SSL Certificate Signed Using Weak Hashing Algorithm物联网软件开发价格
操作系统版块:Windows Server 2012 R2
序言:惩处SSL Certificate Signed Using Weak Hashing Algorithm经过中生成文凭时承袭自签名故仍然会保留SSL Certificate Cannot Be Trusted、SSL Self-Signed Certificate问题,惩处SSL Certificate Cannot Be Trusted、SSL Self-Signed Certificate可央求官方机构颁布文凭
SSL Certificate Signed Using Weak Hashing Algorithm
SSL Certificate Signed Using Weak Hashing Algorithm
Description
The remote service uses an SSL certificate chain that has been signed using a cryptographically weak hashing algorithm (e.g. MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable to collision attacks. An attacker can exploit this to generate another certificate with the same digital signature, allowing an attacker to masquerade as the affected service.
Note that this plugin reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017 as vulnerable. This is in accordance with Google’s gradual sunsetting of the SHA-1 cryptographic hash algorithm.
Note that certificates in the chain that are contained in the Nessus CA database (known_CA.inc) have been ignored.
Solution
Contact the Certificate Authority to have the SSL certificate reissued.
See Also
https://tools.ietf.org/html/rfc3279
http://www.nessus.org/u?9bb87bf2
http://www.nessus.org/u?e120eea1
http://www.nessus.org/u?5d894816
http://www.nessus.org/u?51db68aa
http://www.nessus.org/u?9dc7bfba
OutputThe following certificates were part of the certificate chain sent by the remote host, but contain hashes that are considered to be weak. Subject : CN=SSL_Self_Signed_Fallback Signature Algorithm : SHA-1 With RSA Encryption Valid From : Dec 17 19:04:21 2020 GMT Valid To : Dec 17 19:04:21 2050 GMT Raw PEM certificate : -----BEGIN CERTIFICATE----- MIIB + zCCAWSgAwIBAgIQetsANEKCqoZC74W4Z0idJjANBgkqhkiG9w0BAQUFADA7MTkwNwYDVQQDHjAAUwBTAEwAXwBTAGUAbABmAF8AUwBpAGcAbgBlAGQAXwBGAGEAbABsAGIAYQBjAGswIBcNMjAxMjE3MTkwNDIxWhgPMjA1MDEyMTcxOTA0MjFaMDsxOTA3BgNVBAMeMABTAFMATABfAFMAZQBsAGYAXwBTAGkAZwBuAGUAZABfAEYAYQBsAGwAYgBhAGMAazCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyYE0CntRczYPDMlxdYUiCLICPQDtzC3qgf3EvS4Gy8YISvhtxZ0GFYBfxwulmPRitOzbs6BU8 / BGKCP7dJ4nwbVx6WFDKEdaHJ3j / WrFKL8KJK0nrOP2hyIwbLqke237QT6d4Hu3C4zVmO4rTAcGdvWs1PTWk7zcnnufUs6COL0CAwEAATANBgkqhkiG9w0BAQUFAAOBgQAHcHkn6n7hDfsqJcmVylQxNcBKqTbW6tYS + IbQi0Hlpd9hcqyKJ / 3NI1hAZi2 + bhlv + Eg2Wx7X11Rg4kwGCaAqGJx4rABKYx7K + H3Xyq8OUzGMcfedY7h + K / QQlbR + 1Z1tPjsmgWpPX6lhcXB0ba18qfMfyRxhEbq8gm7PEXmeHQ == -----END CERTIFICATE-----
Risk Information
Risk Factor: Medium
CVSS v3.0 Base Score 7.5
CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS v3.0 Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
CVSS v3.0 Temporal Score: 6.7
CVSS v2.0 Base Score: 5.0
CVSS v2.0 Temporal Score: 3.9
CVSS v2.0 Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS v2.0 Temporal Vector: CVSS2#E:POC/RL:OF/RC:C
Vulnerability Information
CPE: cpe:/a:ietf:md5 cpe:/a:ietf:x.509_certificate
Exploit Available: true
Exploit Ease: Exploits are available
Vulnerability Pub Date: August 18, 2004
小程序开发Reference Information
CWE: 310
CERT: 836068
BID: 11849, 33065
CVE: CVE-2004-2761
泄露证据
SSL Certificate Signed Using Weak Hashing Algorithm是因SSL文凭中使用的签名算法不合适IETF条目,需要再行生成SSL文凭且SSL文凭中的签名算法、密钥长度均要注意合适当前的IETF条目,同期字据其受影响软件情况更换受影响软件的SSL文凭。
SSL Certificate Signed Using Weak Hashing Algorithm in RDP
SSL Certificate Signed Using Weak Hashing Algorithm
Description
The remote service uses an SSL certificate chain that has been signed using a cryptographically weak hashing algorithm (e.g. MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable to collision attacks. An attacker can exploit this to generate another certificate with the same digital signature, allowing an attacker to masquerade as the affected service.
