Shulou(Shulou.com)06/01 Report--

We have just learned about SSLv3-Poodle * * from OpenSSL's official website. Please pay attention to it. For more information, please visit https://www.openssl.org/~bodo/ssl-poodle.pdf

This vulnerability runs through all SSLv3 versions. By using this vulnerability, you can successfully obtain transmitted data (such as cookies) by using similar methods such as man-in-the-middle * * (as long as both ends of the hijacked data encryption use SSL3.0). As of the post, no patches have been released.

WoSign recommends that you turn off client-side SSLv3 support, or turn off server SSLv3 support, or both.

Turn off server SSLv3 support:

Nginx:

Ssl_protocols TLSv1 TLSv1.1 TLSv1.2

Ssl_prefer_server_ciphers on

Ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256

SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE

RSAMuAES128FUSALLLV RC4MUBE SARAPHUAES128US128USLAV RC4MUBG SHAV aNULLRO eNULLV EXPORTOR "DESOR" 3DESIN "MD5RV" DSSRAPOR PKS

Ssl_session_timeout 5m

Ssl_session_cache builtin:1000 shared:SSL:10m

Apache:

SSLProtocol all-SSLv2-SSLv3

SSLHonorCipherOrder on

SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256

SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE

RSAcopyright AES128Mutual SHAVOR RC4MUBE SAMULAR A NULLRO MD5RU DSS

Turn off client SSLv3 support:

Google has said that chorme browsers have technologically blocked browsers from automatically downgrading to SSL3.0 links. Manually turn off the methods supported by SSL 3.0.

Windows users:

1) completely close the Chrome browser

2) copy a shortcut that normally opens the Chrome browser

3) right-click on the new shortcut to enter the properties

4) enter the following command at the end of the field in the space after "destination"-- ssl-version-min=tls1

Mac OS X users:

1) completely close the Chrome browser

2) find the terminal that comes with this machine (Terminal)

3) enter the following command: / Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome-- ssl-version-min=tls1

Linux users:

1) completely close the Chrome browser

2) enter the following command in the terminal: google-chrome-ssl-version-min=tls1

Firefox browser users can enter about: settings by entering about:config in the address bar and then adjusting security.tls.version.min to 1.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.