服务器 Gind.cn
  1. 服务器 Gind.cn
  3. 无法在Amazon Linux Instance上禁用SSLv3
Intereting Posts
Php.ini禁用“扫描该目录的附加.ini文件”? Windows Web服务器应该是Active Directory域的成员 X:\不可访问。 系统资源不足以完成请求的服务。 帮帮我 Galera上不同的InnoDB数据文件大小 错误118(net :: ERR_CONNECTION_TIMED_OUT):操作超时 LVM问题:由于M被分配,无法调整到N个扩展盘区 使用pam_mount模块挂载NFS共享 Windows Server 2003远程桌面login缓慢 简单的ACL不工作 NAT如何跟踪连接 存储过程需要更多时间来执行(Sql Server 2005) 优化Facebook应用程序…我应该从哪里开始? 可能根据login用户全局更改chmod权限? 在Mongo日志中的SocketException 有没有办法转发基于子域的端口?

无法在Amazon Linux Instance上禁用SSLv3

我正在使用由Go Daddy发布的SSL证书。 在我的Linux实例以下是软件的详细信息:

  • Apache版本 – Apache / 2.4.16(亚马逊)
  • OpenSSL版本 – OpenSSL 1.0.1k-fips 2015年1月8日
  • mod_ssl版本 – mod_ssl-2.4.2

注意: – 我从RPM软件包安装了Apache,后来我从rpm软件包安装了mod_ssl和openssl

1)问题是,当我禁用SSLv3和testingSSL服务器从https://www.ssllabs.com/ssltest/它给我警告“这个服务器不支持TLSv1.2是最好的” ,当我启用TLSv1 .2协议相同的testing警告我有关“此服务器支持SSLv3协议,易受Poodle攻击”如何禁用SSLv3并在服务器上同时启用TLSv1.2? 我的有关SSL的Vhost文件的当前configuration是: 

SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA SSLHonorCipherOrder on

2)我不能创build一个强大的Diffie-Hellman组。 当前是1024位的Diffie-Hellman组,并且希望为该站点创build2048位组。 我发出这个命令来生成2048位密钥: 

 openssl dhparam -out dhparams.pem 2048

而我在VHost的configuration是: 

 SSLOpenSSLConfCmd DHParameters /etc/httpd/dhparams.pem

当我重新启动服务器错误消息popup: 

 Invalid command 'SSLOpenSSLConfCmd', perhaps misspelled or defined by a module not included in the server configuration

如何解决这个问题?

输出命令openssl s_client -connect 127.0.0.1:443 -tls1_2 -msg启用S​​SLv3时: – 

 CONNECTED(00000003) >>> ??? [length 0005] >>> TLS 1.2 Handshake [length 0138], ClientHello <<< ??? [length 0005] <<< TLS 1.2 Handshake [length 003a], ServerHello <<< ??? [length 0005] <<< TLS 1.2 Handshake [length 12a7], Certificate depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority verify error:num=19:self signed certificate in certificate chain <<< ??? [length 0005] <<< TLS 1.2 Handshake [length 020f], ServerKeyExchange <<< ??? [length 0005] <<< TLS 1.2 Handshake [length 0004], ServerHelloDone >>> ??? [length 0005] >>> TLS 1.2 Handshake [length 0086], ClientKeyExchange >>> ??? [length 0005] >>> TLS 1.2 ChangeCipherSpec [length 0001] >>> ??? [length 0005] >>> TLS 1.2 Handshake [length 0010], Finished <<< ??? [length 0005] <<< TLS 1.2 Handshake [length 00ca]??? <<< ??? [length 0005] <<< TLS 1.2 ChangeCipherSpec [length 0001] <<< ??? [length 0005] <<< TLS 1.2 Handshake [length 0010], Finished

输出命令openssl s_client -connect 127.0.0.1:443 -ssl3 -msg与SSLv3禁用: – 

 >>> ??? [length 0005] >>> SSL 3.0 Handshake [length 0099], ClientHello <<< ??? [length 0005] <<< SSL 3.0 Alert [length 0002], fatal handshake_failure

输出命令openssl s_client -connect 127.0.0.1:443 -tls1_2 -msg当SSLv3被禁用时: – 

 CONNECTED(00000003) >>> ??? [length 0005] >>> TLS 1.2 Handshake [length 0138], ClientHello <<< ??? [length 0005] >>> ??? [length 0005] >>> TLS 1.0 Alert [length 0002], fatal protocol_version