Note that this plugin reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017 as vulnerable. This is in accordance with Google’s gradual sunsetting of the SHA-1 cryptographic hash algorithm.
Note that certificates in the chain that are contained in the Nessus CA database (known_CA.inc) have been ignored.
Solution
Contact the Certificate Authority to have the SSL certificate reissued.
See Also
https://tools.ietf.org/html/rfc3279
http://www.nessus.org/u?9bb87bf2
http://www.nessus.org/u?e120eea1
http://www.nessus.org/u?5d894816
http://www.nessus.org/u?51db68aa
http://www.nessus.org/u?9dc7bfba
OutputThe following certificates were part of the certificate chain sent by the remote host, but contain hashes that are considered to be weak. Subject : CN=SSL_Self_Signed_Fallback Signature Algorithm : SHA-1 With RSA Encryption Valid From : Dec 17 19:04:21 2020 GMT Valid To : Dec 17 19:04:21 2050 GMT Raw PEM certificate : -----BEGIN CERTIFICATE----- MIIB + zCCAWSgAwIBAgIQetsANEKCqoZC74W4Z0idJjANBgkqhkiG9w0BAQUFADA7MTkwNwYDVQQDHjAAUwBTAEwAXwBTAGUAbABmAF8AUwBpAGcAbgBlAGQAXwBGAGEAbABsAGIAYQBjAGswIBcNMjAxMjE3MTkwNDIxWhgPMjA1MDEyMTcxOTA0MjFaMDsxOTA3BgNVBAMeMABTAFMATABfAFMAZQBsAGYAXwBTAGkAZwBuAGUAZABfAEYAYQBsAGwAYgBhAGMAazCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyYE0CntRczYPDMlxdYUiCLICPQDtzC3qgf3EvS4Gy8YISvhtxZ0GFYBfxwulmPRitOzbs6BU8 / BGKCP7dJ4nwbVx6WFDKEdaHJ3j / WrFKL8KJK0nrOP2hyIwbLqke237QT6d4Hu3C4zVmO4rTAcGdvWs1PTWk7zcnnufUs6COL0CAwEAATANBgkqhkiG9w0BAQUFAAOBgQAHcHkn6n7hDfsqJcmVylQxNcBKqTbW6tYS + IbQi0Hlpd9hcqyKJ / 3NI1hAZi2 + bhlv + Eg2Wx7X11Rg4kwGCaAqGJx4rABKYx7K + H3Xyq8OUzGMcfedY7h + K / QQlbR + 1Z1tPjsmgWpPX6lhcXB0ba18qfMfyRxhEbq8gm7PEXmeHQ == -----END CERTIFICATE-----
Risk Information
Risk Factor: Medium
CVSS v3.0 Base Score 7.5
CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS v3.0 Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
CVSS v3.0 Temporal Score: 6.7
CVSS v2.0 Base Score: 5.0
CVSS v2.0 Temporal Score: 3.9
CVSS v2.0 Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS v2.0 Temporal Vector: CVSS2#E:POC/RL:OF/RC:C
Vulnerability Information
CPE: cpe:/a:ietf:md5 cpe:/a:ietf:x.509_certificate
Exploit Available: true
Exploit Ease: Exploits are available
Vulnerability Pub Date: August 18, 2004
Reference Information
CWE: 310
CERT: 836068
