我们的安全团队要求我们在运行Apache的一些服务器上完全禁用SSLv3。 我已经使用ssl.conf文件中的SSLProtocol条目(如SSLProtocol ALL-SSLv2-SSLv3)和各种SSLCipherSuite条目尝试完全禁用它,但无济于事。 作为nmap的输出示例,我仍然得到以下内容
Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-01 16:49 Mountain Standard Time Nmap scan report for ... Host is up (0.0045s latency). PORT STATE SERVICE 443/tcp open https | ssl-enum-ciphers: | SSLv3: No supported ciphers found <---- | TLSv1.0: | ciphers: | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong | TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong | TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong | TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong | TLS_RSA_WITH_AES_128_CBC_SHA - strong | TLS_RSA_WITH_AES_256_CBC_SHA - strong | TLS_RSA_WITH_RC4_128_SHA - strong | compressors: | NULL |_ least strength: strong 例如,在运行Tomcat的服务器上,我们无法获得SSLv3的踪迹
Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-01 16:54 Mountain Standard Time Nmap scan report for... Host is up (0.0022s latency). PORT STATE SERVICE 443/tcp open https | ssl-enum-ciphers: | TLSv1.0: | ciphers: | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong | TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong | TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong | TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong | TLS_RSA_WITH_AES_128_CBC_SHA - strong | TLS_RSA_WITH_RC4_128_MD5 - strong | TLS_RSA_WITH_RC4_128_SHA - strong | compressors: | NULL | TLSv1.1: | ciphers: | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong | TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong | TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong | TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong | TLS_RSA_WITH_AES_128_CBC_SHA - strong | TLS_RSA_WITH_RC4_128_MD5 - strong | TLS_RSA_WITH_RC4_128_SHA - strong | compressors: | NULL | TLSv1.2: | ciphers: | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong | TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong | TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong | TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong | TLS_RSA_WITH_AES_128_CBC_SHA - strong | TLS_RSA_WITH_AES_128_CBC_SHA256 - strong | TLS_RSA_WITH_AES_128_GCM_SHA256 - strong | TLS_RSA_WITH_RC4_128_MD5 - strong | TLS_RSA_WITH_RC4_128_SHA - strong | compressors: | NULL |_ least strength: strong
有没有人能够在Apache中完全禁用SSLv3? 有没有办法在Apache中完全禁用SSLv3? 谢谢你的时间
你已经禁用了SSLv3,但是nmap在报告中显得有些sl </s>。 我只是testing了我的服务器,看看发生了什么。
用nmap,我得到了同样的消息暗示SSLv3在那里,但没有密码。 但是,如果您尝试以下命令行,并且您看到“SSL警报号码40”(向右滚动!),则SSLv3将完全禁用:
$ openssl s_client -connect www.example.com:443 -ssl3 CONNECTED(00000003) 140159193097888:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1262:SSL alert number 40 140159193097888:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 7 bytes and written 0 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE SSL-Session: Protocol : SSLv3 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1425297962 Timeout : 7200 (sec) Verify return code: 0 (ok) ---
即使你得到相同的模糊指示“新(NONE),密码是(NONE)”,注意SSL握手是7个字节。 如果你运行一个数据包捕获,你会发现连接就是这样的:
客户端: 客户端Hello(SSLv3)
服务器: 警报(级别:致命,描述:握手失败)
这是一样残疾,你可以得到。
我怀疑nmap是以不同的方式报告Tomcat的,因为Tomcat回来了一套更丰富的协议。 或许Tomcat在SSL3提出时提供了TLS1,而不是拒绝SSL3。 我试图收集一个基于Tomcat的主机来testing,看看底下发生了什么。