[GitHub] [incubator-brpc] aericpp commented on issue #968: https开启双向认证后,SSL Renegotiation功能失效

Fri, 15 Nov 2019 00:47:46 -0800 

aericpp commented on issue #968: https开启双向认证后,SSL Renegotiation功能失效
URL: https://github.com/apache/incubator-brpc/issues/968#issuecomment-554268497
 
 
   > > > 由于之前一些SSL版本过低,renegotiation会引发安全问题,所以代码这里把这个关了
   > > > 
https://github.com/apache/incubator-brpc/blob/6efb0cff5f30f32437c660cef01c93549cf62679/src/brpc/details/ssl_helper.cpp#L140
   > > > 
   > > > 你看下你的log中,是否有上面日志里的这句话
   > > > Close xxx due to insecure renegotiation detected (CVE-2009-3555)
   > > 
   > > 
   > > 另外,这个关闭功能是针对openssl低版本吗?版本号条件有么?
   > 
   > 没,当时看最新的发布版还未修复,你这边openssl版本号是多少?我去复现下
   
   目前这个版本是有点低,1.0.0 稳定复现:
   ~/Documents/offline/incubator-brpc/example/http_c++$ ldd http_server
           linux-vdso.so.1 =>  (0x00007ffe38bf7000)
           libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 
(0x00007f2a53c84000)
           libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 
(0x00007f2a53a1b000)
           libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 
(0x00007f2a535d6000)
           libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f2a533d2000)
           libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f2a531b8000)
           librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f2a52fb0000)
           libleveldb.so.1 => /usr/lib/x86_64-linux-gnu/libleveldb.so.1 
(0x00007f2a52d56000)
           libtcmalloc_and_profiler.so.4 => 
/usr/lib/libtcmalloc_and_profiler.so.4 (0x00007f2a52ae1000)
           libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 
(0x00007f2a5275f000)
           libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f2a52456000)
           libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 
(0x00007f2a52240000)
           libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2a51e76000)
           /lib64/ld-linux-x86-64.so.2 (0x00007f2a53ea1000)
           libsnappy.so.1 => /usr/lib/x86_64-linux-gnu/libsnappy.so.1 
(0x00007f2a51c6e000)
           libunwind.so.8 => /usr/lib/x86_64-linux-gnu/libunwind.so.8 
(0x00007f2a51a53000)
           liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 
(0x00007f2a51831000)
   
   我也去试一下高版本的openssl

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to