Posted on March 16th, 2018
Posted on March 14th, 2017
Posted on November 7th, 2014
該弱點 Apache Tomcat Default Error Page Version Detection
意思是在 tomcat 的預設錯誤頁會呈現 Tomcat 版本, 可能讓攻擊者得知該版本有什麼弱點並藉此攻擊
這個弱點修復要替換 jar 檔 catalina.jar
中的檔案: org/apache/catalina/util/ServerInfo.properties
原本這行是: server.info=Apache Tomcat/7.042
把版本號拿掉變成: server.info=Apache Tomcat
如附件截圖, 修改後就不會在 Default Error Page 出現 Tomcat 版本
Posted on October 23rd, 2014
修改檔案 Tomcat7\conf\server.xml
在 connector
增加 attribute: sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
, 並拿掉 cipher 中非 TLS 的項
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="tomcat.keystore" keystorePass="intumit"
ciphers="SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" />
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="tomcat.keystore" keystorePass="intumit"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA" />
_
___ ___| |___ ___ __ _ _ __
/ __/ __| / __|/ __/ _` | '_ \
\__ \__ \ \__ \ (_| (_| | | | |
|___/___/_|___/\___\__,_|_| |_|
Version 1.8.2-win
http://www.titania.co.uk
Copyright Ian Ventura-Whiting 2009
Compiled against OpenSSL 0.9.8m 25 Feb 2010
Testing SSL server 10.254.1.233 on port 443
Supported Server Cipher(s):
Rejected SSLv2 168 bits DES-CBC3-MD5
Rejected SSLv2 56 bits DES-CBC-MD5
Rejected SSLv2 128 bits IDEA-CBC-MD5
Rejected SSLv2 40 bits EXP-RC2-CBC-MD5
Rejected SSLv2 128 bits RC2-CBC-MD5
Rejected SSLv2 40 bits EXP-RC4-MD5
Rejected SSLv2 128 bits RC4-MD5
Rejected SSLv3 256 bits ADH-AES256-SHA
Rejected SSLv3 256 bits DHE-RSA-AES256-SHA
Rejected SSLv3 256 bits DHE-DSS-AES256-SHA
Rejected SSLv3 256 bits AES256-SHA
Rejected SSLv3 128 bits ADH-AES128-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Rejected SSLv3 128 bits DHE-DSS-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Rejected SSLv3 168 bits ADH-DES-CBC3-SHA
Rejected SSLv3 56 bits ADH-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-ADH-DES-CBC-SHA
Rejected SSLv3 128 bits ADH-RC4-MD5
Rejected SSLv3 40 bits EXP-ADH-RC4-MD5
Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Rejected SSLv3 56 bits EDH-RSA-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
Rejected SSLv3 168 bits EDH-DSS-DES-CBC3-SHA
Rejected SSLv3 56 bits EDH-DSS-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-EDH-DSS-DES-CBC-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Rejected SSLv3 56 bits DES-CBC-SHA
Rejected SSLv3 40 bits EXP-DES-CBC-SHA
Rejected SSLv3 128 bits IDEA-CBC-SHA
Rejected SSLv3 40 bits EXP-RC2-CBC-MD5
Accepted SSLv3 128 bits RC4-SHA
Rejected SSLv3 128 bits RC4-MD5
Rejected SSLv3 40 bits EXP-RC4-MD5
Rejected SSLv3 0 bits NULL-SHA
Rejected SSLv3 0 bits NULL-MD5
Rejected TLSv1 256 bits ADH-AES256-SHA
Rejected TLSv1 256 bits DHE-RSA-AES256-SHA
Rejected TLSv1 256 bits DHE-DSS-AES256-SHA
Rejected TLSv1 256 bits AES256-SHA
Rejected TLSv1 128 bits ADH-AES128-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Rejected TLSv1 128 bits DHE-DSS-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Rejected TLSv1 168 bits ADH-DES-CBC3-SHA
Rejected TLSv1 56 bits ADH-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-ADH-DES-CBC-SHA
Rejected TLSv1 128 bits ADH-RC4-MD5
Rejected TLSv1 40 bits EXP-ADH-RC4-MD5
Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Rejected TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Rejected TLSv1 168 bits EDH-DSS-DES-CBC3-SHA
Rejected TLSv1 56 bits EDH-DSS-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-EDH-DSS-DES-CBC-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Rejected TLSv1 56 bits DES-CBC-SHA
Rejected TLSv1 40 bits EXP-DES-CBC-SHA
Rejected TLSv1 128 bits IDEA-CBC-SHA
Rejected TLSv1 40 bits EXP-RC2-CBC-MD5
Accepted TLSv1 128 bits RC4-SHA
Rejected TLSv1 128 bits RC4-MD5
Rejected TLSv1 40 bits EXP-RC4-MD5
Rejected TLSv1 0 bits NULL-SHA
Rejected TLSv1 0 bits NULL-MD5
Prefered Server Cipher(s):
SSLv3 128 bits DHE-RSA-AES128-SHA
TLSv1 128 bits DHE-RSA-AES128-SHA
SSL Certificate:
Version: 2
Serial Number: -4294967295
Signature Algorithm: sha1WithRSAEncryption
Issuer: 馬賽克
Not valid before: Feb 19 07:35:50 2014 GMT
Not valid after: Feb 19 07:35:50 2016 GMT
Subject: 馬賽克
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:ad:e3:69:8a:78:d3:f3:fa:0d:60:33:ca:fe:25:
94:9b:1e:04:85:36:10:ac:76:63:82:62:61:f8:f5:
eb:0d:31:69:8c:80:54:91:3e:b5:a3:25:05:0a:22:
5e:5e:b1:c9:fa:9c:a6:08:71:3c:09:dc:22:7a:ee:
56:96:2c:b3:57:88:02:b0:9f:7b:7d:72:e7:79:bf:
1f:d6:a0:85:3f:b0:10:c3:dc:46:86:1c:e4:51:c8:
7c:d4:c2:fb:42:f7:6e:b3:63:f1:6c:2a:38:7a:29:
35:16:5a:ee:ff:a2:eb:31:0b:40:7e:96:66:8f:f2:
ac:5b:29:8b:33:74:cd:84:4b
Exponent: 65537 (0x10001)
X509v3 Extensions:
X509v3 Subject Key Identifier:
8B:E6:57:28:9C:DE:99:FE:A6:95:15:89:10:5C:85:AC:6F:3D:CB:90
X509v3 Authority Key Identifier:
keyid:0C:CE:36:BA:EB:3D:14:35:D7:C5:C3:CA:59:8B:27:81:8F:59:CD:6F
X509v3 CRL Distribution Points:
URI:馬賽克
URI:馬賽克
Authority Information Access:
CA Issuers - URI:馬賽克
CA Issuers - URI:馬賽克
1.3.6.1.4.1.311.20.2:
...W.e.b.S.e.r.v.e.r
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
Verify Certificate:
self signed certificate in certificate chain
_
___ ___| |___ ___ __ _ _ __
/ __/ __| / __|/ __/ _` | '_ \
\__ \__ \ \__ \ (_| (_| | | | |
|___/___/_|___/\___\__,_|_| |_|
Version 1.8.2-win
http://www.titania.co.uk
Copyright Ian Ventura-Whiting 2009
Compiled against OpenSSL 0.9.8m 25 Feb 2010
Testing SSL server blahblah.com on port 443
Supported Server Cipher(s):
Rejected SSLv2 168 bits DES-CBC3-MD5
Rejected SSLv2 56 bits DES-CBC-MD5
Rejected SSLv2 128 bits IDEA-CBC-MD5
Rejected SSLv2 40 bits EXP-RC2-CBC-MD5
Rejected SSLv2 128 bits RC2-CBC-MD5
Rejected SSLv2 40 bits EXP-RC4-MD5
Rejected SSLv2 128 bits RC4-MD5
Failed SSLv3 256 bits ADH-AES256-SHA
Failed SSLv3 256 bits DHE-RSA-AES256-SHA
Failed SSLv3 256 bits DHE-DSS-AES256-SHA
Failed SSLv3 256 bits AES256-SHA
Failed SSLv3 128 bits ADH-AES128-SHA
Failed SSLv3 128 bits DHE-RSA-AES128-SHA
Failed SSLv3 128 bits DHE-DSS-AES128-SHA
Failed SSLv3 128 bits AES128-SHA
Failed SSLv3 168 bits ADH-DES-CBC3-SHA
Failed SSLv3 56 bits ADH-DES-CBC-SHA
Failed SSLv3 40 bits EXP-ADH-DES-CBC-SHA
Failed SSLv3 128 bits ADH-RC4-MD5
Failed SSLv3 40 bits EXP-ADH-RC4-MD5
Failed SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Failed SSLv3 56 bits EDH-RSA-DES-CBC-SHA
Failed SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
Failed SSLv3 168 bits EDH-DSS-DES-CBC3-SHA
Failed SSLv3 56 bits EDH-DSS-DES-CBC-SHA
Failed SSLv3 40 bits EXP-EDH-DSS-DES-CBC-SHA
Failed SSLv3 168 bits DES-CBC3-SHA
