Overview

Vulnerability

CVE-2016-2183

The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.

Solution

Disable and stop using DES, 3DES, IDEA or RC2 ciphers.
More information can be found at Sweet32, Microsoft Windows TLS changes docs, and Microsoft Transport Layer Security (TLS) registry settings.

Remediation

Disable DES, 3DES, IDEA or RC2 ciphers by changing the ssl.conf settings.

Before: SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4
After: SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4:!DES:!3DES
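
The new cipher string names only `!DES:!3DES`, while the solution also lists IDEA and RC2, so it is worth checking what the string actually expands to on the local OpenSSL build. The following is an added example, not part of the original page; the function names `weak64_ciphers`, `audit_cipher_string` and `sample_ciphers_v` are this example's own, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original page.
# Reads `openssl ciphers -v` output on stdin and prints the names of suites
# whose Enc= column is a 64-bit block cipher (the ones Sweet32 applies to).
weak64_ciphers() {
    awk '{
        for (i = 2; i <= NF; i++)
            if ($i ~ /^Enc=(DES|3DES|IDEA|RC2)\(/) { print $1; break }
    }'
}

# Expands a cipher string with the local openssl binary.
# Returns 0 if no flagged suite remains, 1 if any does (names are printed),
# 2 if openssl is missing or rejects the string.
audit_cipher_string() {
    list=$(openssl ciphers -v "$1") || return 2
    found=$(printf '%s\n' "$list" | weak64_ciphers)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample in the `openssl ciphers -v` column layout
# (not real output from the server on this page).
sample_ciphers_v() {
    cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
EOF
}

# Stand-alone run: prints DES-CBC3-SHA and IDEA-CBC-SHA from the sample.
sample_ciphers_v | weak64_ciphers
```

On the server, run `audit_cipher_string 'HIGH:MEDIUM:!aNULL:!MD5:!RC4:!DES:!3DES'` with the openssl binary that matches the library the web server links against; any name it prints is a suite the string still allows.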

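Verification

Offer only DES/3DES suites to the server. After the change, the handshake should be refused with alert 40 (handshake failure), as in the output below.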

$ openssl s_client -connect 10.10.10.1:443 -cipher "DES:3DES" -tls1_2
CONNECTED(00000003)
140592171460512:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1275:SSL alert number 40
140592171460512:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1499085145
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)