目 录CONTENT

文章目录

openssl 漏洞扫描

xlong
2024-03-24 / 0 评论 / 0 点赞 / 13 阅读 / 3491 字 / 正在检测是否收录...

openssl 漏洞扫描

使用nmap扫描漏洞

出现警告表示存在 ssl 漏洞

| warnings: | 64-bit block cipher 3DES vulnerable to SWEET32 attack

[root@master1 ~]# docker run --rm -it jonlabelle/nmap --script ssl-enum-ciphers 192.168.100.200 -p 10250
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-18 05:25 UTC
Nmap scan report for 192.168.100.200
Host is up (0.00060s latency).
​
PORT      STATE SERVICE
10250/tcp open  unknown
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.3: 
|     ciphers: 
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: C
​
Nmap done: 1 IP address (1 host up) scanned in 1.28 seconds

去除kubelet 3DES的加密:

具体步骤: 以sealos部署kube1.19为例,其他请自行查阅配置

去除3DES,其他保留和之前一致

有提示 unexpected TLS cipher suite "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",去除对应加密模式

kubelet 在config.yaml 增加 tlsCipherSuites 属性

vim /var/lib/kubelet/config.yaml
​
tlsCipherSuites: [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA]
​
systemctl daemon-reload
systemctl restart kubelet.service


0

评论区