无法在Amazon Linux实例上禁用SSLv3

时间:2015-11-23 09:39:06

标签: linux apache ssl openssl ssl-certificate

我正在使用Go Daddy发行的SSL证书。 在我的Linux实例上,以下是软件详细信息: -

  • Apache版本 - Apache / 2.4.16(亚马逊)
  • Openssl版本 - OpenSSL 1.0.1k-fips 2015年1月8日
  • mod_ssl版本 - mod_ssl-2.4.2

注意: - 我从RPM Package安装Apache,之后我从rpm包安装mod_ssl和openssl。

1)问题是当我从https://www.ssllabs.com/ssltest/禁用SSLv3并测试SSL服务器时,它会警告“此服务器不支持当前最佳的TLSv1.2”我启用TLSv1.2协议相同的测试警告我“此服务器支持SSLv3协议并且容易受到Poodle攻击” 如何在服务器上同时禁用SSLv3并启用TLSv1.2? 我关于SSL的Vhost文件的当前配置是:

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder     on

2)我不能创建一个强大的Diffie-Hellman组。当前是1024位Diffie-Hellman组,并希望为站点创建2048位组。 我发出此命令以生成2048位密钥: - 

openssl dhparam -out dhparams.pem 2048

我在VHost中的配置是:

SSLOpenSSLConfCmd DHParameters /etc/httpd/dhparams.pem

当我重新启动服务器错误消息时弹出:

Invalid command 'SSLOpenSSLConfCmd', perhaps misspelled or defined by a module not included in the server configuration

如何解决此问题?

启用SSLv3时输出命令openssl s_client -connect 127.0.0.1:443 -tls1_2 -msg: - 

CONNECTED(00000003)
>>> ??? [length 0005]

>>> TLS 1.2 Handshake [length 0138], ClientHello

<<< ??? [length 0005]

<<< TLS 1.2 Handshake [length 003a], ServerHello

<<< ??? [length 0005]

<<< TLS 1.2 Handshake [length 12a7], Certificate

depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2     
Certification Authority
verify error:num=19:self signed certificate in certificate chain
<<< ??? [length 0005]

<<< TLS 1.2 Handshake [length 020f], ServerKeyExchange

<<< ??? [length 0005]

<<< TLS 1.2 Handshake [length 0004], ServerHelloDone

>>> ??? [length 0005]

>>> TLS 1.2 Handshake [length 0086], ClientKeyExchange

>>> ??? [length 0005]

>>> TLS 1.2 ChangeCipherSpec [length 0001]

>>> ??? [length 0005]

>>> TLS 1.2 Handshake [length 0010], Finished

<<< ??? [length 0005]

<<< TLS 1.2 Handshake [length 00ca]???

<<< ??? [length 0005]

<<< TLS 1.2 ChangeCipherSpec [length 0001]

<<< ??? [length 0005]

<<< TLS 1.2 Handshake [length 0010], Finished

禁用SSLv3的命令openssl s_client -connect 127.0.0.1:443 -ssl3 -msg的输出: - 

>>> ??? [length 0005]

>>> SSL 3.0 Handshake [length 0099], ClientHello

<<< ??? [length 0005]

<<< SSL 3.0 Alert [length 0002], fatal handshake_failure

禁用SSLv3时输出命令openssl s_client -connect 127.0.0.1:443 -tls1_2 -msg: - 

CONNECTED(00000003)
>>> ??? [length 0005]

>>> TLS 1.2 Handshake [length 0138], ClientHello

<<< ??? [length 0005]

>>> ??? [length 0005]

>>> TLS 1.0 Alert [length 0002], fatal protocol_version

SSL调试错误在禁用SSLv3时,在Apache中为命令openssl s_client -connect 127.0.0.1:443 -tls1_2 -msg登录: - 

[Tue Nov 24 07:50:13.019993 2015] [ssl:info] [pid 6419] [client 127.0.0.1:32836] AH01964: Connection to child 2 established (server site1.example.com:443)
[Tue Nov 24 07:50:13.023693 2015] [ssl:info] [pid 6419] [client 127.0.0.1:32836] AH02008: SSL library error 1 in handshake (server site1.example.com:443)
[Tue Nov 24 07:50:13.023752 2015] [ssl:info] [pid 6419] SSL Library Error: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version (SSL alert number 70)
[Tue Nov 24 07:50:13.023789 2015] [ssl:info] [pid 6419] [client 127.0.0.1:32836] AH01998: Connection closed to child 2 with abortive shutdown (server site1.example.com:443)

Openssl Version info On system

在配置中使用sslscan --no-failed "site1.domain.com"时,

SSLProtocol all -SSLv2 -SSLv3命令结果: -

SSLScan Result

在配置中未使用sslscan --no-failed "site1.domain.com"

SSLProtocol all -SSLv2 -SSLv3命令结果: -

SSLScan Result

结果均未显示TLSv1.2协议的迹象。 我认为sslscan只扫描SSLv3和TLSv1.1协议。不是TLSv1.2 现在,当我在SSLLab上使用SSLProtocol all -SSLv2 -SSLv3测试此结果时未在配置中使用: -

SSLLab

它表示TLSv1.2已启用。

2 个答案:

答案 0 :(得分:1)

在线下添加以下内容&amp;检查
SSLProtocol all -SSLv2 -SSLv3 + TLSv1.2

答案 1 :(得分:1)

与SSLProtocol -all + TLSv1.2一起使用 编辑以下内容&#34; SSLCipherSuite&#34;在/etc/apache2/mods-available/ssl.conf。

来自:SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 to:
SSLCipherSuite EECDH + ECDSA + AESGCM EECDH + aRSA + AESGCM EECDH + ECDSA + SHA384 \ EECDH + ECDSA + SHA256 EECDH + aRSA + SHA384 EECDH + aRSA + SHA256 EECDH + aRSA + RC4 \ EECDH EDH + aRSA RC4!aNULL!eNULL!LOW! 3DES!MD5!EXP!PSK!SRP!DSS

相关问题
最新问题