修复 CVE-2016-2183

2022-04-07 15:11:14 +08:00 · 2022-04-07 15:11:14 +08:00 · 2b580067a2
parent 500a11612c
commit 2b580067a2
3 changed files with 41 additions and 22 deletions
--- a/README.md
+++ b/README.md
@ -30,16 +30,6 @@ AnyLink 服务端仅在 CentOS 7、Ubuntu 18.04 测试通过，如需要安装

 ![online](doc/screenshot/online.jpg)

-## Donate
-
-> 如果您觉得 anylink 对你有帮助，欢迎给我们打赏，也是帮助 anylink 更好的发展。
->
-> [查看打赏列表](doc/README.md)
-
-<p>
-    <img src="doc/screenshot/wxpay2.png" width="400" />
-</p>
-
 ## Installation

 > 没有编程基础的同学建议直接下载 release 包，从下面的地址下载 anylink-deploy.tar.gz
@ -250,14 +240,15 @@ sh bridge-init.sh
 5. 启动容器

   ```bash
+   # -e IPV4_CIDR=192.168.10.0/24 这个参数要与配置文件内的网段一致
   docker run -itd --name anylink --privileged \
+       -e IPV4_CIDR=192.168.10.0/24
       -p 443:443 -p 8800:8800 \
       --restart=always \
       bjdgyc/anylink
   ```

 6. 使用自定义参数启动容器
-
   ```bash
   # 参数可以参考 -h 命令
   docker run -itd --name anylink --privileged \
@ -277,6 +268,16 @@ sh bridge-init.sh
   docker build -t anylink .
   ```

+## Donate
+
+> 如果您觉得 anylink 对你有帮助，欢迎给我们打赏，也是帮助 anylink 更好的发展。
+>
+> [查看打赏列表](doc/README.md)
+
+<p>
+    <img src="doc/screenshot/wxpay2.png" width="400" />
+</p>
+
 ## 常见问题

 请前往 [问题地址](doc/question.md) 查看具体信息
--- a/server/admin/server.go
+++ b/server/admin/server.go
@ -2,6 +2,7 @@
 package admin

 import (
+	"crypto/tls"
 	"embed"
 	"net/http"
 	"net/http/pprof"
@ -69,7 +70,25 @@ func StartAdmin() {
 	}

 	base.Info("Listen admin", base.Cfg.AdminAddr)
-	err := http.ListenAndServeTLS(base.Cfg.AdminAddr, base.Cfg.CertFile, base.Cfg.CertKey, r)
+
+	// 修复 CVE-2016-2183
+	cipherSuites := tls.CipherSuites()
+	selectedCipherSuites := make([]uint16, 0, len(cipherSuites))
+	for _, s := range cipherSuites {
+		selectedCipherSuites = append(selectedCipherSuites, s.ID)
+	}
+	// 设置tls信息
+	tlsConfig := &tls.Config{
+		NextProtos:   []string{"http/1.1"},
+		MinVersion:   tls.VersionTLS12,
+		CipherSuites: selectedCipherSuites,
+	}
+	srv := &http.Server{
+		Addr:      base.Cfg.AdminAddr,
+		Handler:   r,
+		TLSConfig: tlsConfig,
+	}
+	err := srv.ListenAndServeTLS(base.Cfg.CertFile, base.Cfg.CertKey)
 	if err != nil {
 		base.Fatal(err)
 	}
--- a/server/handler/server.go
+++ b/server/handler/server.go
@ -19,11 +19,8 @@ func startTls() {
 	var (
 		err error

-		addr     = base.Cfg.ServerAddr
-		certFile = base.Cfg.CertFile
-		keyFile  = base.Cfg.CertKey
-		certs    = make([]tls.Certificate, 1)
-		ln       net.Listener
+		addr = base.Cfg.ServerAddr
+		ln   net.Listener
 	)

 	// 判断证书文件
@ -36,16 +33,18 @@ func startTls() {
 	//	certs[0], err = tls.LoadX509KeyPair(certFile, keyFile)
 	// }

-	certs[0], err = tls.LoadX509KeyPair(certFile, keyFile)
-	if err != nil {
-		panic(err)
+	// 修复 CVE-2016-2183
+	cipherSuites := tls.CipherSuites()
+	selectedCipherSuites := make([]uint16, 0, len(cipherSuites))
+	for _, s := range cipherSuites {
+		selectedCipherSuites = append(selectedCipherSuites, s.ID)
 	}

 	// 设置tls信息
 	tlsConfig := &tls.Config{
 		NextProtos:   []string{"http/1.1"},
 		MinVersion:   tls.VersionTLS12,
-		Certificates: certs,
+		CipherSuites: selectedCipherSuites,
 		// InsecureSkipVerify: true,
 	}
 	srv := &http.Server{
@ -66,7 +65,7 @@ func startTls() {
 	}

 	base.Info("listen server", addr)
-	err = srv.ServeTLS(ln, "", "")
+	err = srv.ServeTLS(ln, base.Cfg.CertFile, base.Cfg.CertKey)
 	if err != nil {
 		base.Fatal(err)
 	}