今天突然扫出漏洞来了,漏洞是ssl的 SSL/TLS 服务器瞬时 Diffie-Hellman 公共密钥过弱 引起的,上网搜索结果,但是这次网上的大神真的是往坑里带,说要在springboot的配置文件中添加配置如下(错误的配置):
server.ssl.enabled-protocols[3]=TLSv1,TLSv1.1,TLSv1.2
server.ssl.ciphers[10]=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA
结果呢,这样配置了以后就报上面的错误了,项目也无法启动,后来经过自己模式测试,应该将配置改成这样就行了:
server.ssl.enabled-protocols=TLSv1,TLSv1.1,TLSv1.2
server.ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA
#server.ssl.ciphers[10]=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA
具体报错如下,
***************************
APPLICATION FAILED TO START
***************************
Description:
Binding to target [Bindable@2b30b627 type = java.lang.String[], value = 'provided', annotations = array<Annotation>[[empty]]] failed:
Property: server.ssl.enabled-protocols[3]
Value: TLSv1,TLSv1.1,TLSv1.2
Origin: class path resource [application-pro.properties]:26:33
Reason: The elements [server.ssl.enabled-protocols[3]] were left unbound.
Action:
Update your application's configuration