Failed SSLv3 56 bits DES-CBC-SHA
Failed SSLv3 40 bits EXP-DES-CBC-SHA
Failed SSLv3 128 bits IDEA-CBC-SHA
Failed SSLv3 40 bits EXP-RC2-CBC-MD5
Failed SSLv3 128 bits RC4-SHA
Failed SSLv3 128 bits RC4-MD5
Failed SSLv3 40 bits EXP-RC4-MD5
Failed SSLv3 0 bits NULL-SHA
Failed SSLv3 0 bits NULL-MD5
Rejected TLSv1 256 bits ADH-AES256-SHA
Rejected TLSv1 256 bits DHE-RSA-AES256-SHA
Rejected TLSv1 256 bits DHE-DSS-AES256-SHA
Rejected TLSv1 256 bits AES256-SHA
Rejected TLSv1 128 bits ADH-AES128-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Rejected TLSv1 128 bits DHE-DSS-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Rejected TLSv1 168 bits ADH-DES-CBC3-SHA
Rejected TLSv1 56 bits ADH-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-ADH-DES-CBC-SHA
Rejected TLSv1 128 bits ADH-RC4-MD5
Rejected TLSv1 40 bits EXP-ADH-RC4-MD5
Rejected TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Rejected TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Rejected TLSv1 168 bits EDH-DSS-DES-CBC3-SHA
Rejected TLSv1 56 bits EDH-DSS-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-EDH-DSS-DES-CBC-SHA
Rejected TLSv1 168 bits DES-CBC3-SHA
Rejected TLSv1 56 bits DES-CBC-SHA
Rejected TLSv1 40 bits EXP-DES-CBC-SHA
Rejected TLSv1 128 bits IDEA-CBC-SHA
Rejected TLSv1 40 bits EXP-RC2-CBC-MD5
Rejected TLSv1 128 bits RC4-SHA
Rejected TLSv1 128 bits RC4-MD5
Rejected TLSv1 40 bits EXP-RC4-MD5
Rejected TLSv1 0 bits NULL-SHA
Rejected TLSv1 0 bits NULL-MD5
Prefered Server Cipher(s):
TLSv1 128 bits DHE-RSA-AES128-SHA
Posted on September 4th, 2014
C:\j2sdk1.4.2_05\bin>keytool -genkey -alias mykey( 別名 :可自設) -validity 720( 效期 ) -keyalg RSA -keysize 1024 -keystore tomcat.keystore(產出的 keystore檔名) -storepass mypassword( 密碼自設 ) –keypass mypassword(密碼自設)
一般名字與姓名會輸入該網站的 daman,若測試輸入localhost即可,其他資訊看客戶是否有要求,否則隨意填即可。
C:\j2sdk1.4.2_05\bin>keytool -certreq -alias mykey(Step1 設定的別名 ) -file cert.csr(產出的csr 檔名 ) -keystore tomcat.keystore (Step1產出的 keystore檔) -storepass mypassword(Step1 keystore密碼 )
匯出的憑證內容
利用 CSR檔產回CRE 憑證檔進行匯入。
此時,請確認客戶產出 CRE檔的程式,是否有根憑證或中繼憑證,若有麻煩先匯入根憑證及中繼憑證,否則會無法匯入憑證。
方法 1: 根憑證及中繼憑證匯入Java Security ,再匯入產出的 CRE憑證檔
C:\j2sdk1.4.2_05\bin>keytool -import -trustcacerts -alias tomcat( 別名 :可自設) -file server.cer(根憑證、中繼憑證 ) -keystore %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit(jre預設密碼是 changeit)
C:\j2sdk1.4.2_05\bin>keytool -import -trustcacerts -alias mykey(Step1 設定的別名 ) -file cert.cer(產出的憑證檔 ) -keystore tomcat.keystore(Step1產出的keystore 檔) -storepass mypassword(Step1 keystore密碼 )
方法 2:直接匯入keystore( 依信任關係,由最上層憑證,依序往下安裝 )
C:\j2sdk1.4.2_05\bin> keytool -import -alias mykey(別名 :可自設) -file server.cer(根憑證、中繼憑證 ) -keystore tomcat .keystore(Step1產出的 keystore檔) -storepass mypassword(Step1 keystore密碼 )
C:\j2sdk1.4.2_05\bin>keytool -import -trustcacerts -alias mykey(Step1 設定的別名 ) -file cert.cer(產出的憑證檔 ) -keystore tomcat.keystore(Step1產出的keystore 檔) -storepass mypassword(Step1 keystore密碼 )
匯入完成的訊息
1.如果客戶是自己認證沒經過第三方大廠,匯入客戶的根憑證及中繼憑證是一定要的,不然匯不進去。
2.記得要改成 protocol="org.apache.coyote.http11.Http11Protocol"
,APR 的方式測試都不成功,等有人成功可以分享一下。
3.查詢keystore 資訊語法
keytool -list -keystore tomcat.keystore(Step1 產出的 keystore檔) -storepass mypassword(Step1 keystore密碼 )
感謝 Nick 教學
Notes from my experience.