫描端口 --script ssl-enum-ciphers 扫描IP扫描后加密算法中已踢出DES
root@ip:~# nmap -sV -p 443 --script ssl-enum-ciphers ip
Starting Nmap 7.60 ( https://nmap.org ) at 2022-07-06 11:32 CST
Nmap scan report for ip
Host is up (0.000044s latency).
PORT STATE SERVICE VERSION
443/tcp open ssl/https beegoServer:2.0.0
| fingerprint-strings:
| FourOhFourRequest, GetRequest, HTTPOptions:
| HTTP/1.0 200 OK
| Access-Control-Allow-Credentials: true
| Access-Control-Allow-Headers: Access-Control-Allow-Origin,ContentType,Authorization,accept,accept-encoding, authorization, content-type, token
| Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS
| Access-Control-Allow-Origin: *
| Access-Control-Max-Age: 1728000
| Server: beegoServer:2.0.0
| Date: Wed, 06 Jul 2022 03:32:42 GMT
| Content-Length: 73
| Content-Type: text/plain; charset=utf-8
| "result":"SESSION_OUT","resultMsg":"token must not null","retData":null
| GenericLines:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
|_ Request
|_http-server-header: beegoServer:2.0.0
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port443-TCP:V=7.60%T=SSL%I=7%D=7/6%Time=62C5025A%P=x86_64-pc-linux-gnu%
SF:r(GetRequest,209,"HTTP/1\\.0\\x20200\\x20OK\\r\\nAccess-Control-Allow-Creden
SF:tials:\\x20true\\r\\nAccess-Control-Allow-Headers:\\x20Access-Control-Allow
SF:-Origin,ContentType,Authorization,accept,accept-encoding,\\x20authorizat
SF:ion,\\x20content-type,\\x20token\\r\\nAccess-Control-Allow-Methods:\\x20POST
SF:,\\x20GET,\\x20PUT,\\x20OPTIONS\\r\\nAccess-Control-Allow-Origin:\\x20\\*\\r\\nA
SF:ccess-Control-Max-Age:\\x201728000\\r\\nServer:\\x20beegoServer:2\\.0\\.0\\r\\n
SF:Date:\\x20Wed,\\x2006\\x20Jul\\x202022\\x2003:32:42\\x20GMT\\r\\nContent-Length
SF::\\x2073\\r\\nContent-Type:\\x20text/plain;\\x20charset=utf-8\\r\\n\\r\\n\\"resu
SF:lt\\":\\"SESSION_OUT\\",\\"resultMsg\\":\\"token\\x20must\\x20not\\x20null\\",\\"r
SF:etData\\":null")%r(HTTPOptions,209,"HTTP/1\\.0\\x20200\\x20OK\\r\\nAccess-Co
SF:ntrol-Allow-Credentials:\\x20true\\r\\nAccess-Control-Allow-Headers:\\x20Ac
SF:cess-Control-Allow-Origin,ContentType,Authorization,accept,accept-encod
SF:ing,\\x20authorization,\\x20content-type,\\x20token\\r\\nAccess-Control-Allo
SF:w-Methods:\\x20POST,\\x20GET,\\x20PUT,\\x20OPTIONS\\r\\nAccess-Control-Allow-
SF:Origin:\\x20\\*\\r\\nAccess-Control-Max-Age:\\x201728000\\r\\nServer:\\x20beego
SF:Server:2\\.0\\.0\\r\\nDate:\\x20Wed,\\x2006\\x20Jul\\x202022\\x2003:32:42\\x20GMT
SF:\\r\\nContent-Length:\\x2073\\r\\nContent-Type:\\x20text/plain;\\x20charset=ut
SF:f-8\\r\\n\\r\\n\\"result\\":\\"SESSION_OUT\\",\\"resultMsg\\":\\"token\\x20must\\x2
SF:0not\\x20null\\",\\"retData\\":null")%r(FourOhFourRequest,209,"HTTP/1\\.0\\x
SF:20200\\x20OK\\r\\nAccess-Control-Allow-Credentials:\\x20true\\r\\nAccess-Cont
SF:rol-Allow-Headers:\\x20Access-Control-Allow-Origin,ContentType,Authoriza
SF:tion,accept,accept-encoding,\\x20authorization,\\x20content-type,\\x20toke
SF:n\\r\\nAccess-Control-Allow-Methods:\\x20POST,\\x20GET,\\x20PUT,\\x20OPTIONS\\
SF:r\\nAccess-Control-Allow-Origin:\\x20\\*\\r\\nAccess-Control-Max-Age:\\x20172
SF:8000\\r\\nServer:\\x20beegoServer:2\\.0\\.0\\r\\nDate:\\x20Wed,\\x2006\\x20Jul\\x2
SF:02022\\x2003:32:42\\x20GMT\\r\\nContent-Length:\\x2073\\r\\nContent-Type:\\x20t
SF:ext/plain;\\x20charset=utf-8\\r\\n\\r\\n\\"result\\":\\"SESSION_OUT\\",\\"result
SF:Msg\\":\\"token\\x20must\\x20not\\x20null\\",\\"retData\\":null")%r(GenericLin
SF:es,67,"HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20text/plai
SF:n;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Reques
SF:t");
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.80 seconds
root@iZ254d5laqgZ:~# ^C
root@iZ254d5laqgZ:~# ls
kh tools
root@iZ254d5laqgZ:~#
Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-177-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
New release '20.04.4 LTS' available.
Run 'do-release-upgrade' to upgrade to it.以上是关于beego禁用3DES和DES弱加密算法--SSL/TLS协议信息泄露漏洞(CVE-2016-2183)原理扫描的主要内容,如果未能解决你的问题,请参考以下文章