通过POODLE SSL漏洞保护Thrift服务器
[英]Securing a Thrift server aginst the POODLE SSL vulnerability
问题描述
In order to secure my Thrift server against the recently discovered SSLv3 vulnerability , I explicitly stated which protocols should be enabled for the server socket: 
为了保护Thrift服务器免受最近发现的SSLv3漏洞的侵害 ,我明确说明了应为服务器套接字启用哪些协议:
TServerSocket socket = TSSLTransportFactory.getServerSocket(...);
SSLServerSocket sslServerSocket = (SSLServerSocket) socket.getServerSocket;
sslServerSocket.setEnabledProtocols(new String[] {"TLSv1.1", "TLSv1.2"});
However, even though a check using the TestSSLServer lists only TLSv1.1 and TLSv1.2, I'm still able to connect with OpenSSL using SSLv3: 但是,即使使用TestSSLServer进行的检查仅列出了TLSv1.1和TLSv1.2,我仍然能够使用SSLv3与OpenSSL连接:
openssl s_client -connect localhost:1111 -ssl3
How can I entirely disable SSLv3 on Thrift, so it fails during the SSL handshake already? 我如何在Thrift上完全禁用SSLv3,以使其在SSL握手期间已经失败?
1 个解决方案
解决方案1
2 已采纳 2014-10-20 14:43:03
It seems I misinterpreted the openssl client output. 看来我误解了openssl客户端输出。 Even though there is CONNECTED(00000003) on the first line, the error message follows: 即使第一行上有CONNECTED(00000003) , CONNECTED(00000003)出现错误消息:
140535757866656:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
It is, therefore, not possible to connect to the server; 因此,无法连接到服务器。 the code snippet presented in the question works fine. 问题中显示的代码段工作正常。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.