fatedier / frp

A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.
Apache License 2.0

The FRPS service we deployed was flagged by a network security scan for a TLS protocol information disclosure vulnerability (CVE-2016-2183). How should this be fixed? #3973

Closed zgh419566 closed 7 months ago

zgh419566 commented 9 months ago

Describe the feature request

I installed the frps service and exposed it on the public internet. Previously the information security team kept reporting that the host had been compromised (attacked). After I used a certificate to encrypt the traffic with TLS, it finally worked normally. Now the security team reports a TLS protocol information disclosure vulnerability (CVE-2016-2183). How should this be fixed?

The security team's scan screenshot reads as follows: FRP SSL/TLS protocol information disclosure vulnerability (CVE-2016-2183)

Describe alternatives you've considered

I found an article online describing how to mitigate this vulnerability in Go, for the author's reference.

For the Go CVE-2016-2183 vulnerability, an HTTPS server needs a TLS setting with a CipherSuites whitelist that removes the weak DES and 3DES cipher algorithms.

Affected area

zgh419566 commented 9 months ago

I fixed this issue https://blog.csdn.net/zgh419566/article/details/136055490

Force frp to use TLS 1.2 only when TLS mode is set, to avoid using the 3DES algorithm.

The 64-bit block cipher 3DES is vulnerable to the SWEET32 attack.

Users can scan for it with nmap as below: nmap -sV -p 7000 --script ssl-enum-ciphers x.x.x.x

PaperStrike commented 8 months ago

Go 1.17+ should already have removed DES from the list of secure cipher suites. So the only thing to fix is that Go's default suites are not the secure suites, for compatibility with old projects; every upstream developer should not have to maintain a list of secure algorithms themselves. https://github.com/golang/go/issues/41476

```go
for _, cs := range tls.CipherSuites() { // <- Secure suites only (tls.CipherSuites() returns []*tls.CipherSuite, so copy the IDs)
	base.CipherSuites = append(base.CipherSuites, cs.ID)
}
```

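
The two comments above describe the same fix: require TLS 1.2 and offer only the suites Go itself classifies as secure, so the 64-bit-block 3DES suite behind SWEET32 (CVE-2016-2183) is never advertised. The following is an added example of that hardening, not frp's own code and not the snippet from the linked blog post. It assumes a server built on the standard library `crypto/tls`; `secureTLSConfig`, `offersWeakSuite` and `suiteNames` are hypothetical helper names, and the "weak" config is constructed only for contrast.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// secureTLSConfig returns a tls.Config that requires TLS 1.2 or newer and
// offers only the suites in tls.CipherSuites(), Go's curated secure list.
// The 3DES suite flagged by SWEET32 is in tls.InsecureCipherSuites(), so it
// never enters this list. (Hypothetical helper, not frp's code.)
func secureTLSConfig() *tls.Config {
	secure := tls.CipherSuites()
	ids := make([]uint16, 0, len(secure))
	for _, cs := range secure {
		ids = append(ids, cs.ID) // Config.CipherSuites takes IDs, not *CipherSuite
	}
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: ids,
	}
}

// offersWeakSuite reports whether cfg would advertise any suite that Go marks
// insecure; this covers the 64-bit-block 3DES suite behind CVE-2016-2183.
// An empty CipherSuites list means "Go defaults", which is exactly the case
// the issue discusses, so it is treated as not verified rather than safe.
func offersWeakSuite(cfg *tls.Config) bool {
	insecure := make(map[uint16]bool)
	for _, cs := range tls.InsecureCipherSuites() {
		insecure[cs.ID] = true
	}
	for _, id := range cfg.CipherSuites {
		if insecure[id] {
			return true
		}
	}
	return false
}

// suiteNames renders the configured suite IDs as IANA names, which is the
// form a scanner such as nmap's ssl-enum-ciphers script reports them in.
func suiteNames(cfg *tls.Config) []string {
	names := make([]string, 0, len(cfg.CipherSuites))
	for _, id := range cfg.CipherSuites {
		names = append(names, tls.CipherSuiteName(id))
	}
	return names
}

func main() {
	// Constructed weak config for contrast: it explicitly lists the 3DES suite.
	weak := &tls.Config{CipherSuites: []uint16{tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA}}
	fmt.Println("weak config offers an insecure suite:", offersWeakSuite(weak))

	hardened := secureTLSConfig()
	fmt.Println("hardened config offers an insecure suite:", offersWeakSuite(hardened))
	for _, n := range suiteNames(hardened) {
		fmt.Println("  ", n)
	}
}
```

Pass the result of `secureTLSConfig()` wherever the server builds its `tls.Config`; the suite names it prints are what the nmap scan from the earlier comment should show after the change, with no 3DES entry.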
github-actions[bot] commented 7 months ago

Issues go stale after 21d of inactivity. Stale issues rot after an additional 7d of inactivity and eventually close.

feipinxiang commented 4 months ago

Go 1.17+ should already have removed DES from the list of secure cipher suites. So the only thing to fix is that Go's default suites are not the secure suites, for compatibility with old projects; every upstream developer should not have to maintain a list of secure algorithms themselves. golang/go#41476

```go
for _, cs := range tls.CipherSuites() { // <- Secure suites only (tls.CipherSuites() returns []*tls.CipherSuite, so copy the IDs)
	base.CipherSuites = append(base.CipherSuites, cs.ID)
}
```

The current frp version is 0.58.1. Is the only option to modify the code and rebuild it myself?