My site is vulnerable to the SSL FREAK attacks

my site is vulnerable to the SSL FREAK attacks.

i have a setting problem.

my setting is…
I want all request “http” --> “https”
But, some location is “https” --> “http”.
ALL Location : https
/companyBrand.do : http only

What’s problem?


map $request_uri $example_org_preferred_proto {

default “https”;
~^/mobile/rsvPayOnlyResult2.do “http”;
~^/kor/cartel.do “http”;
}

server {
listen 443 ssl;
listen 80;
server_name www.test.com;

charset utf-8;

    #ssl                  on;
    ssl_certificate      D:/nginx-1.7.10/ssl/cert.pem;
    ssl_certificate_key  D:/nginx-1.7.10/ssl/nopasswd.pem;

ssl_verify_client off;

    ssl_session_timeout  5m;

    ssl_protocols  SSLv3 TLSv1;
    ssl_ciphers  AES256-SHA:HIGH:!EXPORT:!eNULL:!ADH:RC4+RSA;
    ssl_prefer_server_ciphers   on;

error_page 400 /error/error.html;
error_page 403 /error/error.html;
error_page 404 /error/error.html;

if ($scheme != $example_org_preferred_proto) {
return 301 $example_org_preferred_proto://$server_name$request_uri;
}

    location / {
       proxy_set_header Host                $host;
       proxy_set_header X-Real-IP            $remote_addr;
       proxy_set_header X-Forwarded-Host    $host;
       proxy_set_header X-Forwarded-Server    $host;
       proxy_set_header X-Forwarded-For

$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_buffering off;
proxy_connect_timeout 60;
proxy_read_timeout 60;
proxy_pass http://wwwtestcom;
proxy_ssl_session_reuse off;
}
}

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,257984,257984#msg-257984

same error.
site is vulnerable to the SSL FREAK attacks.

openssl version is the problem?
openssl version is 1.02

what’s problem?

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,257984,258010#msg-258010

jinwon42 Wrote:

my site is vulnerable to the SSL FREAK attacks.

    ssl_protocols  SSLv3 TLSv1;
    ssl_ciphers  AES256-SHA:HIGH:!EXPORT:!eNULL:!ADH:RC4+RSA;

Try these;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers
ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!eNULL:!MD5:!DSS:!EXP:!ADH:!LOW:!MEDIUM;

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,257984,257989#msg-257989

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello!

What linux distribution do you use?

On el6 I use openssl-1.0.1e-30.el6
On el7 I use openssl-1.0.1e-42.el7.4.x86_64

https://kb.iweb.com/entries/90860777-Security-vulnerabilities-in-OpenSSL

  • -FREAK-CVE-2015-0204-and-more

Red hat using their own packages versioning (CMIIW), it might be vary
with your linux distro. And how do you test your site againts FREAK
attacks?

On 4/14/2015 08:28, jinwon42 wrote:

[email protected] http://mailman.nginx.org/mailman/listinfo/nginx

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJVLHqOAAoJEF1+odKB6YIxupIIAI+bCplE9ixsIb1SDAXDJriC
MDBc8RfCM72V/a6Lm6FpFxd1mJiMYs93zSGNkD34VrkHRABAf0DrL3tMD276dn3G
r/9QtrHYfw9A78p/6juZVsQ6tPWPcRPRvRFdXp1M8KUO64pR8JgWCrIxoFAzwNJ0
jj+UMElZAo4+xFsEXndHlRBb4BGb5nOXkG9cXkN9PvjEX3g4EDeAViayqZnJtxCd
yORGa4cWgld+HOxPWCSd3rHrxLy9rCaudhhFKPqX+ziRSX4Eq85r9dAnxHxzKg3b
kDn3w8ixpc/CqaRA0DvANMB2xc9IXGAR7P/rOkw5MyGO3Foh9w6JVQcsH1JCipU=
=AKo2
-----END PGP SIGNATURE-----

sorry.

my server is windows server.

windows + nginx1.7.10 + tomcat

Openssl 1.02 updates have been completed.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,257984,258012#msg-258012

my server is windows server.

windows + nginx1.7.10 + tomcat
Openssl 1.02 updates have been completed.

How, are you recompiling nginx on your own? Nginx
binary comes bundled with openssl, not sure you
are able to update openssl on your own. Get nginx
1.7.12, it bundles withopenssl-1.0.1m.

Lukas

i was update nginx-1.7.12 version.
but, same error.

What error? How exactly do you come to the
conclusion that your site is vulnerable?

sorry

i was update nginx-1.7.12 version.
but, same error.

windows + nginx1.7.12 + tomcat.

my site is no HSTS.Is this a problem?

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,257984,258016#msg-258016

i testing this site, “https://tools.keycdn.com/freak

result message : Vulnerable! The domain www.ktkumhorent.com:443 is
vulnerable to the SSL FREAK attacks.

Right, also see:
https://www.ssllabs.com/ssltest/analyze.html?d=ktkumhorent.com

Your site is extremely vulnerable, it even allows SSLv2, very weak
ciphers, and is generally vulnerable to a huge number of old issues
that are supposed to be fixed a long time ago.

It does not match your configuration, so there must be a different
proxy, software or other MITM acting as HTTPS server in between.

Check your network.

i testing this site, “https://tools.keycdn.com/freak

result message : Vulnerable! The domain www.ktkumhorent.com:443 is
vulnerable to the SSL FREAK attacks.

Do I need to reboot server?

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,257984,258019#msg-258019

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs