Coffeenix, the system administrators' lounge: a place covering systems, networks and security
OpenSSL vulnerability roundup, from Logjam to Heartbleed

 
truefeel (cafe administrator)



Posted: Tue, 2015.6.16, 4:40 pm

OpenSSL vulnerabilities have been pouring out in droves since last year, to an almost sickening degree. When only one or two had come out, I could connect each vulnerability's name to what it actually was, but as they keep piling up it gets confusing. So I have briefly summarized them: the Heartbleed vulnerability, the POODLE vulnerability, the FREAK vulnerability, and the recently announced Logjam vulnerability.
How to check whether a server is vulnerable is written up separately.



1. OpenSSL Logjam vulnerability (2015.5.)


A vulnerability in the TLS protocol: an attacker can downgrade a TLS connection that uses ephemeral Diffie-Hellman key exchange to 512-bit export-grade cryptography.

OpenSSL 1.0.2: patched in 1.0.2b and later
OpenSSL 1.0.1: patched in 1.0.1n and later

The fixes in the OpenSSL 1.0.1 and 1.0.2 series, by version:
- 1.0.1 and 1.0.2: added protection for TLS clients that rejects the handshake if the DH parameters are shorter than 768 bits.
- 1.0.2b and later, 1.0.1n and later: raised the above limit to 1024 bits.
- 1.0.1m and later, 1.0.2a and later: EXPORT cipher suites (that is, export-grade ciphers) are disabled by default.

Quote:

1) Checking for the vulnerability
You must use the openssl 1.0.2 client to see the Server Temp Key: value. If the Server Temp Key: value is 1024 bits or lower, generate 2048-bit DH parameters. (1024 bits is not necessarily vulnerable, but neither is it safe. With the computing power of today's PCs, 1024-bit cryptography can be broken in a short time, which is why 2048 bits is recommended.)

$ openssl s_client -connect server:443 -cipher EDH

2) apache configuration
$ openssl dhparam -out dhparam.pem 2048

Append the generated DH parameters to the end of the file named in SSLCertificateFile.
cat dhparam.pem >> /path/to/sslcertfile

However, apache versions before 2.4.7 always have the DH parameters set to 1024 bits, and the user cannot change this.
The apache 2.2 in RHEL 6 (CentOS 6) has this backported from 2.4.7, so it can be configured.

3) nginx configuration
$ openssl dhparam -out dhparam.pem 2048

Add the following to nginx.conf:
ssl_dhparam /path/to/dhparam.pem;


For details, see the following.
https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
http://www.openssl.org/news/secadv_20150611.txt
https://access.redhat.com/ko/articles/1480443 (Korean)

For web server configuration, the Guide to Deploying Diffie-Hellman for TLS ( https://weakdh.org/sysadmin.html ) seems to be the best-organized write-up.


2. OpenSSL FREAK vulnerability (2015.3.)

In the past, the United States restricted the export of cryptographic technology. To export it overseas, only weak 512-bit encryption (RSA EXPORT) could be used. The United States lifted this export restriction in 2000.

Today, keys of 2048 bits or more are widely used. Yet more than ten years after the export restriction was lifted, the export-grade cipher support was still present in OpenSSL. With the vulnerability called FREAK (Factoring attack on RSA-EXPORT Keys), an attacker can request weak 512-bit export-grade cryptography.

OpenSSL 1.0.1: patched in 1.0.1k
OpenSSL 1.0.0: patched in 1.0.0p
OpenSSL 0.9.8: patched in 0.9.8zd

Quote:

1) Checking for the vulnerability
$ openssl s_client -connect server:443 -cipher EXPORT

2) apache configuration: add !EXP or !EXPORT to SSLCipherSuite.
(e.g.) SSLCipherSuite HIGH:!aNULL:!MD5:!EXP

3) nginx configuration: add !EXPORT.
(e.g.) ssl_ciphers HIGH:!aNULL:!MD5:!EXPORT;



3. OpenSSL POODLE vulnerability (SSLv3 vulnerability, 2014.10.)

The vulnerability called POODLE (Padding Oracle On Downgraded Legacy Encryption) exists in SSL version 3.0. An attacker can decrypt encrypted traffic by mounting a padding oracle attack (I don't know what this is).

The POODLE vulnerability is not a flaw in the protocol itself but an implementation problem, so it is resolved by a configuration change rather than a patch. Only SSL v3 is affected; TLS is not vulnerable. So it is enough to configure the server not to use SSL v3.

Quote:

1) Checking for the vulnerability
$ openssl s_client -connect server:443 -ssl2 (the -ssl2 option may not be supported)
$ openssl s_client -connect server:443 -ssl3

2) apache configuration: add -SSLv3 to SSLProtocol.
(e.g.) SSLProtocol all -SSLv2 -SSLv3

3) nginx configuration: allow TLS only
(e.g.) ssl_protocols TLSv1.2 TLSv1.1 TLSv1;


For details, see the following.
https://access.redhat.com/ko/node/1256013 (Korean)


4. OpenSSL Heartbleed vulnerability (2014.4.)

OpenSSL 1.0.1 has a TLS heartbeat vulnerability (known as the Heartbleed Bug; CVE-2014-0160, openssl: information disclosure in handling of TLS heartbeat extension packets). An attacker can read 64KB of the https server's memory. That memory holds data exchanged between the https server and its users (IDs/passwords and similar information), which the attacker can see in plain text. In addition, the SSL private key can be obtained.

For details, see the following.
http://coffeenix.net/bbs/viewtopic.php?t=8239


------------------------------------------------------------------------------------------------------------
5. Quick vulnerability checks with the openssl command

※ See also: Examining certificate information with openssl (2008.12.)

1-1) When SSLv3 is allowed

Code:

$ openssl s_client -connect server:443 -ssl3
CONNECTED(00000003)
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
...omitted...
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA <-- SSLv3 is supported.


1-2) When SSLv3 is not allowed (safe)

Code:

$ openssl s_client -connect server:443 -ssl3
CONNECTED(00000003)
140289569347264:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
140289569347264:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000 <-- SSLv3 is not supported.


2-1) When export-grade ciphers are allowed (certificate information is displayed; insecure)

Code:

$ openssl s_client -connect server:443 -cipher EXPORT
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, ... omitted ...
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
...omitted...
SSL handshake has read 4798 bytes and written 201 bytes


2-2) When export-grade ciphers are not allowed (safe)

Code:

$ openssl s_client -connect server:443 -cipher EXPORT
CONNECTED(00000003)
139768004437696:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 75 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---


3-1) Vulnerable to Logjam (you must test with the openssl 1.0.2 client to see the Server Temp Key: value)

Code:

$ openssl s_client -connect server:443 -cipher EDH
... omitted ...
Server Temp Key: DH, 1024 bits <--- If this is 1024 bits or lower, configure the server to use 2048-bit DH parameters.

SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
... omitted ...


3-2) Not vulnerable to Logjam

Code:

$ openssl s_client -connect server:443 -cipher EDH
CONNECTED(00000003)
139828320765632:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 145 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
---
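
The checks in section 5, scripted as an added example that is not part of the original post: it reads saved openssl s_client output and reports whether the legacy handshake was accepted and how large the server's DH key is. The function names handshake_verdict and dh_verdict and the sample transcripts are constructed for this example.

```shell
# Added example: classify saved `openssl s_client` output with the markers
# from section 5. Function names and transcripts are constructed.

# Verdict for a -ssl3 or -cipher EXPORT probe ($1 = s_client output).
handshake_verdict() {
    if printf '%s\n' "$1" | grep -Eq 'Cipher is \(NONE\)|Cipher[[:space:]]*:[[:space:]]*0000'; then
        echo rejected      # server refused the legacy protocol/cipher
    elif printf '%s\n' "$1" | grep -Eq 'Cipher[[:space:]]*:[[:space:]]*[A-Z0-9]+-'; then
        echo accepted      # a cipher was negotiated: server needs fixing
    else
        echo unknown
    fi
}

# Verdict for a -cipher EDH probe, using the page's rule that a
# "Server Temp Key" of 1024 bits or less calls for 2048-bit DH parameters.
dh_verdict() {
    bits=$(printf '%s\n' "$1" |
        sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1)
    if [ -n "$bits" ] && [ "$bits" -le 1024 ]; then
        echo "weak:$bits"
    elif [ -n "$bits" ]; then
        echo "ok:$bits"
    elif [ "$(handshake_verdict "$1")" = rejected ]; then
        echo no-dhe        # DHE suites refused, as in case 3-2
    else
        echo unknown       # e.g. a client older than 1.0.2 prints no temp key
    fi
}

# Constructed transcripts, trimmed to the lines the checks read.
SSL3_ON='SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA'
SSL3_OFF='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000'
DH_1024='Server Temp Key: DH, 1024 bits
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA'
DH_2048='Server Temp Key: DH, 2048 bits
SSL-Session:
    Cipher    : DHE-RSA-AES256-SHA'
echo "ssl3 on:  $(handshake_verdict "$SSL3_ON")"
echo "ssl3 off: $(handshake_verdict "$SSL3_OFF")"
echo "dh 1024:  $(dh_verdict "$DH_1024")"
echo "dh 2048:  $(dh_verdict "$DH_2048")"
```

To use it against your own server, pass the captured output of the page's commands (for example the -ssl3 or -cipher EDH probe, with stderr included) as the function argument.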