BID: 11849, 33065
CVE: CVE-2004-2761
Software
RDP
操作门径
考据存在SSL Certificate Signed Using Weak Hashing Algorithm
开启而已桌面检察而已桌面文凭,看到文凭的签名算法是SHA1RSA,公钥长度为RSA(2048 Bits)
图片
图片
图片
图片
图片
通过测试RDP探访经过考据RDP SSL文凭签名算法为SHA1RSA、签名哈希算法为SHA1
搜索或下载文凭用具
搜索自有makecert.exe和pvk2pfx.exe或下载我的共享资源
生成文凭
将makecert.exe和pvk2pfx.exe拷贝到C:/Windows/System32目次下并在面前目次下启动Windows PowerShellcd C:\Windows\System32
启动makecert生成文凭,指定文凭的签名算法SHA256RSA,公钥长度为RSA(2048 Bits)makecert -r -pe -n "CN=Server" -b 01/01/2015 -e 01/01/2055 -sky exchange -sv ServerPublicKey.pvk ServerPublicKey.cer -a sha256 -len 2048
输入Private Key Password,为知足复杂度条目配置为8位以上数字、字母、异常字符组合
图片
图片
教唆信息,顺利时教唆SucceededPS C:\Windows\System32> makecert -r -pe -n "CN=Server" -b 01/01/2015 -e 01/01/2055 -sky exchange -sv ServerPublicKey.pvk ServerPublicKey.cer -a sha256 -len 2048 Succeeded
启动pvk2pfx字据pvk文凭导出pfx体式文凭,-pi参数后接配置的Private Key Passwordpvk2pfx -pvk ServerPublicKey.pvk -spc ServerPublicKey.cer -pfx ServerPrivateKey.pfx -pi password
教唆信息,顺利时无教唆信息PS C:\Windows\System32> pvk2pfx -pvk ServerPublicKey.pvk -spc ServerPublicKey.cer -pfx ServerPrivateKey.pfx -pi password
导入文凭
掀开经管规则台mmc
图片
文献–>添加/删除经管单元–>可用的经管单元–>文凭–>添加–>计较机账户–>下一步–>土产货计较机–>完成–>详情
图片
图片
文凭(土产货计较机)(中间位置双击)–>个东说念主(右键)–>通盘任务–>导入–>土产货机计较–>下一步–>浏览–>选择C:\Windows\SysWOW64\ServerPrivateKey.pfx–>下一步–>输入Private Key Password–>详情–>下一步–>完成–>导入顺利–>文凭(双击)–>出现带私钥的Server文凭
图片
图片
图片
图片
图片
图片
检察文凭,纪录指纹信息
图片
添加文凭探访权限
Server文凭(右键)–>通盘任务–>经管私钥–>添加–>输入对象称号来选择–>NETWORK SERVICE–>检查称号–>详情–>分派NETWORK SERVICE读取权限–>详情
首号球:上期奖号为2,开出小 号、偶号,该位前10次开出小 号、偶号的现象时其奖号分别为:426、205、211、430、425、006、479、031、070、400,其中首号球012路比为3:5:2。
财叔双色球:上期中一等奖861万,小单中4+1,076期中5+1,联系我们近期财叔中双色球大乐透一二等奖共获1575万元!上期财叔红胆06、14+偶数蓝球助攻一举拿下一等奖861万元[查看今日推荐]
图片
图片
图片
在RDP-tcp中加载文凭
通过Windows+R掀开启动或在Windows Terminal、Windows PowerShell中掀开注册表regedit
添加注册表项旅途:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp 称号: SSLCertificateSHA1Hash 类型: REG_BINARY 值:文凭指纹值
配置值为文凭指纹值
图片
考据文凭奏效情况
掀开而已桌面再行贯穿,顺利配置文凭
图片
图片
图片
图片
图片
配置顺利
留传问题
因生成文凭时承袭自签名故仍然会保留SSL Certificate Cannot Be Trusted、SSL Self-Signed Certificate问题,若要惩处该问题可在CA中心官方文凭网站央求文凭,也可搜索免费的文凭央求地址,大概由集团单元里面自建结伙CA中心颁发文凭同期在通盘诞生导入根文凭,当今国密算法正在扩充,若自建结伙CA中心提出承袭国密体系。
SSL Certificate Signed Using Weak Hashing Algorithm in RDP
SSL Certificate Signed Using Weak Hashing Algorithm
Description
