My site is vulnerable to the SSL FREAK attacks

musicdenotation · April 13, 2015, 9:51am

my site is vulnerable to the SSL FREAK attacks.

i have a setting problem.

my setting is…
I want all request “http” → “https”
But, some location is “https” → “http”.
ALL Location : https
/companyBrand.do : http only

What’s problem?

map $request_uri $example_org_preferred_proto {

default “https”;
~^/mobile/rsvPayOnlyResult2.do “http”;
~^/kor/cartel.do “http”;
}

server {
listen 443 ssl;
listen 80;
server_name www.test.com;

charset utf-8;

    #ssl                  on;
    ssl_certificate      D:/nginx-1.7.10/ssl/cert.pem;
    ssl_certificate_key  D:/nginx-1.7.10/ssl/nopasswd.pem;

ssl_verify_client off;

    ssl_session_timeout  5m;

    ssl_protocols  SSLv3 TLSv1;
    ssl_ciphers  AES256-SHA:HIGH:!EXPORT:!eNULL:!ADH:RC4+RSA;
    ssl_prefer_server_ciphers   on;

error_page 400 /error/error.html;
error_page 403 /error/error.html;
error_page 404 /error/error.html;

if ($scheme != $example_org_preferred_proto) {
return 301 $example_org_preferred_proto://$server_name$request_uri;
}

    location / {
       proxy_set_header Host                $host;
       proxy_set_header X-Real-IP            $remote_addr;
       proxy_set_header X-Forwarded-Host    $host;
       proxy_set_header X-Forwarded-Server    $host;
       proxy_set_header X-Forwarded-For

$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_buffering off;
proxy_connect_timeout 60;
proxy_read_timeout 60;
proxy_pass http://wwwtestcom;
proxy_ssl_session_reuse off;
}
}

Posted at Nginx Forum:

jinwon42 · April 14, 2015, 3:28am

same error.
site is vulnerable to the SSL FREAK attacks.

openssl version is the problem?
openssl version is 1.02

what’s problem?

Posted at Nginx Forum:

jinwon42 · April 13, 2015, 1:12pm

jinwon42 Wrote:

my site is vulnerable to the SSL FREAK attacks.
    ssl_protocols  SSLv3 TLSv1;
    ssl_ciphers  AES256-SHA:HIGH:!EXPORT:!eNULL:!ADH:RC4+RSA;

Try these;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers
ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!eNULL:!MD5:!DSS:!EXP:!ADH:!LOW:!MEDIUM;

Posted at Nginx Forum:

jinwon42 · April 14, 2015, 4:26am

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello!

What linux distribution do you use?

On el6 I use openssl-1.0.1e-30.el6
On el7 I use openssl-1.0.1e-42.el7.4.x86_64

https://kb.iweb.com/entries/90860777-Security-vulnerabilities-in-OpenSSL

-FREAK-CVE-2015-0204-and-more

Red hat using their own packages versioning (CMIIW), it might be vary
with your linux distro. And how do you test your site againts FREAK
attacks?

On 4/14/2015 08:28, jinwon42 wrote:

[email protected] nginx Info Page

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJVLHqOAAoJEF1+odKB6YIxupIIAI+bCplE9ixsIb1SDAXDJriC
MDBc8RfCM72V/a6Lm6FpFxd1mJiMYs93zSGNkD34VrkHRABAf0DrL3tMD276dn3G
r/9QtrHYfw9A78p/6juZVsQ6tPWPcRPRvRFdXp1M8KUO64pR8JgWCrIxoFAzwNJ0
jj+UMElZAo4+xFsEXndHlRBb4BGb5nOXkG9cXkN9PvjEX3g4EDeAViayqZnJtxCd
yORGa4cWgld+HOxPWCSd3rHrxLy9rCaudhhFKPqX+ziRSX4Eq85r9dAnxHxzKg3b
kDn3w8ixpc/CqaRA0DvANMB2xc9IXGAR7P/rOkw5MyGO3Foh9w6JVQcsH1JCipU=
=AKo2
-----END PGP SIGNATURE-----

jinwon42 · April 14, 2015, 8:00am

sorry.

my server is windows server.

windows + nginx1.7.10 + tomcat

Openssl 1.02 updates have been completed.

Posted at Nginx Forum:

jinwon42 · April 14, 2015, 9:34am

my server is windows server.

windows + nginx1.7.10 + tomcat
Openssl 1.02 updates have been completed.

How, are you recompiling nginx on your own? Nginx
binary comes bundled with openssl, not sure you
are able to update openssl on your own. Get nginx
1.7.12, it bundles withopenssl-1.0.1m.

Lukas

jinwon42 · April 14, 2015, 11:11am

i was update nginx-1.7.12 version.
but, same error.

What error? How exactly do you come to the
conclusion that your site is vulnerable?

jinwon42 · April 14, 2015, 10:27am

sorry

i was update nginx-1.7.12 version.
but, same error.

windows + nginx1.7.12 + tomcat.

my site is no HSTS.Is this a problem?

Posted at Nginx Forum:

jinwon42 · April 14, 2015, 11:55am

i testing this site, “SSL FREAK Test - Verify CVE-2015-0204 Vulnerability | KeyCDN Tools”

result message : Vulnerable! The domain www.ktkumhorent.com:443 is
vulnerable to the SSL FREAK attacks.

Right, also see:
https://www.ssllabs.com/ssltest/analyze.html?d=ktkumhorent.com

Your site is extremely vulnerable, it even allows SSLv2, very weak
ciphers, and is generally vulnerable to a huge number of old issues
that are supposed to be fixed a long time ago.

It does not match your configuration, so there must be a different
proxy, software or other MITM acting as HTTPS server in between.

Check your network.

jinwon42 · April 14, 2015, 11:41am

i testing this site, “SSL FREAK Test - Verify CVE-2015-0204 Vulnerability | KeyCDN Tools”

result message : Vulnerable! The domain www.ktkumhorent.com:443 is
vulnerable to the SSL FREAK attacks.

Do I need to reboot server?

Posted at Nginx Forum: