PCI-DSS标准之SSL Weak Encryption Algorithms解决方法
Posted in java by admin on 09-04-2009. PCI信用卡支付标准中弱点扫描对SSL的加密强度有要求,中级漏洞中是不能使用SSLv2级别的加密,而低级漏洞中直接报告加密强度不够。那么,该如何补救呢?
中级漏洞好补,如果系统是Apache,那就ssl中配置SSLProtocol -ALL +SSLv3 +TLSv。如果是Tomcat,最好前面加个前置Pound,在Pound中设置ssl代理,加密强度Ciphers "HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL"即可。如果是resin,等会说。
低级漏洞,如果是apache,那就SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL即可。
接下来说Resin,可怜的Resin啊,Resin缺省支持两种SSL方式,openssl和jsse-ssl,如果用openssl,可以提高加密强度,但是(重要),但是,这样根本无法应用于生产环境,网站的速度会慢到无法忍受的地步,会被客户大量投诉。没办法,只能使用jsse-ssl,Resinjsse-ssl的配法比较复杂,下面说一下配法:
1. Resin必须是最新的professional的版本3.1.9,貌似3.1.6以上的版本才支持jsse-ssl中Ciphers的配置。
2. Java1.6的配置:
Java1.6必须配置成支持256的高加密强度:下载jce-policy-6.zip和jsse-1_0_3_04-gl.zip,把jsse-1_0_3_04-gl.zip解压出来的jcert.jar jnet.jar jsse.jar放入JAVA_HOME/jre/lib/ext目录下,把jce-policy-6.zip解压出来的local_policy.jar和US_export_policy.jar放入JAVA_HOME/jre/lib/security,替换掉原来的文件。
import java.io.*;
import java.security.*;
import javax.net.ssl.*;
import java.util.regex.*;
public class h {
public static void main(String[] args) {
try {
SSLServerSocket sslSocket;
SSLServerSocketFactory sslSrvFact =
(SSLServerSocketFactory)
SSLServerSocketFactory.getDefault();
sslSocket =(SSLServerSocket)sslSrvFact.createServerSocket(8181);
int port = sslSocket.getLocalPort();
String [] cipherSuites = sslSocket.getEnabledCipherSuites();
for(int i = 0; i < cipherSuites.length; i++){
System.out.println("Cipher Suite " + i +" = " + cipherSuites[i]);
}
sslSocket.close();
} catch (Exception e) {
System.out.println("Exception" + e);
}
}
}
运行结果如果显示256的字样就成功了。
Cipher Suite 0 = SSL_RSA_WITH_RC4_128_MD5
Cipher Suite 1 = SSL_RSA_WITH_RC4_128_SHA
Cipher Suite 2 = TLS_RSA_WITH_AES_128_CBC_SHA
Cipher Suite 3 = TLS_RSA_WITH_AES_256_CBC_SHA
Cipher Suite 4 = TLS_DHE_RSA_WITH_AES_128_CBC_SHA
Cipher Suite 5 = TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Cipher Suite 6 = TLS_DHE_DSS_WITH_AES_128_CBC_SHA
Cipher Suite 7 = TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Cipher Suite 8 = SSL_RSA_WITH_3DES_EDE_CBC_SHA
Cipher Suite 9 = SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Cipher Suite 10 = SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Cipher Suite 11 = SSL_RSA_WITH_DES_CBC_SHA
Cipher Suite 12 = SSL_DHE_RSA_WITH_DES_CBC_SHA
Cipher Suite 13 = SSL_DHE_DSS_WITH_DES_CBC_SHA
Cipher Suite 14 = SSL_RSA_EXPORT_WITH_RC4_40_MD5
Cipher Suite 15 = SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
Cipher Suite 16 = SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
Cipher Suite 17 = SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
运行openssl找出高强度加密方式对应的java ciphers
openssl ciphers -v 'HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL'
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
KRB5-DES-CBC3-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=MD5
KRB5-DES-CBC3-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
基本匹配的就三个:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
3. Resin3.1.9的配置:
<http port="443">
<jsse-ssl>
<key-store-type>jks</key-store-type>
<key-store-file>mykey.key</key-store-file>
<password>mykey</password>
<cipher-suites>TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA</cipher-suites>
</jsse-ssl>
</http>OK,这样就解决了,累死也。
Popularity: 71% [?]