The remote service uses an SSL certificate chain that has been signed using a cryptographically weak hashing algorithm (e.g. MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable to collision attacks. An attacker can exploit this to generate another certificate with the same digital signature, allowing an attacker to masquerade as the affected service.
Note that this plugin reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017 as vulnerable. This is in accordance with Google’s gradual sunsetting of the SHA-1 cryptographic hash algorithm.
Note that certificates in the chain that are contained in the Nessus CA database (known_CA.inc) have been ignored.
Solution
Contact the Certificate Authority to have the SSL certificate reissued.
See Also
https://tools.ietf.org/html/rfc3279
http://www.nessus.org/u?9bb87bf2
http://www.nessus.org/u?e120eea1
http://www.nessus.org/u?5d894816
http://www.nessus.org/u?51db68aa
http://www.nessus.org/u?9dc7bfba
OutputThe following certificates were part of the certificate chain sent by the remote host, but contain hashes that are considered to be weak. Subject : CN=SSL_Self_Signed_Fallback Signature Algorithm : SHA-1 With RSA Encryption Valid From : Dec 17 19:04:21 2020 GMT Valid To : Dec 17 19:04:21 2050 GMT Raw PEM certificate : -----BEGIN CERTIFICATE----- MIIB + zCCAWSgAwIBAgIQetsANEKCqoZC74W4Z0idJjANBgkqhkiG9w0BAQUFADA7MTkwNwYDVQQDHjAAUwBTAEwAXwBTAGUAbABmAF8AUwBpAGcAbgBlAGQAXwBGAGEAbABsAGIAYQBjAGswIBcNMjAxMjE3MTkwNDIxWhgPMjA1MDEyMTcxOTA0MjFaMDsxOTA3BgNVBAMeMABTAFMATABfAFMAZQBsAGYAXwBTAGkAZwBuAGUAZABfAEYAYQBsAGwAYgBhAGMAazCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyYE0CntRczYPDMlxdYUiCLICPQDtzC3qgf3EvS4Gy8YISvhtxZ0GFYBfxwulmPRitOzbs6BU8 / BGKCP7dJ4nwbVx6WFDKEdaHJ3j / WrFKL8KJK0nrOP2hyIwbLqke237QT6d4Hu3C4zVmO4rTAcGdvWs1PTWk7zcnnufUs6COL0CAwEAATANBgkqhkiG9w0BAQUFAAOBgQAHcHkn6n7hDfsqJcmVylQxNcBKqTbW6tYS + IbQi0Hlpd9hcqyKJ / 3NI1hAZi2 + bhlv + Eg2Wx7X11Rg4kwGCaAqGJx4rABKYx7K + H3Xyq8OUzGMcfedY7h + K / QQlbR + 1Z1tPjsmgWpPX6lhcXB0ba18qfMfyRxhEbq8gm7PEXmeHQ == -----END CERTIFICATE-----
Risk Information
Risk Factor: Medium
CVSS v3.0 Base Score 7.5
CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS v3.0 Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
CVSS v3.0 Temporal Score: 6.7
CVSS v2.0 Base Score: 5.0
CVSS v2.0 Temporal Score: 3.9