SSLdebugging错误在Apache中input以下命令openssl s_client -connect 127.0.0.1:443 -tls1_2 -msg当SSLv3被禁用时: – 

 [Tue Nov 24 07:50:13.019993 2015] [ssl:info] [pid 6419] [client 127.0.0.1:32836] AH01964: Connection to child 2 established (server site1.example.com:443) [Tue Nov 24 07:50:13.023693 2015] [ssl:info] [pid 6419] [client 127.0.0.1:32836] AH02008: SSL library error 1 in handshake (server site1.example.com:443) [Tue Nov 24 07:50:13.023752 2015] [ssl:info] [pid 6419] SSL Library Error: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version (SSL alert number 70) [Tue Nov 24 07:50:13.023789 2015] [ssl:info] [pid 6419] [client 127.0.0.1:32836] AH01998: Connection closed to child 2 with abortive shutdown (server site1.example.com:443)

这是获得最安全的兼容性https的configuration,在ssllabs(requier openssl uptodate)上进行testing: 

 #=========================# # [ HTTPS CONFIGURATION ] # #=========================# SSLEngine on SSLOptions +StrictRequire SSLProxyEngine on # Prevent Beast attack SSLHonorCipherOrder on # SSL Compression (CRIME attack) SSLCompression off # HSTS Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" # PROTOCOL SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2 SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 # KEY SSLCertificateFile /opt/web/ssl/xx.crt SSLCertificateKeyFile /opt/web/ssl/xxx.key SSLCertificateChainFile /opt/web/ssl/xxx.pem # Deny HTTP request when SSL is used <Directory /> SSLRequireSSL </Directory> AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl

使用Mozillaconfiguration生成器( https://mozilla.github.io/server-side-tls/ssl-config-generator/ )为您的configuration文件生成一个模板。 一定要在给定的字段中input你确切的Apache和OpenSSL版本,并select“现代”设置来利用最安全的协议。

这就是说,你的第二个问题与“SSLOpenSSLConfCmd”是与您正在使用的OpenSSL的版本有关。 要使用这个命令,你将需要Apache> 2.4.8和OpenSSL> 1.0.2。 所以,升级你的OpenSSL。

至于有关TLSv1.2和SSLv3的第一个问题,那就是你已经启用的SSLCipherSuite列表。 使用OpenSSL来validation哪些套件适用于哪些协议,并从列表中删除较弱的套件(或使用上述configuration生成器)。 例如: 

 openssl ciphers -s -v 'ECDHE+RSA+AES128+GCM+SHA256 ECDHE+ECDSA+AES128+GCM+SHA256 ECDHE+RSA+AES256+GCM+SHA384 ECDHE+ECDSA+AES256+GCM+SHA384 DHE+RSA+AES128+GCM+SHA256 DHE+DSS+AES128+GCM+SHA256 kEDH+AESGCM ECDHE+RSA+AES128+SHA256 ECDHE+ECDSA+AES128+SHA256 ECDHE+RSA+AES128+SHA ECDHE+ECDSA+AES128+SHA ECDHE+RSA+AES256+SHA384 ECDHE+ECDSA+AES256+SHA384 ECDHE+RSA+AES256+SHA ECDHE+ECDSA+AES256+SHA DHE+RSA+AES128+SHA256 DHE+RSA+AES128+SHA DHE+DSS+AES128+SHA256 DHE+RSA+AES256+SHA256 DHE+DSS+AES256+SHA DHE+RSA+AES256+SHA AES128+GCM+SHA256 AES256+GCM+SHA384 AES128+SHA256 AES256+SHA256 AES128+SHA AES256+SHA AES CAMELLIA DES+CBC3+SHA !aNULL !eNULL !EXPORT !DES !RC4 !MD5 !PSK !aECDH !EDH+DSS+DES+CBC3+SHA !EDH+RSA+DES+CBC3+SHA !KRB5+DES+CBC3+SHA'

其结果如下: 

  DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256 ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256 DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256 DHE-DSS-AES128-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256 AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256 DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256 DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256 AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256 ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1 ECDHE-ECDSA-AES128-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1 DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1 DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1 AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1 ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1 DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1 DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1 AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384 ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384 AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1 DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1 CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1 DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1 DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA1 CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1

删除SSLv3密码来纠正这个问题。