beego禁用3DES和DES弱加密算法--SSL/TLS协议信息泄露漏洞(CVE-2016-2183)【原理扫描】（二）

目录

程序代码

nmap重新扫描

程序代码

用beego起的一个 https 服务，被扫描出了漏洞（SSL/TLS协议信息泄露漏洞(CVE-2016-2183)），需要禁用DES加密算法

参考源码，解决方法如下：

beego.Run()前添加

ciphers := []uint16{
		tls.TLS_AES_128_GCM_SHA256,
		tls.TLS_CHACHA20_POLY1305_SHA256,
		tls.TLS_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
}
beego.BeeApp.Server.TLSConfig = &tls.Config{PreferServerCipherSuites: true}
beego.BeeApp.Server.TLSConfig.CipherSuites = ciphers

nmap重新扫描

需自行安装nmap

nmap -sV -p 扫描端口 --script ssl-enum-ciphers 扫描IP

扫描后加密算法中已踢出DES

root@ip:~# nmap -sV -p 443 --script ssl-enum-ciphers ip

Starting Nmap 7.60 ( https://nmap.org ) at 2022-07-06 11:32 CST
Nmap scan report for ip
Host is up (0.000044s latency).

PORT    STATE SERVICE   VERSION
443/tcp open  ssl/https beegoServer:2.0.0
| fingerprint-strings: 
|   FourOhFourRequest, GetRequest, HTTPOptions: 
|     HTTP/1.0 200 OK
|     Access-Control-Allow-Credentials: true
|     Access-Control-Allow-Headers: Access-Control-Allow-Origin,ContentType,Authorization,accept,accept-encoding, authorization, content-type, token
|     Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS
|     Access-Control-Allow-Origin: *
|     Access-Control-Max-Age: 1728000
|     Server: beegoServer:2.0.0
|     Date: Wed, 06 Jul 2022 03:32:42 GMT
|     Content-Length: 73
|     Content-Type: text/plain; charset=utf-8
|     {"result":"SESSION_OUT","resultMsg":"token must not null","retData":null}
|   GenericLines: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|_    Request
|_http-server-header: beegoServer:2.0.0
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.1: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port443-TCP:V=7.60%T=SSL%I=7%D=7/6%Time=62C5025A%P=x86_64-pc-linux-gnu%
SF:r(GetRequest,209,"HTTP/1\.0\x20200\x20OK\r\nAccess-Control-Allow-Creden
SF:tials:\x20true\r\nAccess-Control-Allow-Headers:\x20Access-Control-Allow
SF:-Origin,ContentType,Authorization,accept,accept-encoding,\x20authorizat
SF:ion,\x20content-type,\x20token\r\nAccess-Control-Allow-Methods:\x20POST
SF:,\x20GET,\x20PUT,\x20OPTIONS\r\nAccess-Control-Allow-Origin:\x20\*\r\nA
SF:ccess-Control-Max-Age:\x201728000\r\nServer:\x20beegoServer:2\.0\.0\r\n
SF:Date:\x20Wed,\x2006\x20Jul\x202022\x2003:32:42\x20GMT\r\nContent-Length
SF::\x2073\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\n\r\n{\"resu
SF:lt\":\"SESSION_OUT\",\"resultMsg\":\"token\x20must\x20not\x20null\",\"r
SF:etData\":null}")%r(HTTPOptions,209,"HTTP/1\.0\x20200\x20OK\r\nAccess-Co
SF:ntrol-Allow-Credentials:\x20true\r\nAccess-Control-Allow-Headers:\x20Ac
SF:cess-Control-Allow-Origin,ContentType,Authorization,accept,accept-encod
SF:ing,\x20authorization,\x20content-type,\x20token\r\nAccess-Control-Allo
SF:w-Methods:\x20POST,\x20GET,\x20PUT,\x20OPTIONS\r\nAccess-Control-Allow-
SF:Origin:\x20\*\r\nAccess-Control-Max-Age:\x201728000\r\nServer:\x20beego
SF:Server:2\.0\.0\r\nDate:\x20Wed,\x2006\x20Jul\x202022\x2003:32:42\x20GMT
SF:\r\nContent-Length:\x2073\r\nContent-Type:\x20text/plain;\x20charset=ut
SF:f-8\r\n\r\n{\"result\":\"SESSION_OUT\",\"resultMsg\":\"token\x20must\x2
SF:0not\x20null\",\"retData\":null}")%r(FourOhFourRequest,209,"HTTP/1\.0\x
SF:20200\x20OK\r\nAccess-Control-Allow-Credentials:\x20true\r\nAccess-Cont
SF:rol-Allow-Headers:\x20Access-Control-Allow-Origin,ContentType,Authoriza
SF:tion,accept,accept-encoding,\x20authorization,\x20content-type,\x20toke
SF:n\r\nAccess-Control-Allow-Methods:\x20POST,\x20GET,\x20PUT,\x20OPTIONS\
SF:r\nAccess-Control-Allow-Origin:\x20\*\r\nAccess-Control-Max-Age:\x20172
SF:8000\r\nServer:\x20beegoServer:2\.0\.0\r\nDate:\x20Wed,\x2006\x20Jul\x2
SF:02022\x2003:32:42\x20GMT\r\nContent-Length:\x2073\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\n\r\n{\"result\":\"SESSION_OUT\",\"result
SF:Msg\":\"token\x20must\x20not\x20null\",\"retData\":null}")%r(GenericLin
SF:es,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plai
SF:n;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Reques
SF:t");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.80 seconds
root@iZ254d5laqgZ:~# ^C
root@iZ254d5laqgZ:~# ls
kh  tools
root@iZ254d5laqgZ:~# 
Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-177-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
New release '20.04.4 LTS' available.
Run 'do-release-upgrade' to upgrade to it.