Overview
- France's national research institute (INRIA) and Microsoft discovered a vulnerability that allows an SSL connection to be forcibly downgraded to weak RSA.
※ CVE-2015-0204: a vulnerability in the ssl3_get_key_exchange function in OpenSSL's s3_clnt.c. An attacker performing a MITM (Man-In-The-Middle) attack can downgrade the connection to 512-bit RSA and leak information.
Affected systems
- Systems affected
- OpenSSL 0.9.8 series, versions before 0.9.8zd
- OpenSSL 1.0.0 series, versions before 1.0.0p
- OpenSSL 1.0.1 series, versions before 1.0.1k
- Other products from Apple, Google, Microsoft, etc. that use a vulnerable OpenSSL
[Command to check the OpenSSL version]
openssl version
[Command to check for the vulnerability]
openssl s_client -connect [website name]:443 -cipher EXPORT
If 'alert handshake failure' is returned, the server is safe from the vulnerability.
If 'Certificate chain' is returned, the server is exposed to the attack.
[How to respond to the vulnerability]
OpenSSL below 0.9.8zd -> update to OpenSSL 0.9.8ze
OpenSSL 1.0.0 branch below 1.0.0p -> update to OpenSSL 1.0.0q
OpenSSL 1.0.1 branch below 1.0.1k -> update to OpenSSL 1.0.1l
If a version upgrade is not feasible, it is recommended to disable every feature that supports the OpenSSL 'RSA_EXPORT Cipher Suites' or that can send an 'RSA_EXPORT suite' to clients.
※ Configure according to the recommendations at https://mozilla.github.io/server-side-tls/ssl-config-generator/
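Added example (not from the original advisory): a POSIX shell script that automates the version check and the s_client probe described above, using the fixed releases listed (0.9.8zd, 1.0.0p, 1.0.1k). The function names version_status, classify_probe and probe_host are my own, and the live probe needs network access plus an OpenSSL build that still ships EXPORT suites.

```shell
#!/bin/sh
# Added example, not part of the original advisory. version_status grades an
# "openssl version" banner against the fixed releases 0.9.8zd / 1.0.0p / 1.0.1k;
# classify_probe applies the advisory's two markers to an s_client transcript.

# OpenSSL patch letters: a longer suffix is newer ("za" > "z"), else alphabetical order.
suffix_ge() {
    if [ ${#1} -ne ${#2} ]; then [ ${#1} -gt ${#2} ]; return; fi
    [ "$1" = "$2" ] || [ "$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort | head -n 1)" = "$2" ]
}

# Prints fixed | vulnerable | unknown-branch for e.g. "OpenSSL 1.0.1j 15 Oct 2014".
version_status() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    branch=$(printf '%s' "$ver" | sed 's/[a-z]*$//')
    letters=$(printf '%s' "$ver" | sed 's/^[0-9.]*//')
    case "$branch" in
        0.9.8) fixed=zd ;;
        1.0.0) fixed=p ;;
        1.0.1) fixed=k ;;
        *) echo unknown-branch; return 2 ;;   # 1.0.2 and later: not in the advisory's table
    esac
    if suffix_ge "$letters" "$fixed"; then echo fixed; else echo vulnerable; return 1; fi
}

# Reads an s_client transcript from stdin and prints safe | exposed | unknown. A refused
# handshake never reaches the "Certificate chain" block, so that marker is tested first.
classify_probe() {
    out=$(cat)
    case "$out" in
        *"alert handshake failure"*) echo safe ;;
        *"Certificate chain"*)       echo exposed; return 1 ;;
        *)                           echo unknown; return 2 ;;   # DNS error, timeout, "no cipher match"
    esac
}

# Live probe of one host: stdin is closed so s_client exits after the handshake, and
# stderr is merged because that is where the alert is printed.
probe_host() {
    printf '%s: ' "$1"
    openssl s_client -connect "$1:443" -cipher EXPORT </dev/null 2>&1 | classify_probe
}

if [ $# -gt 0 ]; then
    for host in "$@"; do probe_host "$host"; done
else
    banner=$(openssl version 2>/dev/null || true)
    printf 'local %s -> %s\n' "${banner:-OpenSSL (not found)}" "$(version_status "$banner")"
fi
```

Run it with no arguments to grade the local OpenSSL, or with host names to probe servers. Distribution builds often backport the fix without changing the letter suffix, so treat the version result as a hint and the live probe as authoritative.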
[Client countermeasures]
Internet Explorer : patch announced on 3.10 (March 10)
Chrome : patched in v41
Safari : patch announced on 3.10 (March 10)
Android Browser : vulnerable
[Checking whether your web browser is patched]
When you visit the freakattack.com site, a red "Warning" message means the browser has not been patched; a green "Good News" message means the patch has been applied.
- Reference sites
- https://freakattack.com/