背景
由于服务器端的重新密钥协商的开销至少是客户端的10倍,因此攻击者可利用这个过程向服务器发起拒绝服务攻击。OpenSSL 1.0.2及以前版本受影响。
方法
使用OpenSSL(linux系统基本都自带)连接服务器进行测试:
- openssl s_client -connect ip:port
- HEAD / HTTP/1.0
- R
示例
服务器443端口开启重协商,使用openssl s_client -connect 172.31.0.22:443 连接测试(删除了部分证书信息):
[root@localhost ~]# openssl s_client -connect 172.31.0.22:443 CONNECTED(00000003) depth=0 CN = HTTPS-Self-Signed-Certificate verify error:num=18:self signed certificate verify return:1 depth=0 CN = HTTPS-Self-Signed-Certificate verify return:1 --- Certificate chain 0 s:/CN=HTTPS-Self-Signed-Certificate i:/CN=HTTPS-Self-Signed-Certificate --- Server certificate -----BEGIN CERTIFICATE----- ...... -----END CERTIFICATE----- subject=/CN=HTTPS-Self-Signed-Certificate issuer=/CN=HTTPS-Self