CVSS v2.0 Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS v2.0 Temporal Vector: CVSS2#E:POC/RL:OF/RC:C
Vulnerability Information
CPE: cpe:/a:ietf:md5 cpe:/a:ietf:x.509_certificate
Exploit Available: true
Exploit Ease: Exploits are available
Vulnerability Pub Date: August 18, 2004
Reference Information
CWE: 310
CERT: 836068
BID: 11849, 33065
CVE: CVE-2004-2761
Software
SQL Server
操作门径
搜索或下载文凭用具
搜索自有makecert.exe和pvk2pfx.exe或下载我的共享资源
生成文凭
将makecert.exe和pvk2pfx.exe拷贝到C:/Windows/System32目次下并在面前目次下启动Windows PowerShellcd C:\Windows\System32
启动makecert生成文凭,指定文凭的签名算法SHA256RSA,公钥长度为RSA(2048 Bits)makecert -r -pe -n "CN=Server" -b 01/01/2015 -e 01/01/2055 -sky exchange -sv ServerPublicKey.pvk ServerPublicKey.cer -a sha256 -len 2048
输入Private Key Password,为知足复杂度条目配置为8位以上数字、字母、异常字符组合
图片
图片
教唆信息,顺利时教唆SucceededPS C:\Windows\System32> makecert -r -pe -n "CN=Server" -b 01/01/2015 -e 01/01/2055 -sky exchange -sv ServerPublicKey.pvk ServerPublicKey.cer -a sha256 -len 2048 Succeeded
启动pvk2pfx字据pvk文凭导出pfx体式文凭,-pi参数后接配置的Private Key Passwordpvk2pfx -pvk ServerPublicKey.pvk -spc ServerPublicKey.cer -pfx ServerPrivateKey.pfx -pi password
教唆信息,顺利时无教唆信息PS C:\Windows\System32> pvk2pfx -pvk ServerPublicKey.pvk -spc ServerPublicKey.cer -pfx ServerPrivateKey.pfx -pi password
导入文凭
掀开经管规则台mmc
图片
文献–>添加/删除经管单元–>可用的经管单元–>文凭–>添加–>计较机账户–>下一步–>土产货计较机–>完成–>详情
图片
图片
文凭(土产货计较机)(中间位置双击)–>个东说念主(右键)–>通盘任务–>导入–>土产货机计较–>下一步–>浏览–>选择C:\Windows\SysWOW64\ServerPrivateKey.pfx–>下一步–>输入Private Key Password–>详情–>下一步–>完成–>导入顺利–>文凭(双击)–>出现带私钥的Server文凭
图片
图片
图片
图片
图片
图片
检察文凭,纪录指纹信息
图片
添加文凭探访权限
Server文凭(右键)–>通盘任务–>经管私钥–>添加–>输入对象称号来选择–>NETWORK SERVICE–>检查称号–>详情–>分派数据库用户读取权限–>详情
图片
图片
图片
在MSSQLServer中加载文凭
通过Windows+R掀开启动或在Windows Terminal、Windows PowerShell中掀开注册表regedit
添加注册表项旅途:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQLServer\SuperSocketNetLib 称号: Certificate 类型: REG_SZ 值:文凭指纹值
参考文档:
https://www.cnblogs.com/huangzelin/p/3645520.html
https://jingyan.baidu.com/article/3aed632e153e9431108091c9.html
https://blog.csdn.net/a549569635/article/details/48831105
https://blog.csdn.net/kufeiyun/article/details/15337097
https://docs.microsoft.com/zh-cn/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine?redirectedfrom=MSDN&view=sql-server-ver15物联网软件开发价格
本站仅提供存储做事,通盘本质均由用户发布,如发现存害或侵权本质,请点击举报。