
Vulnerability impact: The RC4 algorithm has known weaknesses; under certain conditions they allow an attacker to recover the contents of SSL/TLS-encrypted traffic, exposing account usernames and passwords, credit card data and other sensitive information.

Severity: High

Remediation: Disable the RC4 algorithm. GitHub stopped supporting RC4 as of 2015-1-5. Note that disabling RC4 will prevent IE6 from connecting.

Detection: in a Linux shell, run: openssl s_client -connect ys7.com:443 -cipher RC4

[root@localhost ~]# openssl s_client -connect ys7.com:443 -cipher RC4
CONNECTED(00000003)
140184490301256:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 82 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

If the response is an "alert handshake failure", the server does not support RC4.
If certificate information is returned instead, RC4 is supported, as shown below:

[root@localhost ~]# openssl s_client -connect adobe.com:443 -cipher RC4
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3 International Server CA - G3
verify return:1
depth=0 C = US, ST = California, L = San Jose, O = Adobe Systems Incorporated, OU = IT Load Balancer Service, CN = www.adobe.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=San Jose/O=Adobe Systems Incorporated/OU=IT Load Balancer Service/CN=www.adobe.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
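As an added example (not part of the original post), the following POSIX shell script automates the check described above: it runs the same openssl s_client command and classifies the transcript by the two signatures the post uses, a handshake failure alert versus a returned server certificate. The function names and the abridged sample transcripts are constructed for this example.

```shell
#!/bin/sh
# Added example: automate the page's check, `openssl s_client -connect HOST:443 -cipher RC4`.
# Rule taken from the page: "alert handshake failure" (and "Cipher is (NONE)") means the
# server refused every RC4 suite; a "Server certificate" block means an RC4 suite was negotiated.

classify_rc4_output() {
    # $1: full s_client transcript (stdout and stderr merged)
    out=$1
    if printf '%s\n' "$out" | grep -q 'alert handshake failure' \
        || printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo DISABLED
    elif printf '%s\n' "$out" | grep -q '^Server certificate'; then
        echo ENABLED
    else
        # Connection refused, timeout, DNS failure: report it instead of claiming "safe"
        echo UNKNOWN
    fi
}

check_rc4_host() {
    # $1: host, $2: port (default 443). Needs network; stdin is closed so s_client exits
    # right after the handshake. `|| true` keeps a failed handshake from aborting under set -e.
    host=$1; port=${2:-443}
    transcript=$(openssl s_client -connect "$host:$port" -cipher RC4 </dev/null 2>&1 || true)
    printf '%s\t%s\n' "$host:$port" "$(classify_rc4_output "$transcript")"
}

# Constructed sample transcripts (abridged), one per outcome, to exercise the classifier offline.
SAMPLE_DISABLED='CONNECTED(00000003)
140184490301256:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)'

SAMPLE_ENABLED='CONNECTED(00000003)
depth=0 C = XX, O = Example Org, CN = www.example.com
verify return:1
---
Server certificate
-----BEGIN CERTIFICATE-----
(certificate body omitted in this constructed sample)
-----END CERTIFICATE-----
---
New, TLSv1/SSLv3, Cipher is RC4-SHA'

SAMPLE_REFUSED='connect: Connection refused
connect:errno=111'
```

Run it against a live host with `check_rc4_host ys7.com`. On OpenSSL builds that have RC4 compiled out entirely, s_client fails with "no cipher match" before connecting, which the classifier reports as UNKNOWN rather than as a result about the server.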


