服务器 Gind.cn
  1. 服务器 Gind.cn
  3. 如何制作使用TLS的自签名SSL证书?
Intereting Posts
Cisco ASA 5505和Juniper ssg5之间的ipsec问题 OpenWRT路由器作为与DNS的交换机 AD查询来查看用户最近login了哪些PC Gnomeregistry(〜/ .gconf)和版本控制 笔记本电脑硬盘介绍 我怎样才能configurationopenvpn代理stream量只有绑定到tun接口的进程? 以非root用户身份运行进程时的安全性最佳实践 俘虏门户网站与没有DNS的辣椒 没有明确许可的远程访问:方便还是责任? Ubuntu服务器每天失败 关于大单文件(虚拟磁盘)和RAID硬盘的信息 在CloudFormation模板中为EC2实例指定VPC 电子邮件在服务器上延迟几个小时 用于光纤链路的PPP还是以太网? Apache的URL问题

如何制作使用TLS的自签名SSL证书?

将Apache和PHP升级到Ubuntu 12.01 LTS上的最新版本之后,其上的SSL站点变得无法访问,指出错误“ssl_error_no_cypher_overlap”。

我尝试使用openssl req -x509 -nodes -days 1826 -newkey rsa:2048 -keyout apache_x509_RSA-2048_days-1826_013115.key -out apache_x509_RSA-2048_days-1826_013115.crt生成新的自签名SSL证书openssl req -x509 -nodes -days 1826 -newkey rsa:2048 -keyout apache_x509_RSA-2048_days-1826_013115.key -out apache_x509_RSA-2048_days-1826_013115.crt

但是当我运行: /etc/ssl/our_certs# sslscan --no-failed mydomain.com

我懂了: 

  _ ___ ___| |___ ___ __ _ _ __ / __/ __| / __|/ __/ _` | '_ \ \__ \__ \ \__ \ (_| (_| | | | | |___/___/_|___/\___\__,_|_| |_| Version 1.8.2 http://www.titania.co.uk Copyright Ian Ventura-Whiting 2009 Testing SSL server mydomain.com on port 443 Supported Server Cipher(s): Accepted SSLv3 256 bits ECDHE-RSA-AES256-SHA Accepted SSLv3 256 bits DHE-RSA-AES256-SHA Accepted SSLv3 256 bits DHE-RSA-CAMELLIA256-SHA Accepted SSLv3 256 bits AES256-SHA Accepted SSLv3 256 bits CAMELLIA256-SHA Accepted SSLv3 168 bits ECDHE-RSA-DES-CBC3-SHA Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA Accepted SSLv3 168 bits DES-CBC3-SHA Accepted SSLv3 128 bits ECDHE-RSA-AES128-SHA Accepted SSLv3 128 bits DHE-RSA-AES128-SHA Accepted SSLv3 128 bits DHE-RSA-CAMELLIA128-SHA Accepted SSLv3 128 bits AES128-SHA Accepted SSLv3 128 bits CAMELLIA128-SHA Prefered Server Cipher(s): SSLv3 256 bits ECDHE-RSA-AES256-SHA SSL Certificate: Version: 2 Serial Number: -17181615592741643472 Signature Algorithm: sha1WithRSAEncryption Issuer: /C=PH/ST=NCR/L=Manila/O=Our_Company/CN=mydomain.com/[email protected] Not valid before: Sep 5 00:40:40 2013 GMT Not valid after: Sep 3 00:40:40 2023 GMT Subject: /C=PH/ST=NCR/L=Manila/O=Our_Company/CN=mydomain.com/[email protected] Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Public-Key: (2048 bit) Modulus: 00:df:c2:a9:69:9b:df:09:25:b9:6d:15:d2:2e:3c: d2:bf:48:40:97:7f:c9:d5:9b:d0:0c:13:0d:26:67: 98:3e:be:fe:0a:fd:e7:da:24:90:7c:f4:51:de:6e: a0:98:2a:e1:23:fb:cc:0c:ab:1d:53:6a:f5:d6:f9: 51:b4:d5:f4:f3:1b:9c:25:fa:39:83:f4:3c:3b:f4: c1:50:5f:b0:8d:8e:13:53:fb:05:be:4d:5c:b9:98: a8:58:15:76:5a:18:b9:fb:88:a8:ec:a1:c4:4e:83: d6:7d:9a:ce:1f:91:68:31:ae:fa:64:90:8a:e0:77: 51:ad:ba:46:98:d8:c1:c6:1c:3d:93:c3:5f:c2:28: 8a:0d:6f:05:58:15:d8:df:81:05:20:de:18:cf:98: 8c:12:42:27:b4:40:5e:fb:b5:98:94:d0:d2:ae:41: a5:b5:a2:60:39:9f:f7:56:a0:e8:fb:6c:2c:64:d7: 82:11:96:9f:f0:27:e1:6b:7d:fd:2c:0d:be:82:ee: df:39:ff:8f:f2:db:cf:0b:01:c3:31:93:a5:35:83: 2c:4f:b2:a8:4b:66:4e:66:79:79:01:91:ef:d0:bb: 75:6c:e3:ca:95:e2:b8:fe:3c:81:21:7b:58:49:7e: 21:a5:12:1f:eb:8a:40:c6:4d:80:78:0f:4e:0a:3b: a2:2d Exponent: 65537 (0x10001) X509v3 Extensions: X509v3 Subject Key Identifier: B3:66:DF:F6:36:5C:F6:B0:A5:AF:D0:09:80:0A:88:58:04:B4:C6:04 X509v3 Authority Key Identifier: keyid:B3:66:DF:F6:36:5C:F6:B0:A5:AF:D0:09:80:0A:88:58:04:B4:C6:04 X509v3 Basic Constraints: CA:TRUE Verify Certificate: self signed certificate

