SSL Certificate Signed Using Weak Hashing Algorithm小电影网站
操作系统版块:Windows Server 2012 R2
弁言:惩处SSL Certificate Signed Using Weak Hashing Algorithm流程中生成文凭时聘任自签名故仍然会保留SSL Certificate Cannot Be Trusted、SSL Self-Signed Certificate问题,惩处SSL Certificate Cannot Be Trusted、SSL Self-Signed Certificate可央求官方机构颁布文凭
SSL Certificate Signed Using Weak Hashing Algorithm
SSL Certificate Signed Using Weak Hashing Algorithm
Description
The remote service uses an SSL certificate chain that has been signed using a cryptographically weak hashing algorithm (e.g. MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable to collision attacks. An attacker can exploit this to generate another certificate with the same digital signature, allowing an attacker to masquerade as the affected service.
Note that this plugin reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017 as vulnerable. This is in accordance with Google’s gradual sunsetting of the SHA-1 cryptographic hash algorithm.
Note that certificates in the chain that are contained in the Nessus CA database (known_CA.inc) have been ignored.
Solution
Contact the Certificate Authority to have the SSL certificate reissued.
See Also
https://tools.ietf.org/html/rfc3279
色吧影院http://www.nessus.org/u?9bb87bf2
http://www.nessus.org/u?e120eea1
http://www.nessus.org/u?5d894816
http://www.nessus.org/u?51db68aa
http://www.nessus.org/u?9dc7bfba
OutputThe following certificates were part of the certificate chain sent by the remote host, but contain hashes that are considered to be weak. Subject : CN=SSL_Self_Signed_Fallback Signature Algorithm : SHA-1 With RSA Encryption Valid From : Dec 17 19:04:21 2020 GMT Valid To : Dec 17 19:04:21 2050 GMT Raw PEM certificate : -----BEGIN CERTIFICATE----- MIIB + zCCAWSgAwIBAgIQetsANEKCqoZC74W4Z0idJjANBgkqhkiG9w0BAQUFADA7MTkwNwYDVQQDHjAAUwBTAEwAXwBTAGUAbABmAF8AUwBpAGcAbgBlAGQAXwBGAGEAbABsAGIAYQBjAGswIBcNMjAxMjE3MTkwNDIxWhgPMjA1MDEyMTcxOTA0MjFaMDsxOTA3BgNVBAMeMABTAFMATABfAFMAZQBsAGYAXwBTAGkAZwBuAGUAZABfAEYAYQBsAGwAYgBhAGMAazCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyYE0CntRczYPDMlxdYUiCLICPQDtzC3qgf3EvS4Gy8YISvhtxZ0GFYBfxwulmPRitOzbs6BU8 / BGKCP7dJ4nwbVx6WFDKEdaHJ3j / WrFKL8KJK0nrOP2hyIwbLqke237QT6d4Hu3C4zVmO4rTAcGdvWs1PTWk7zcnnufUs6COL0CAwEAATANBgkqhkiG9w0BAQUFAAOBgQAHcHkn6n7hDfsqJcmVylQxNcBKqTbW6tYS + IbQi0Hlpd9hcqyKJ / 3NI1hAZi2 + bhlv + Eg2Wx7X11Rg4kwGCaAqGJx4rABKYx7K + H3Xyq8OUzGMcfedY7h + K / QQlbR + 1Z1tPjsmgWpPX6lhcXB0ba18qfMfyRxhEbq8gm7PEXmeHQ == -----END CERTIFICATE-----
Risk Information
Risk Factor: Medium
CVSS v3.0 Base Score 7.5
CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS v3.0 Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
CVSS v3.0 Temporal Score: 6.7
CVSS v2.0 Base Score: 5.0
CVSS v2.0 Temporal Score: 3.9
CVSS v2.0 Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS v2.0 Temporal Vector: CVSS2#E:POC/RL:OF/RC:C
Vulnerability Information
CPE: cpe:/a:ietf:md5 cpe:/a:ietf:x.509_certificate
Exploit Available: true
Exploit Ease: Exploits are available
Vulnerability Pub Date: August 18, 2004
Reference Information
CWE: 310
CERT: 836068
BID: 11849, 33065
CVE: CVE-2004-2761
证据证据
SSL Certificate Signed Using Weak Hashing Algorithm是因SSL文凭中使用的签名算法不合适IETF条件,需要重腾达成SSL文凭且SSL文凭中的签名算法、密钥长度均要注释合稳健前的IETF条件,同期字据其受影响软件情况更换受影响软件的SSL文凭。
SSL Certificate Signed Using Weak Hashing Algorithm in RDP
SSL Certificate Signed Using Weak Hashing Algorithm
Description
The remote service uses an SSL certificate chain that has been signed using a cryptographically weak hashing algorithm (e.g. MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable to collision attacks. An attacker can exploit this to generate another certificate with the same digital signature, allowing an attacker to masquerade as the affected service.
