my site is vulnerable to the SSL FREAK attacks.
i have a setting problem.
my setting is…
I want all request “http” → “https”
But, some location is “https” → “http”.
ALL Location : https
/companyBrand.do : http only
What’s problem?
map $request_uri $example_org_preferred_proto {
default “https”;
~^/mobile/rsvPayOnlyResult2.do “http”;
~^/kor/cartel.do “http”;
}
server {
listen 443 ssl;
listen 80;
server_name www.test.com;
charset utf-8;
#ssl on;
ssl_certificate D:/nginx-1.7.10/ssl/cert.pem;
ssl_certificate_key D:/nginx-1.7.10/ssl/nopasswd.pem;
ssl_verify_client off;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers AES256-SHA:HIGH:!EXPORT:!eNULL:!ADH:RC4+RSA;
ssl_prefer_server_ciphers on;
error_page 400 /error/error.html;
error_page 403 /error/error.html;
error_page 404 /error/error.html;
if ($scheme != $example_org_preferred_proto) {
return 301 $example_org_preferred_proto://$server_name$request_uri;
}
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_buffering off;
proxy_connect_timeout 60;
proxy_read_timeout 60;
proxy_pass http://wwwtestcom;
proxy_ssl_session_reuse off;
}
}
Posted at Nginx Forum:
same error.
site is vulnerable to the SSL FREAK attacks.
openssl version is the problem?
openssl version is 1.02
what’s problem?
Posted at Nginx Forum:
jinwon42 Wrote:
my site is vulnerable to the SSL FREAK attacks.
ssl_protocols SSLv3 TLSv1;
ssl_ciphers AES256-SHA:HIGH:!EXPORT:!eNULL:!ADH:RC4+RSA;
Try these;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers
ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!eNULL:!MD5:!DSS:!EXP:!ADH:!LOW:!MEDIUM;
Posted at Nginx Forum:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello!
What linux distribution do you use?
On el6 I use openssl-1.0.1e-30.el6
On el7 I use openssl-1.0.1e-42.el7.4.x86_64
https://kb.iweb.com/entries/90860777-Security-vulnerabilities-in-OpenSSL
- -FREAK-CVE-2015-0204-and-more
Red hat using their own packages versioning (CMIIW), it might be vary
with your linux distro. And how do you test your site againts FREAK
attacks?
On 4/14/2015 08:28, jinwon42 wrote:
[email protected] nginx Info Page
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
iQEcBAEBAgAGBQJVLHqOAAoJEF1+odKB6YIxupIIAI+bCplE9ixsIb1SDAXDJriC
MDBc8RfCM72V/a6Lm6FpFxd1mJiMYs93zSGNkD34VrkHRABAf0DrL3tMD276dn3G
r/9QtrHYfw9A78p/6juZVsQ6tPWPcRPRvRFdXp1M8KUO64pR8JgWCrIxoFAzwNJ0
jj+UMElZAo4+xFsEXndHlRBb4BGb5nOXkG9cXkN9PvjEX3g4EDeAViayqZnJtxCd
yORGa4cWgld+HOxPWCSd3rHrxLy9rCaudhhFKPqX+ziRSX4Eq85r9dAnxHxzKg3b
kDn3w8ixpc/CqaRA0DvANMB2xc9IXGAR7P/rOkw5MyGO3Foh9w6JVQcsH1JCipU=
=AKo2
-----END PGP SIGNATURE-----
sorry.
my server is windows server.
windows + nginx1.7.10 + tomcat
Openssl 1.02 updates have been completed.
Posted at Nginx Forum:
my server is windows server.
windows + nginx1.7.10 + tomcat
Openssl 1.02 updates have been completed.
How, are you recompiling nginx on your own? Nginx
binary comes bundled with openssl, not sure you
are able to update openssl on your own. Get nginx
1.7.12, it bundles withopenssl-1.0.1m.
Lukas
i was update nginx-1.7.12 version.
but, same error.
What error? How exactly do you come to the
conclusion that your site is vulnerable?
sorry
i was update nginx-1.7.12 version.
but, same error.
windows + nginx1.7.12 + tomcat.
my site is no HSTS.Is this a problem?
Posted at Nginx Forum:
i testing this site, “SSL FREAK Test - Verify CVE-2015-0204 Vulnerability | KeyCDN Tools”
result message : Vulnerable! The domain www.ktkumhorent.com:443 is
vulnerable to the SSL FREAK attacks.
Right, also see:
https://www.ssllabs.com/ssltest/analyze.html?d=ktkumhorent.com
Your site is extremely vulnerable, it even allows SSLv2, very weak
ciphers, and is generally vulnerable to a huge number of old issues
that are supposed to be fixed a long time ago.
It does not match your configuration, so there must be a different
proxy, software or other MITM acting as HTTPS server in between.
Check your network.
i testing this site, “SSL FREAK Test - Verify CVE-2015-0204 Vulnerability | KeyCDN Tools”
result message : Vulnerable! The domain www.ktkumhorent.com:443 is
vulnerable to the SSL FREAK attacks.
Do I need to reboot server?
Posted at Nginx Forum: