From 9f183c1f6aaf3acfc979dbf019ae8753b6fc6b0e Mon Sep 17 00:00:00 2001
From: Joe <zhaojiejoe@163.com>
Date: Wed, 15 May 2024 17:44:46 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20SSL/TLS=E5=8D=8F=E8=AE=AE=E4=BF=A1?=
 =?UTF-8?q?=E6=81=AF=E6=B3=84=E9=9C=B2=E6=BC=8F=E6=B4=9E(CVE-2016-2183)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

nmap -p 3408 --script ssl-enum-ciphers 127.0.0.1
Starting Nmap 7.80 ( https://nmap.org ) at 2024-05-15 17:22 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).

PORT     STATE SERVICE
3408/tcp open  BESApi
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C
---
 utils/functions.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/utils/functions.go b/utils/functions.go
index d98363c4..3770e423 100755
--- a/utils/functions.go
+++ b/utils/functions.go
@@ -162,6 +162,17 @@ func ListenTls(ip string, port int, certBytes, keyBytes []byte) (ln *net.Listene
 		ServerName:   "proxy",
 		Certificates: []tls.Certificate{cert},
 		ClientAuth:   tls.RequireAndVerifyClientCert,
+                CipherSuites: []uint16{
+                    tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+                    tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+                    tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+                    tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+                    tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+                    tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+                    tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+                    tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+                    tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+                    },
 	}
 	_ln, err := tls.Listen("tcp", fmt.Sprintf("%s:%d", ip, port), config)
 	if err == nil {