  • CVE-2014-3566

    https://access.redhat.com/articles/1232123

    https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00

    https://yryz.net/post/tls-fallback-scsv.html

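    About SSL/TLS man-in-the-middle downgrade attacks

    The TLS_FALLBACK_SCSV signaling cipher suite can be used to prevent unintended protocol downgrades between a client and a server, protecting against man-in-the-middle attacks.

    Specification revision history:

    • draft-ietf-tls-downgrade-scsv-00 (2014-07-04)
    • draft-bmoeller-tls-downgrade-scsv-02 (2014-05-31)
    • draft-bmoeller-tls-downgrade-scsv-01 (2013-11-28)
    • draft-bmoeller-tls-downgrade-scsv-00 (2013-09-25)

    Server behavior:

    If TLS_FALLBACK_SCSV appears in ClientHello.cipher_suites and the highest protocol version supported by the server is higher than ClientHello.client_version, the server must respond with an inappropriate_fallback alert.

    Client behavior:

    If the client sends a ClientHello.client_version lower than the highest version it supports, it must include the TLS_FALLBACK_SCSV cipher suite at the end of ClientHello.cipher_suites.

    Downgrade protection:

    Both the client and the server must implement TLS_FALLBACK_SCSV!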

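    Client support:

    IE11 has not implemented it yet, Firefox says it will not implement it until 2015, and OpenSSL requires a version upgrade.

    Chrome has already implemented TLS_FALLBACK_SCSV {0x56, 0x00}

    Windows Chrome 38.0.2125.104 m

    OpenSSL implements TLS_FALLBACK_SCSV to block man-in-the-middle downgrade attacks and mitigate the impact of the POODLE vulnerability (https://www.openssl.org/news/secadv_20141015.txt):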

    SSL 3.0 Fallback protection

    Severity: Medium

    OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications
    to block the ability for a MITM attacker to force a protocol
    downgrade.

    Some client applications (such as browsers) will reconnect using a
    downgraded protocol to work around interoperability bugs in older
    servers. This could be exploited by an active man-in-the-middle to
    downgrade connections to SSL 3.0 even if both sides of the connection
    support higher protocols. SSL 3.0 contains a number of weaknesses
    including POODLE (CVE-2014-3566).

    OpenSSL 1.0.1 users should upgrade to 1.0.1j.
    OpenSSL 1.0.0 users should upgrade to 1.0.0o.
    OpenSSL 0.9.8 users should upgrade to 0.9.8zc.

    https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
    https://www.openssl.org/~bodo/ssl-poodle.pdf

    Support for TLS_FALLBACK_SCSV was developed by Adam Langley and Bodo Moeller.

  • Original article: https://www.cnblogs.com/itzxy/p/6993917.html