我通过" SSLProtocol All -SSLv2 -SSLv3"应用了针对apache的POODLE修复程序。在我们的apache服务器的ssl.conf文件中,但是通过" SSLVerifyClient需要"来解决CAC客户端身份验证问题。我已确认是否设置了" SSLVerifyClient none"我们的Web应用程序可以通过https访问并使用正确的TLSv1协议,但是一旦我设置了" SSLVerifyClient需要" (这是因为我们的Web应用程序启用了CAC而需要)我得到一个页面无法在IE中显示(IE已禁用SSLv2和SSLv3)。我认为它是在SSLVerifyClient阶段重新协商SSLv3 ..任何人都知道如何解决这个问题在Oracle HTTP Server(OHS)Apache 2.2.13 ??
以下是我的ssl.conf文件的片段:
###################################################################
# Oracle HTTP Server mod_ossl configuration file: ssl.conf #
###################################################################
# OHS Listen Port
Listen 443
<IfModule ossl_module>
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
SSLSessionCache "shmcb:${ORACLE_INSTANCE}/diagnostics/logs/${COMPONENT_TYPE}/${COMPONENT_NAME}/ssl_scache(512000)"
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
<IfModule mpm_winnt_module>
SSLMutex "none"
</IfModule>
<IfModule !mpm_winnt_module>
SSLMutex pthread
</IfModule>
##
## SSL Virtual Host Context
##
<VirtualHost *:443>
# ServerAdmin webmaster@dummy-host.example.com
DocumentRoot "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/htdocs/asset"
DirectoryIndex remagnum.html
ServerName TTSDS09083.TIMPO.OSD.MIL
# ServerAlias www.dummy-host.example.com
<IfModule ossl_module>
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
#SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
SSLCipherSuite SSL_RSA_WITH_AES_128_CBC_SHA
SSLProtocol All -SSLv2 -SSLv3
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional and require.
#SSLVerifyClient none
SSLVerifyClient require
# SSL Certificate Revocation List Check
# Valid values are On and Off
SSLCRLCheck Off
#Path to the wallet
SSLWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/default"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars +ExportCertData
</FilesMatch>
<Directory "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/cgi-bin">
SSLOptions +StdEnvVars +ExportCertData
</Directory>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</IfModule>
</VirtualHost>
</IfModule>
答案 0 :(得分:1)
您是否尝试删除不推荐使用的浏览器的BrowserMatch?
#BrowserMatch ".*MSIE.*" \
# nokeepalive ssl-unclean-shutdown \
# downgrade-1.0 force-response-1.0
来自httpd.conf
#BrowserMatch "Mozilla/2" nokeepalive
#BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0