I updated the ssl.conf file in my Apache2 configuration to use the following SSLCipherSuite:
SSLProtocol all -SSLv2 SSLCipherSuite HIGH:MEDIUM:!ADH
However, the PCI scan still seems to detect WEAK and MEDIUM ciphers as enabled.
I have restarted Apache, but it had no effect.
I would like to be able to probe the server to see which ciphers it allows, without having to wait for a PCI scan to run every time I make a change. How can I do this?
Someone posted a script here that tells you which cipher suites a website accepts. It should work for your purposes.
#!/usr/bin/env bash
# OpenSSL requires the port number.
SERVER=192.168.1.11:443
DELAY=1
# Ask the local OpenSSL for every cipher name it knows, space-separated.
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')

echo Obtaining cipher list from $(openssl version).

for cipher in $ciphers
do
  echo -n Testing $cipher...
  # Offer the server exactly one cipher; the handshake only succeeds if it accepts it.
  result=$(echo -n | openssl s_client -cipher "$cipher" -connect $SERVER 2>&1)
  if [[ "$result" =~ "Cipher is " ]] ; then
    echo YES
  else
    if [[ "$result" =~ ":error:" ]] ; then
      # Pull the human-readable reason out of the OpenSSL error line.
      error=$(echo -n $result | cut -d':' -f6)
      echo NO \($error\)
    else
      echo UNKNOWN RESPONSE
      echo $result
    fi
  fi
  sleep $DELAY
done
You can also use Qualys's SSL scanner. It will tell you the same information.
openssl ciphers cipherspec will tell you what openssl expands your cipher spec string into. Use ciphers -v to see details about the listed ciphers.
So, for the cipher string listed, on my CentOS 6 system I get:
openssl ciphers 'HIGH:MEDIUM:!ADH'
DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:PSK-3DES-EDE-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:SEED-SHA:RC2-CBC-MD5:RC4-SHA:RC4-MD5:RC4-MD5:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5
and
openssl ciphers -v 'HIGH:MEDIUM:!ADH'
DHE-RSA-AES256-SHA      SSLv3 Kx=DH   Au=RSA  Enc=AES(256)      Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH   Au=DSS  Enc=AES(256)      Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH   Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH   Au=DSS  Enc=Camellia(256) Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA  Au=RSA  Enc=AES(256)      Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA  Au=RSA  Enc=Camellia(256) Mac=SHA1
PSK-AES256-CBC-SHA      SSLv3 Kx=PSK  Au=PSK  Enc=AES(256)      Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH   Au=RSA  Enc=3DES(168)     Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH   Au=DSS  Enc=3DES(168)     Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA  Au=RSA  Enc=3DES(168)     Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA  Au=RSA  Enc=3DES(168)     Mac=MD5
PSK-3DES-EDE-CBC-SHA    SSLv3 Kx=PSK  Au=PSK  Enc=3DES(168)     Mac=SHA1
KRB5-DES-CBC3-SHA       SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168)     Mac=SHA1
KRB5-DES-CBC3-MD5       SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168)     Mac=MD5
DHE-RSA-AES128-SHA      SSLv3 Kx=DH   Au=RSA  Enc=AES(128)      Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH   Au=DSS  Enc=AES(128)      Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH   Au=RSA  Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH   Au=DSS  Enc=Camellia(128) Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA  Au=RSA  Enc=AES(128)      Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA  Au=RSA  Enc=Camellia(128) Mac=SHA1
PSK-AES128-CBC-SHA      SSLv3 Kx=PSK  Au=PSK  Enc=AES(128)      Mac=SHA1
DHE-RSA-SEED-SHA        SSLv3 Kx=DH   Au=RSA  Enc=SEED(128)     Mac=SHA1
DHE-DSS-SEED-SHA        SSLv3 Kx=DH   Au=DSS  Enc=SEED(128)     Mac=SHA1
SEED-SHA                SSLv3 Kx=RSA  Au=RSA  Enc=SEED(128)     Mac=SHA1
RC2-CBC-MD5             SSLv2 Kx=RSA  Au=RSA  Enc=RC2(128)      Mac=MD5
RC4-SHA                 SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)      Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)      Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA  Au=RSA  Enc=RC4(128)      Mac=MD5
PSK-RC4-SHA             SSLv3 Kx=PSK  Au=PSK  Enc=RC4(128)      Mac=SHA1
KRB5-RC4-SHA            SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128)      Mac=SHA1
KRB5-RC4-MD5            SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128)      Mac=MD5
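The `openssl ciphers -v` listing above can be checked offline for the suites a PCI scanner reports as weak or medium, before anything is rescanned. The script below is an added example and not part of either answer; the cipher lines it parses are a constructed sample in the format shown above, and the flagging rules (SSLv2-only suites, RC4/RC2/single DES, 3DES, NULL encryption, MD5 MACs) are my own assumptions about what a scanner objects to.

```shell
#!/usr/bin/env bash
# Added example: flag weak suites in `openssl ciphers -v <spec>` output,
# e.g.  openssl ciphers -v 'HIGH:MEDIUM:!ADH' | flag_weak_ciphers
# Each input line looks like:
#   RC4-MD5    SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5

flag_weak_ciphers() {
    # Reads cipher lines on stdin, prints "<name>\t<reason>" for each flagged suite.
    awk '{
        name = $1; proto = $2; enc = ""; mac = "";
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^Enc=/) enc = substr($i, 5);
            if ($i ~ /^Mac=/) mac = substr($i, 5);
        }
        reason = "";
        if (proto == "SSLv2")                  reason = "SSLv2-only suite";
        else if (enc ~ /^(RC4|RC2|DES)\(/)     reason = "weak cipher " enc;
        else if (enc ~ /^3DES/)                reason = "3DES (64-bit block)";
        else if (enc ~ /^None/)                reason = "no encryption";
        else if (mac == "MD5")                 reason = "MD5 MAC";
        if (reason != "") printf "%s\t%s\n", name, reason;
    }'
}

count_flagged() {
    # Convenience wrapper: number of flagged suites on stdin.
    flag_weak_ciphers | wc -l | tr -d ' '
}

# Constructed sample (same format as the real ciphers -v output, assumed here).
SAMPLE_CIPHERS='DHE-RSA-AES256-SHA SSLv3 Kx=DH  Au=RSA Enc=AES(256)  Mac=SHA1
AES128-SHA         SSLv3 Kx=RSA Au=RSA Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA       SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5       SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
RC4-SHA            SSLv3 Kx=RSA Au=RSA Enc=RC4(128)  Mac=SHA1
RC4-MD5            SSLv3 Kx=RSA Au=RSA Enc=RC4(128)  Mac=MD5
RC2-CBC-MD5        SSLv2 Kx=RSA Au=RSA Enc=RC2(128)  Mac=MD5'

# Stand-alone run: prints the five flagged suites from the sample.
printf '%s\n' "$SAMPLE_CIPHERS" | flag_weak_ciphers
```

Pipe the real `openssl ciphers -v` output of your SSLCipherSuite string into `flag_weak_ciphers` to see which suites to exclude with `!` before rerunning the scan.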