Cve-2016-2183 repair process, pro test effective

Time:2021-5-3
  1. Problem description

SSL / TLS protocol information disclosure vulnerability (cve-2016-2183)

TLS is a secure transport layer protocol used to provide confidentiality and data integrity between two communication applications.
DES and triple des passwords used in TLS, SSH, IPSec negotiation and other products have a birthday boundary of about 4 billion blocks, which enables remote attackers to obtain pure text data through sweet32 attack.

2. Problem solving process

First of all, we can learn from this vulnerability introduction

There is no such vulnerability after OpenSSL 1.1.0, and the local version of OpenSSL is higher than 1.1.0

Find the problem in a different way

Through the following link to learn about nmap scanning tool, you can know the source of the vulnerability (retest)

For nmap installation mode, please refer to Baidu separately (the server of the case is RedHat, the RPM package downloaded from the official website, and the RPM – IVH package is successfully installed)

Get the result with the following command
nmap -sV –script ssl-enum-ciphers -p 443 www.example.com (IP is also OK)

Cve-2016-2183 repair process, pro test effective

It is found that 3DES encryption is C-level, and there is a warning, which is roughly consistent with the description of cve-2016-2183

3. Problem solving

By configuring the settings of nginx, SSL_ ciphers HIGH:! aNULL:! MD5:! 3DES;
Note:! 3DES is a post added filter

Then nginx – t checks the configuration file
Nginx – s reload restart nginx

4. Retest
nmap -sV –script ssl-enum-ciphers -p 443 www.example.com (IP is also OK)

Cve-2016-2183 repair process, pro test effective

Problem solving