问题描述
我正在尝试减轻我们对 Poodle SSL 3.0 回退的脆弱性攻击.我们的管理员已经开始禁用 SSL,转而使用 TLS 来连接到我们的服务器.我们还建议我们的团队在他们的网络浏览器中禁用 SSL.我现在正在查看我们的 .NET 代码库,它通过 System.Net.HttpWebRequest.我相信如果这些连接允许从 TLS 回退到 SSL,它们可能容易受到 MITM 攻击.这是我迄今为止所确定的.有人可以仔细检查一下以确认我是对的吗?这个漏洞是全新的,所以我还没有看到微软关于如何在 .NET 中缓解它的任何指导:
I am trying to mitigate our vulnerability to the Poodle SSL 3.0 Fallback attack. Our admins have already started disabling SSL in favor of TLS for inbound connections to our servers. And we have also advised our team to disable SSL in their web browsers. I'm now looking at our .NET codebase, which initiates HTTPS connections with various services through System.Net.HttpWebRequest. I believe that these connections could be vulnerable to a MITM attack if they allow fallback from TLS to SSL. Here is what I have determined so far. Could some one please double-check this to verify that I am right? This vulnerability is brand new, so I have yet to see any guidance from Microsoft on how to mitigate it in .NET:
支持 .NET 安全通信的 System.Net.Security.SslStream 类允许的协议通过 System.Net.ServicePointManager.SecurityProtocol 为每个 AppDomain 全局设置财产.
The allowed protocols for the System.Net.Security.SslStream class, which underpins secure communication in .NET, are set globally for each AppDomain via the System.Net.ServicePointManager.SecurityProtocol property.
.NET 4.5 中此属性的默认值为 Ssl3 |Tls
(虽然我找不到支持它的文档.)SecurityProtocolType 是一个带有 Flags 属性的枚举,所以它是这两个值的按位 OR.您可以使用以下代码行在您的环境中检查这一点:
The default value of this property in .NET 4.5 is Ssl3 | Tls
(although I can't find documentation to back that up.) SecurityProtocolType is an enum with the Flags attribute, so it's a bitwise OR of those two values. You can check this in your environment with this line of code:
Console.WriteLine(System.Net.ServicePointManager.SecurityProtocol.ToString());
在您的应用程序中启动任何连接之前,这应该更改为 Tls
,或者可能是 Tls12
:
This should be changed to just Tls
, or perhaps Tls12
, before you initiate any connections in your app:
System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls;
重要提示:由于该属性支持多个按位标志,我假设 SslStream 在握手期间不会自动回退到其他未指定的协议.否则,支持多个标志有什么意义?
Important: Since the property supports multiple bitwise flags, I assume that the SslStream will not automatically fallback to other unspecified protocols during handshake. Otherwise, what would be the point of supporting multiple flags?
TLS 1.0 与 1.1/1.2 的更新:
根据 Google 安全专家 Adam Langley 的说法,后来发现 TLS 1.0 存在漏洞POODLE,如果没有正确实现,所以你应该考虑专门迁移到 TLS 1.2.
According to Google security expert Adam Langley, TLS 1.0 was later found to be vulnerable to POODLE if not implemented correctly, so you should consider moving to TLS 1.2 exclusively.
.NET Framework 4.7 及更高版本的更新:
正如下面的 Prof Von Lemongargle 所暗示的,从 .NET Framework 4.7 版开始,无需使用此 hack 作为默认设置将允许操作系统选择最安全的 TLS 协议版本.请参阅使用 .NET Framework 的传输层安全 (TLS) 最佳实践 了解更多信息.
As alluded to by Prof Von Lemongargle below, starting with version 4.7 of the .NET Framework, there is no need to use this hack as the default setting will allow the OS to choose the most secure TLS protocol version. See Transport Layer Security (TLS) best practices with the .NET Framework for more information.
推荐答案
我们正在做同样的事情.要仅支持 TLS 1.2 而没有 SSL 协议,您可以这样做:
We are doing the same thing. To support only TLS 1.2 and no SSL protocols, you can do this:
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
SecurityProtocolType.Tls 只是 TLS 1.0,并非所有 TLS 版本.
SecurityProtocolType.Tls is only TLS 1.0, not all TLS versions.
作为一个方面:如果您想检查您的站点是否不允许 SSL 连接,您可以在这里进行(我认为这不会受到上述设置的影响,我们不得不编辑注册表以强制 IIS将 TLS 用于传入连接):https://www.ssllabs.com/ssltest/index.html
As a side: If you want to check that your site does not allow SSL connections, you can do so here (I don't think this will be affected by the above setting, we had to edit the registry to force IIS to use TLS for incoming connections):https://www.ssllabs.com/ssltest/index.html
要在 IIS 中禁用 SSL 2.0 和 3.0,请参阅此页面:https://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html
To disable SSL 2.0 and 3.0 in IIS, see this page: https://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html
这篇关于禁用 SSL 回退并仅将 TLS 用于 .NET 中的出站连接?(贵宾犬缓解)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!