TITLE: Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)
To disable the 64-bit block ciphers, add the exclusions !DES and !3DES to the SSLCipherSuite directive in /etc/httpd/conf.modules.d/ssl.conf.
Look for the SSLCipherSuite line:
[root@test ~]# grep SSLCipherSuite /etc/httpd/conf.modules.d/ssl.conf
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4
[root@test ~]#
Modify it as below, appending !DES:!3DES so both single DES and triple DES suites are excluded:
[root@test ~]# grep SSLCipherSuite /etc/httpd/conf.modules.d/ssl.conf
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4:!DES:!3DES
[root@test ~]#
CVEID: CVE-2016-2183
Restart the service listening on the port that was reported as vulnerable (for Apache, httpd) so the new cipher list takes effect.
The following openssl commands can be used to do a manual test; the server is fixed when every command fails the handshake and reports "Cipher is (NONE)", as in the output below:
openssl s_client -connect ip:port -cipher "DES:3DES" -ssl2
openssl s_client -connect ip:port -cipher "DES:3DES" -ssl3
openssl s_client -connect ip:port -cipher "DES:3DES" -tls1
openssl s_client -connect ip:port -cipher "DES:3DES" -tls1_1
openssl s_client -connect ip:port -cipher "DES:3DES" -tls1_2
[root@test ~]# openssl s_client -connect 10.10.10.1:443 -cipher "DES:3DES" -tls1_2
CONNECTED(00000003)
140592171460512:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1275:SSL alert number 40
140592171460512:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1499085145
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
[root@test ~]#
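The manual test above can be automated. The following is an added example, not code from the original post: it parses openssl s_client output to decide whether a DES/3DES suite was negotiated, wraps the post's probe command, and builds the hardened SSLCipherSuite value. The host, port and sample transcripts are constructed; the live probe assumes the openssl binary is on PATH.

```python
"""Sweet32 (CVE-2016-2183) check helpers: added example, not from the original post."""
import re
import subprocess

# Constructed sample: the refused handshake shown in the post (abridged).
SAMPLE_REFUSED = """CONNECTED(00000003)
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
"""

# Constructed sample: what an unpatched server answers (OpenSSL 1.0.x wording).
SAMPLE_ACCEPTED = """CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
"""


def negotiated_cipher(s_client_output: str):
    """Return the suite named on the 'Cipher is ...' line, or None on handshake failure."""
    match = re.search(r"^New, .*, Cipher is (\S+)", s_client_output, re.M)
    if not match or match.group(1) == "(NONE)":
        return None
    return match.group(1)


def accepts_64bit_block(s_client_output: str) -> bool:
    """True when the server agreed to a DES or 3DES (DES-CBC / DES-CBC3) suite."""
    cipher = negotiated_cipher(s_client_output)
    return cipher is not None and "DES-CBC" in cipher


def probe(host: str, port: int, proto_flag: str = "-tls1_2") -> bool:
    """Run the post's manual test against host:port; True means still vulnerable."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-cipher", "DES:3DES", proto_flag]
    result = subprocess.run(cmd, input=b"", capture_output=True, timeout=15)
    return accepts_64bit_block(result.stdout.decode(errors="replace"))


def harden_cipher_suite(value: str) -> str:
    """Append !DES and !3DES to an SSLCipherSuite value unless already present."""
    parts = value.split(":")
    for exclusion in ("!DES", "!3DES"):
        if exclusion not in parts:
            parts.append(exclusion)
    return ":".join(parts)


if __name__ == "__main__":
    print(harden_cipher_suite("HIGH:MEDIUM:!aNULL:!MD5:!RC4"))
    print("vulnerable" if probe("10.10.10.1", 443) else "DES/3DES refused")
```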
excellent; Thank you;
Got some valuable inputs on DES support.