Repair OpenSSL FREAK Vulnerability bug steps under Linux

Source: Internet
Author: User
Tags md5 openssl

Repair method:

1: Upgrade the latest version of OpenSSL, restart the corresponding service. #比如OpenSSL的1.0.1 of users should upgrade to 1.0.2
2: Modify the SSL encryption algorithm: (Nginx conf:ssl_ciphers all:! Adh:! Export56:rc4+rsa:+high:+medium:+low:+sslv2:+exp;)
Nginx modified to Ssl_ciphers high:!anull:! md5:! export56:! EXP;
httpd modified to Sslciphersuite high:!anull:! md5:! export56:! BX7
3: Restart the corresponding service.

Vulnerability test:

[Root@localhost ~]# OpenSSL s_client-connect www.111cn.net:443-cipher EXPORT
CONNECTED (00000003)
Depth=3 C = IL, O = ### Ltd., OU = Secure Digital certificate signing, CN = ### Certification Authority
Verify Return:1
depth=2 C = cn, O = ### Limited, cn = CA \e6\b2\83\###\e8\af\81\e4\b9\a6
Verify Return:1
Depth=1 C = cn, O = ### CA Limited, CN = CA \e6\b2\83\e9\80###\81\e4\b9\a6
Verify Return:1
Depth=0 Description = \e5\85\8d\e8\b4\b####\af\81\e4\b9\a6 \e7\94\b3\e8\###\91\e5\9d\80\ef\bc\9ahttps://####.com, CN = mail.####.com
Verify Return:1
---
Certificate chain
0 s:/description=\xe5\x85\x8d\## #F \x81\xe4\xb9\xa6 \xe7\x94\xb3\xe8\xaf\xb7\xe7\xbd\x91\xe5\x9d\x80\xef\xbc\ X9ahttps://buy.wosign.com/cn=mail.####.com
I:/c=cn/o=wosign CA Limited/cn=ca \xe6\xb2\x83\####\x8d\xe8\xb4\xb9ssl\xe8\xaf\x81\xe4\xb9\xa6
1 s:/c=cn/o=wosign CA Limited/cn=ca \xe6\xb2\x83\xe9\###\x8d\xe8\xb4\xb9ssl\xe8\xaf\x81\xe4\xb9\xa6
I:/c=cn/o=wosign CA Limited/cn=ca \xe6\xb2\x83\xe9\###\xb9\xe8\xaf\x81\xe4\xb9\xa6
2 s:/c=cn/o=wosign CA Limited/cn=ca \xe6\xb2\x83\xe9\x80\###\xb9\xe8\xaf\x81\xe4\xb9\xa6
i:/c=il/o=startcom ltd./ou=secure Digital Certificate signing/cn=### Certification
3 s:/c=il/o=startcom ltd./ou=secure Digital Certificate signing/cn=### certification Authority
i:/c=il/o=startcom ltd./ou=secure Digital Certificate signing/cn=### Certification
---
Server Certificate
-----BEGIN Certificate-----
###################### #FMm1PJLA9iewtlE9XETANBgkqhkiG9w0BAQUFADBM
Mqswcqydvqqgewjdtjeambgga1uechmrv29tawduienbiexpbwl0zwqxitafbgnv
bammgenbioayg+mamuwfjei0uvnttoivges5pjaefw0xndeymjuwmzi5mdlafw0x
Nteymjuwmzi5mdlamfkxpja8bgnvba0mnewfjei0uvnttoivges5pidnllpor7fn
vzhlnydvvj################################### #YDVQQDDA5tYWlsLmp1
yxn5lmnvbtccasiwdqyjkozihvcnaqebbqadggepadccaqocggebapjfjk6thr7n
C5lgnyyfesg+jmrm+hihckvl8xctouc9xfqhxptpblc+0nxgdwhphy5jslqe+mi8
K6vtb0xxp5t644p8j3/fellush1aqdaihmlwvcyha4xlnhdnii2pxqbajl7csvvu
