1、原由
最近使用nessus扫描一款Web服务软件,发现了四个漏洞,如下:
SSL Version 2 and 3 Protocol detection
SSLv3 Padding Oracle On Downgrade Legacy Encryption Vulnerability(POODLE)
SSL Weak Cipher Suites Supports
SSL/TLS EXPORT_RAS<512-bit Cipher Suites Supported(FREAD)
2、漏洞分析
对每个显示的漏洞点击进去后,发现产生漏洞的端口号:8843
使用以下命令查找得到进程名:
netstat -ano | findstr "8843" #得到进程的PID
tasklist | findstr “PID" #得到进程名
确认问题是因为Tomcat引起的漏洞。
3、解决方案
经过查找tomcat配置ssl协议,得知需要配置tomcat/conf/server.xml文件,里面与SSL协议相关的部分如下:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="conf/tomcat.keystore" keystorePass="123456"
truststoreFile="conf/tomcat.keystore" truststorePass="123456"/>
maxThreads="150" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="conf/tomcat.keystore" keystorePass="123456"
truststoreFile="conf/tomcat.keystore" truststorePass="123456"/>
上面显示已经将当前的tomcat使用的是TLS协议,但是一直不生效,
经过同事的帮助,发现了下面的一段话:
rmeisen:The answers will vary depending on your Tomcat and Java versions, and if you are usingJSSE verses AJP. The differences are assubtle
as
sslProtocols=TLSv1
verses sslProtocol="TLS"
(Notice that s
).
Specifying your Tomcat &Java versions will save you from insanity.
于是将配置修改如下:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="true" sslProtocols="TLSv1"
keystoreFile="conf/tomcat.keystore" keystorePass="123456"
truststoreFile="conf/tomcat.keystore" truststorePass="123456"/>
maxThreads="150" scheme="https" secure="true"
clientAuth="true" sslProtocols="TLSv1"
keystoreFile="conf/tomcat.keystore" keystorePass="123456"
truststoreFile="conf/tomcat.keystore" truststorePass="123456"/>
再次扫描,发现漏洞:
SSL Version 2 and 3 Protocol detection 、
SSLv3 Padding Oracle On Downgrade Legacy Encryption Vulnerability(POODLE)
已经
解决。
继续做如下修改:
maxThreads="150" scheme="https" secure="true"
clientAuth="true" sslProtocols="TLSv1"
ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
keystoreFile="conf/tomcat.keystore" keystorePass="123456"
truststoreFile="conf/tomcat.keystore" truststorePass="123456"/>
剩下的两个漏洞也消失啦。
以后修改配置的时候,一定要注意不同版本的tomcat及jdk的配置之前的差异。
引用相关链接:http://serverfault.com/questions/637649/how-do-i-disable-sslv3-support-in-apache-tomcat