Note that this plugin reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017 as vulnerable. This is in accordance with Google’s gradual sunsetting of the SHA-1 cryptographic hash algorithm.
Note that certificates in the chain that are contained in the Nessus CA database (known_CA.inc) have been ignored.
Solution
Contact the Certificate Authority to have the SSL certificate reissued.
See Also
https://tools.ietf.org/html/rfc3279
http://www.nessus.org/u?9bb87bf2
http://www.nessus.org/u?e120eea1
http://www.nessus.org/u?5d894816
http://www.nessus.org/u?51db68aa
http://www.nessus.org/u?9dc7bfba
OutputThe following certificates were part of the certificate chain sent by the remote host, but contain hashes that are considered to be weak. Subject : CN=SSL_Self_Signed_Fallback Signature Algorithm : SHA-1 With RSA Encryption Valid From : Dec 17 19:04:21 2020 GMT Valid To : Dec 17 19:04:21 2050 GMT Raw PEM certificate : -----BEGIN CERTIFICATE----- MIIB + zCCAWSgAwIBAgIQetsANEKCqoZC74W4Z0idJjANBgkqhkiG9w0BAQUFADA7MTkwNwYDVQQDHjAAUwBTAEwAXwBTAGUAbABmAF8AUwBpAGcAbgBlAGQAXwBGAGEAbABsAGIAYQBjAGswIBcNMjAxMjE3MTkwNDIxWhgPMjA1MDEyMTcxOTA0MjFaMDsxOTA3BgNVBAMeMABTAFMATABfAFMAZQBsAGYAXwBTAGkAZwBuAGUAZABfAEYAYQBsAGwAYgBhAGMAazCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyYE0CntRczYPDMlxdYUiCLICPQDtzC3qgf3EvS4Gy8YISvhtxZ0GFYBfxwulmPRitOzbs6BU8 / BGKCP7dJ4nwbVx6WFDKEdaHJ3j / WrFKL8KJK0nrOP2hyIwbLqke237QT6d4Hu3C4zVmO4rTAcGdvWs1PTWk7zcnnufUs6COL0CAwEAATANBgkqhkiG9w0BAQUFAAOBgQAHcHkn6n7hDfsqJcmVylQxNcBKqTbW6tYS + IbQi0Hlpd9hcqyKJ / 3NI1hAZi2 + bhlv + Eg2Wx7X11Rg4kwGCaAqGJx4rABKYx7K + H3Xyq8OUzGMcfedY7h + K / QQlbR + 1Z1tPjsmgWpPX6lhcXB0ba18qfMfyRxhEbq8gm7PEXmeHQ == -----END CERTIFICATE-----
Risk Information
Risk Factor: Medium
CVSS v3.0 Base Score 7.5
CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS v3.0 Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
CVSS v3.0 Temporal Score: 6.7
CVSS v2.0 Base Score: 5.0
CVSS v2.0 Temporal Score: 3.9
CVSS v2.0 Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS v2.0 Temporal Vector: CVSS2#E:POC/RL:OF/RC:C
Vulnerability Information
CPE: cpe:/a:ietf:md5 cpe:/a:ietf:x.509_certificate
Exploit Available: true
Exploit Ease: Exploits are available
Vulnerability Pub Date: August 18, 2004
Reference Information
CWE: 310
CERT: 836068
BID: 11849, 33065
CVE: CVE-2004-2761
Software
RDP
操作措施
考据存在SSL Certificate Signed Using Weak Hashing Algorithm
开启费力桌面稽查费力桌面文凭,看到文凭的签名算法是SHA1RSA,公钥长度为RSA(2048 Bits)
图片
图片
图片
图片
图片
通过测试RDP打听流程考据RDP SSL文凭签名算法为SHA1RSA、签名哈希算法为SHA1
搜索或下载文凭器具小电影网站
搜索自有makecert.exe和pvk2pfx.exe或下载我的共享资源
生成文凭
将makecert.exe和pvk2pfx.exe拷贝到C:/Windows/System32目次下并在面前目次下启动Windows PowerShellcd C:\Windows\System32
启动makecert生成文凭,指定文凭的签名算法SHA256RSA,公钥长度为RSA(2048 Bits)makecert -r -pe -n "CN=Server" -b 01/01/2015 -e 01/01/2055 -sky exchange -sv ServerPublicKey.pvk ServerPublicKey.cer -a sha256 -len 2048
输入Private Key Password,为安闲复杂度条件缔造为8位以上数字、字母、特等字符组合
图片
图片