24k0r1n5w1kmsgw354skraaa8qxy9frd8sl+8euml+51eyo+bzic0obcohfp7+i6
Fqwtzwxabxkt08kguear3gjfx1nt3hcdpksxttvxqh2xu5var77uf1j6oavxllco
Xlheteo7gyskm2iln8lvlrffncuoljjpl2cak7b0v6gk/cvnl22zhomppuqxgqnn
Pcgozuftdzccaweaaaocaauwggghmasga1uddwqeawidqdadbgnvhsuefjaubggr
Bgefbqcdagyikwybbquhawewcqydvr0tbaiwadadbgnvhq4efgqulfrekhxu6/pk
Vpb/e+kbvhzat90whwydvr0jbbgwfoau/couedflyoxunegqqq0okdwl9z4wewyi
Kwybbquhaqeebzbtmdmgccsgaqufbzabhidodhrwoi8vb2nzcdiud29zawdulmnu
####################################### #Kmh0dHA6Ly9haWEyLndvc2ln
Bi5jbi9jytiuc2vydmvyms5mcmvllmnlcja8bgnvhr8entazmdggl6athitodhrw
Oi8vy3jscziud29zawdulmnul2nhmi1zzxj2zxixlwzyzwuuy3jsmbkga1udeqqs
Mbccdm1hawwuanvhc3kuy29tmfiga1udiarlmekwcaygz4emaqibmd0gdisgaqqb
gptrawecbwecmcswkqyikwybbquhagewhwh0dha6ly93d3cud29zawdulmnvbs9w
################################## #Lhx97YtyFOlvC92qjVQWvZjZ7X8Ii
Uqbxgdkxvjt6s7aromq7tok35scdfvpgxylms2ehngxdl1gzjrqu4fydskngczql
fruvhm2jv17ydm+szy16mt8chh+fs3baoespwz0i71l7v+mgkvdmz1/stekfgs0e
######################################## #pswOZF0QVr/DOADK41OGLFG
Wac2v1kblk4jwmz5bd3yrpmthgjn04mzikilvzyolrjpp1ucuihewjsmv6wvw7fn
###############################################
-----End Certificate-----
subject=/description=\xe5\x85\x8d\xe8\xb4###### \xe7\x94\xb3\xe8\xaf\xb7\xe7\xbd\x91\xe5\x9d\x80\xef\xbc\ X9ahttps://buy.wosign.com/cn=mail.####.com
issuer=/c=cn/o=#### CA limited/cn=ca \xe6\xb2\x83\xe9\x80\x9a\x### #B4 \xb9ssl\xe8\xaf\x81\xe4\xb9\xa6
---
No client certificate CA names sent
---
SSL handshake has read 6799 bytes and written 199 bytes
---
New, Tlsv1/sslv3, Cipher is Exp-des-cbc-sha
Server public key is 2048 bit
Secure renegotiation is supported
Compression:none
Expansion:none
Ssl-session:
Protocol:tlsv1
Cipher:exp-des-cbc-sha
session-id:5343### #4FC455F26700B
Session-id-ctx:
master-key:2cca993f6######## #C6EE5A17FEA6F52D5BCA697C09A169ED59E0
Key-arg:none
Krb5 Principal:none
PSK Identity:none
PSK Identity Hint:none
Start time:1427162168
timeout:300 (SEC)
Verify return code:0 (OK)
---
Closed

after repair :

[Root@localhost ~]# OpenSSL s_client-connect www.111cn.net:443-cipher EXPORT
CONNECTED (00000003)
139642907903816:error:14077410:ssl routines:SSL23_GET_SERVER_HELLO:sslv3 Alert Handshake failure:s23_clnt.c:741:
---
No peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written bytes
---
New, (none), Cipher is (none)
Secure renegotiation is not supported
Compression:none
Expansion:none
---

Okay, did you find out that after the fix, we tested the bug and there was no bug.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.