如果我理解正确的SSL 2和3现在被认为是不安全的,我需要使用TLSv1,v1.1或v1.2?

我需要知道的是如何生成使用这些TLS版本的证书以及其他任何应该接受的证书?

我也许应该提到证书要在多个域中使用。 谢谢。

附加信息:

openssl版本-a 

 OpenSSL 1.0.1 14 Mar 2012 built on: Fri Jan 9 17:52:49 UTC 2015 platform: debian-amd64 options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM OPENSSLDIR: "/usr/lib/ssl"

apache2 -v 

 Server version: Apache/2.4.10 (Ubuntu) Server built: Jul 22 2014 22:57:50

php -v 

 PHP 5.5.21-1+deb.sury.org~precise+2 (cli) (built: Jan 26 2015 20:02:42) Copyright (c) 1997-2014 The PHP Group Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies with Zend OPcache v7.0.4-dev, Copyright (c) 1999-2014, by Zend Technologies

uname -a 

 Linux s2.mydomain.com 3.13.0-34-generic #60~precise1-Ubuntu SMP Wed Aug 13 15:55:33 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

证书不确定连接是使用TLS还是SSL; 这完全取决于Web服务器(在这种情况下,Apache)的configuration。

您需要查看的configuration选项是SSLProtocol,可能使用:

SSLProtocol all -SSLv2 -SSLv3

如果要禁用SSL协议,请保留TLS的所有版本。

除了前面提到的SSLProtocol指令外,pipe理SSL / TLS协议的版本将在新连接中被接受,第二个指令用于configuration客户端被允许在SSL / TLS握手协商的密码套件相。

这是SSLCipherSuite指令。 理论上可以允许TLS协议,但是排除实际包含在TLS规范中的所有encryption密钥:)。 一个合理的configuration是: 

 SSLCipherSuite ALL:!ADH:!EXPORT:RC4+RSA:+HIGH:-MEDIUM:-LOW

稍微“更好”的select是给予提供前向保密的encryptionCypers优先级,例如: 

 SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:ALL:!ADH:!EXPORT:RC4+RSA:+HIGH:-MEDIUM:-LOW

一般来说,虽然apache理论上主要使用httpd.confconfiguration文件进行configuration,但该configuration文件可以包含来自其他文件的模块部分。 (即conf.d/*.conf文件和Ubuntu特定的sites-enabled/*.conf )订单很重要! 当一些指令多次出现时,往往只有最后一次出现被应用。 所以检查所有包括!