领导信息,凯旋时领导SucceededPS C:\Windows\System32> makecert -r -pe -n "CN=Server" -b 01/01/2015 -e 01/01/2055 -sky exchange -sv ServerPublicKey.pvk ServerPublicKey.cer -a sha256 -len 2048 Succeeded
启动pvk2pfx字据pvk文凭导出pfx样式文凭,-pi参数后接缔造的Private Key Passwordpvk2pfx -pvk ServerPublicKey.pvk -spc ServerPublicKey.cer -pfx ServerPrivateKey.pfx -pi password
领导信息,凯旋时无领导信息PS C:\Windows\System32> pvk2pfx -pvk ServerPublicKey.pvk -spc ServerPublicKey.cer -pfx ServerPrivateKey.pfx -pi password
导入文凭
大开料理为止台mmc
图片
文献–>添加/删除料理单元–>可用的料理单元–>文凭–>添加–>操办机账户–>下一步–>腹地操办机–>完成–>详情
图片
图片
文凭(腹地操办机)(中间位置双击)–>个东谈主(右键)–>总计任务–>导入–>腹地机操办–>下一步–>浏览–>取舍C:\Windows\SysWOW64\ServerPrivateKey.pfx–>下一步–>输入Private Key Password–>详情–>下一步–>完成–>导入凯旋–>文凭(双击)–>出现带私钥的Server文凭
图片
图片
图片
图片
图片
图片
稽查文凭,纪录指纹信息
图片
添加文凭打听权限
Server文凭(右键)–>总计任务–>料理私钥–>添加–>输入对象称呼来取舍–>NETWORK SERVICE–>查验称呼–>详情–>分拨NETWORK SERVICE读取权限–>详情
图片
图片
图片
在RDP-tcp中加载文凭
通过Windows+R大开初始或在Windows Terminal、Windows PowerShell中大开注册表regedit
添加注册表项旅途:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp 称呼: SSLCertificateSHA1Hash 类型: REG_BINARY 值:文凭指纹值
缔造值为文凭指纹值
图片
考据文凭奏效情况
大开费力桌面重新联贯,凯旋缔造文凭
图片
图片
图片
图片
图片
缔造凯旋
留传问题
因生成文凭时聘任自签名故仍然会保留SSL Certificate Cannot Be Trusted、SSL Self-Signed Certificate问题,若要惩处该问题可在CA中心官方文凭网站央求文凭,也可搜索免费的文凭央求地址,梗概由集团单元里面自建长入CA中心颁发文凭同期在总计成立导入根文凭,现在国密算法正在抓行,若自建长入CA中心淡薄聘任国密体系。
SSL Certificate Signed Using Weak Hashing Algorithm in RDP
SSL Certificate Signed Using Weak Hashing Algorithm
Description
The remote service uses an SSL certificate chain that has been signed using a cryptographically weak hashing algorithm (e.g. MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable to collision attacks. An attacker can exploit this to generate another certificate with the same digital signature, allowing an attacker to masquerade as the affected service.
Note that this plugin reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017 as vulnerable. This is in accordance with Google’s gradual sunsetting of the SHA-1 cryptographic hash algorithm.
Note that certificates in the chain that are contained in the Nessus CA database (known_CA.inc) have been ignored.
Solution
Contact the Certificate Authority to have the SSL certificate reissued.
See Also
https://tools.ietf.org/html/rfc3279
http://www.nessus.org/u?9bb87bf2
http://www.nessus.org/u?e120eea1
http://www.nessus.org/u?5d894816
http://www.nessus.org/u?51db68aa
http://www.nessus.org/u?9dc7bfba
OutputThe following certificates were part of the certificate chain sent by the remote host, but contain hashes that are considered to be weak. Subject : CN=SSL_Self_Signed_Fallback Signature Algorithm : SHA-1 With RSA Encryption Valid From : Dec 17 19:04:21 2020 GMT Valid To : Dec 17 19:04:21 2050 GMT Raw PEM certificate : -----BEGIN CERTIFICATE----- MIIB + zCCAWSgAwIBAgIQetsANEKCqoZC74W4Z0idJjANBgkqhkiG9w0BAQUFADA7MTkwNwYDVQQDHjAAUwBTAEwAXwBTAGUAbABmAF8AUwBpAGcAbgBlAGQAXwBGAGEAbABsAGIAYQBjAGswIBcNMjAxMjE3MTkwNDIxWhgPMjA1MDEyMTcxOTA0MjFaMDsxOTA3BgNVBAMeMABTAFMATABfAFMAZQBsAGYAXwBTAGkAZwBuAGUAZABfAEYAYQBsAGwAYgBhAGMAazCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyYE0CntRczYPDMlxdYUiCLICPQDtzC3qgf3EvS4Gy8YISvhtxZ0GFYBfxwulmPRitOzbs6BU8 / BGKCP7dJ4nwbVx6WFDKEdaHJ3j / WrFKL8KJK0nrOP2hyIwbLqke237QT6d4Hu3C4zVmO4rTAcGdvWs1PTWk7zcnnufUs6COL0CAwEAATANBgkqhkiG9w0BAQUFAAOBgQAHcHkn6n7hDfsqJcmVylQxNcBKqTbW6tYS + IbQi0Hlpd9hcqyKJ / 3NI1hAZi2 + bhlv + Eg2Wx7X11Rg4kwGCaAqGJx4rABKYx7K + H3Xyq8OUzGMcfedY7h + K / QQlbR + 1Z1tPjsmgWpPX6lhcXB0ba18qfMfyRxhEbq8gm7PEXmeHQ == -----END CERTIFICATE-----
Risk Information
Risk Factor: Medium
CVSS v3.0 Base Score 7.5
CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS v3.0 Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
CVSS v3.0 Temporal Score: 6.7
CVSS v2.0 Base Score: 5.0
CVSS v2.0 Temporal Score: 3.9
CVSS v2.0 Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS v2.0 Temporal Vector: CVSS2#E:POC/RL:OF/RC:C
Vulnerability Information
CPE: cpe:/a:ietf:md5 cpe:/a:ietf:x.509_certificate
Exploit Available: true
Exploit Ease: Exploits are available
Vulnerability Pub Date: August 18, 2004
Reference Information
CWE: 310
CERT: 836068
BID: 11849, 33065
CVE: CVE-2004-2761
Software
SQL Server
操作措施
搜索或下载文凭器具
搜索自有makecert.exe和pvk2pfx.exe或下载我的共享资源
生成文凭
将makecert.exe和pvk2pfx.exe拷贝到C:/Windows/System32目次下并在面前目次下启动Windows PowerShellcd C:\Windows\System32
启动makecert生成文凭,指定文凭的签名算法SHA256RSA,公钥长度为RSA(2048 Bits)makecert -r -pe -n "CN=Server" -b 01/01/2015 -e 01/01/2055 -sky exchange -sv ServerPublicKey.pvk ServerPublicKey.cer -a sha256 -len 2048
输入Private Key Password,为安闲复杂度条件缔造为8位以上数字、字母、特等字符组合
图片
图片
领导信息,凯旋时领导SucceededPS C:\Windows\System32> makecert -r -pe -n "CN=Server" -b 01/01/2015 -e 01/01/2055 -sky exchange -sv ServerPublicKey.pvk ServerPublicKey.cer -a sha256 -len 2048 Succeeded
启动pvk2pfx字据pvk文凭导出pfx样式文凭,-pi参数后接缔造的Private Key Passwordpvk2pfx -pvk ServerPublicKey.pvk -spc ServerPublicKey.cer -pfx ServerPrivateKey.pfx -pi password
领导信息,凯旋时无领导信息PS C:\Windows\System32> pvk2pfx -pvk ServerPublicKey.pvk -spc ServerPublicKey.cer -pfx ServerPrivateKey.pfx -pi password
导入文凭
大开料理为止台mmc
图片
文献–>添加/删除料理单元–>可用的料理单元–>文凭–>添加–>操办机账户–>下一步–>腹地操办机–>完成–>详情
图片
图片
文凭(腹地操办机)(中间位置双击)–>个东谈主(右键)–>总计任务–>导入–>腹地机操办–>下一步–>浏览–>取舍C:\Windows\SysWOW64\ServerPrivateKey.pfx–>下一步–>输入Private Key Password–>详情–>下一步–>完成–>导入凯旋–>文凭(双击)–>出现带私钥的Server文凭
图片
图片
图片
图片
图片
图片
稽查文凭,纪录指纹信息
图片
添加文凭打听权限
Server文凭(右键)–>总计任务–>料理私钥–>添加–>输入对象称呼来取舍–>NETWORK SERVICE–>查验称呼–>详情–>分拨数据库用户读取权限–>详情
图片
图片
图片
在MSSQLServer中加载文凭
通过Windows+R大开初始或在Windows Terminal、Windows PowerShell中大开注册表regedit
添加注册表项旅途:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQLServer\SuperSocketNetLib 称呼: Certificate 类型: REG_SZ 值:文凭指纹值
参考文档:
https://www.cnblogs.com/huangzelin/p/3645520.html
https://jingyan.baidu.com/article/3aed632e153e9431108091c9.html
https://blog.csdn.net/a549569635/article/details/48831105
https://blog.csdn.net/kufeiyun/article/details/15337097
https://docs.microsoft.com/zh-cn/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine?redirectedfrom=MSDN&view=sql-server-ver15小电影网站
本站仅提供存储办事,总计本体均由用户发布,如发现存害或侵权本体,请点击举报。