一、CVE-2016-2183
1、管理接口漏洞
(1) 获取管理地址支持的密码套件
[root@localdns3:Active:Standalone] config # tmsh list sys httpd ssl-ciphersuite
sys httpd {
ssl-ciphersuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256
}
(2)在所支持的密码套件中禁用 3DES 密码,在上一步输出的密码套件后加 :!3DES
[root@localdns3:Active:Standalone] config # tmsh modify sys httpd ssl-ciphersuite "ssl-ciphersuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:!3DES"
(3)修改ssl协议,禁用低版本ssl协议
[root@localdns3:Active:Standalone] config # tmsh modify sys httpd ssl-protocol "all -SSLv2 -SSLv3 -TLS v1"
(4)保存配置
[root@localdns3:Active:Standalone] config # tmsh save sys config
2、业务端口漏洞
(1)查看 ssl profile 证书密码套件
[root@localhost:Active:Standalone] config # tmsh list ltm profile client-ssl test_clientssl ciphers
ltm profile client-ssl test_clientssl {
ciphers DEFAULT
}
(2)修改 ssl profile ,在所支持的密码套件中禁用 3DES 密码,在上一步输出的密码套件后加 :!3DES 。
[root@localhost:Active:Standalone] config # tmsh modify ltm profile client-ssl test_clientssl ciphers "DEFAULT:!3DES"
(3)保存配置
[root@localdns3:Active:Standalone] config # tmsh save sys config
3、相关官方文档
https://support.f5.com/csp/article/K13167034
二、SSL/TLS 服务器瞬时 Diffie-Hellman 公共密钥过弱
(1)查看 ssl profile 证书密码套件
[root@localhost:Active:Standalone] config # tmsh list ltm profile client-ssl test_clientssl ciphers
ltm profile client-ssl test_clientssl {
ciphers DEFAULT
}
(2)修改 ssl profile ,在所支持的密码套件中禁用 DHE 密码,在上一步输出的密码套件后加 :!DHE 。
[root@localhost:Active:Standalone] config # tmsh modify ltm profile client-ssl test_clientssl ciphers "DEFAULT:!DHE"
(3)保存配置
[root@localdns3:Active:Standalone] config # tmsh save sys config
请问 这是什么程序源码啊