我刚刚在我的一个域名上安装了 Let's Encrypt 的 SSL 证书。一切正常,Chrome 上显示绿色锁图标。但为了确保万无一失,我在 ssllabs.com 上检查了该域名。令我惊讶的是,它的评级最低,为 F。看来我的服务器容易受到 OpenSSL CCS 漏洞 (CVE-2014-0224) 的攻击。
我的服务器运行的是 Ubuntu 14.04。我尝试更新软件包并安装新版本的 OpenSSL。
sudo apt-get update
sudo apt-get install openssl libssl-dev
我找不到任何新更新,所以我从源代码构建了它。但是现在我有了最新版本,当我在 SSLLabs 上检查域名时,我没有看到任何差异,它仍然被评为 F。
$ openssl version
OpenSSL 1.0.2f 28 Jan 2016
我应该怎么做才能一劳永逸地修复此漏洞?
谢谢。
答案1
CVE-2014-0224 已于 2014 年 6 月修补。
运行apt-get changelog openssl | grep -A10 0224
以确保无误。
$ apt-get changelog openssl | grep -A10 0224
- debian/patches/CVE-2014-0224-regression2.patch: accept CCS after
sending finished ssl/s3_clnt.c.
-- Marc Deslauriers <[email protected]> Fri, 20 Jun 2014 13:57:48 -0400
openssl (1.0.1-4ubuntu5.15) precise-security; urgency=medium
* SECURITY UPDATE: regression with tls_session_secret_cb (LP:
#1329297)
- debian/patches/CVE-2014-0224.patch: set the CCS_OK flag when using
tls_session_secret_cb for session resumption in ssl/s3_clnt.c.
-- Marc Deslauriers <[email protected]> Thu, 12 Jun 2014 08:30:56 -0400
openssl (1.0.1-4ubuntu5.14) precise-security; urgency=medium
* SECURITY UPDATE: arbitrary code execution via DTLS invalid fragment
- debian/patches/CVE-2014-0195.patch: add consistency check for DTLS
fragments in ssl/d1_both.c.
- CVE-2014-0195
--
- debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec
when it is expected in ssl/s3_clnt.c, ssl/s3_pkt.c, ssl/s3_srvr.c,
ssl/ssl3.h.
- debian/patches/CVE-2014-0224-2.patch: don't accept zero length master
secrets in ssl/s3_pkt.c.
- debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in
ssl/s3_clnt.c.
- CVE-2014-0224 * SECURITY UPDATE: denial of service via ECDH null session cert
- debian/patches/CVE-2014-3470.patch: check session_cert is not NULL
before dereferencing it in ssl/s3_clnt.c.
- CVE-2014-3470
-- Marc Deslauriers <[email protected]> Mon, 02 Jun 2014 14:05:34 -0400
openssl (1.0.1-4ubuntu5.13) precise-security; urgency=medium
* SECURITY UPDATE: denial of service via use after free