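I am getting the error "SHA-1 cipher suites were detected" during a scan. I am currently using Apache 2.4 and have added
SSLCipherSuite HIGH:!aNULL:!MD5
to the httpd.conf file, but it seems to have no effect.
Is there any solution to prevent this error and other weak SSL-related issues?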
Answer 0 (score: 1)
You can use the tool available here:
https://mozilla.github.io/server-side-tls/ssl-config-generator/
to find a recommended configuration for your server. Based on Apache 2.4 and OpenSSL 1.0.1e, it recommends:
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
for "intermediate" compatibility (Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7), or
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
for "modern" compatibility (Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8).
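Note that there are other settings besides SSLCipherSuite, which depend on your OpenSSL version, so I recommend that you use the site above to find the best settings for you.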
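
Added example, not part of the original question or answer: a small Python check that reads an SSLCipherSuite value and lists the explicitly named suites whose MAC is HMAC-SHA1, which OpenSSL marks with a trailing "-SHA" in the suite name. The function name `audit` is hypothetical; the two long strings are the lists quoted in the answer, and the check assumes OpenSSL-style suite names.

```python
# Added example: flag HMAC-SHA1 suites in an OpenSSL cipher list by name.
# INTERMEDIATE and MODERN are the two lists quoted in the answer above.
INTERMEDIATE = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:"
    "DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:"
    "EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
)
MODERN = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
)

def audit(cipher_string):
    """Return (sha1_suites, aliases) for an SSLCipherSuite value.

    sha1_suites: explicitly named suites ending in "-SHA" (HMAC-SHA1).
    aliases: group keywords such as HIGH that cannot be judged by name
             and must be expanded by OpenSSL itself.
    """
    sha1_suites, aliases = [], []
    for token in cipher_string.split(":"):
        token = token.strip()
        # Exclusions (!), deletions (-), reorderings (+) and @ directives
        # do not add suites, so they are skipped.
        if not token or token[0] in "!-+@":
            continue
        if "-" not in token or "+" in token:
            aliases.append(token)      # e.g. HIGH, ECDHE+AESGCM
        elif token.upper().endswith("-SHA"):
            sha1_suites.append(token)  # -SHA256 / -SHA384 do not match
    return sha1_suites, aliases

if __name__ == "__main__":
    for name, value in [("question", "HIGH:!aNULL:!MD5"),
                        ("intermediate", INTERMEDIATE), ("modern", MODERN)]:
        sha1, unresolved = audit(value)
        print(f"{name}: {len(sha1)} SHA-1 suites, aliases to expand: {unresolved}")
```

Alias tokens such as HIGH are returned unexpanded; `openssl ciphers -v 'HIGH:!aNULL:!MD5'` lists the suites they resolve to on a given OpenSSL build, with `Mac=SHA1` shown for the SHA-1 ones.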