Why doesn't TLS 1.2 work in Apache 2.4 with SSLProtocol all -SSLv3 -SSLv2?

Time: 2016-08-09 10:22:10

Tags: apache tls1.2

I can't get TLS 1.2 to work on my Apache instance. A check on SSL Labs shows that TLSv1.1 is the highest version used (so Chrome says). My setup:

uname -a
Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt20-1+deb8u2 (2016-01-02) x86_64 GNU/Linux

apachectl -v
Server version: Apache/2.4.10 (Debian)
Server built:   Jul 20 2016 06:48:18

openssl version
OpenSSL 1.0.1t  3 May 2016

My configuration:

SSLEngine on
SSLProxyEngine off
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
SSLProtocol all -SSLv3 -SSLv2
SSLCompression off
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SetEnvIf User-Agent ".*MSIE.*" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0

SSLCertificateFile /etc/ssl/xxx.crt
SSLCertificateKeyFile /etc/ssl/xxx.key
SSLCertificateChainFile /etc/ssl/xxx.crt

1 answer:

Answer 0: (score: 1)

OK.... finally. It has to do with multiple VHosts. If one of them has more "relaxed" SSL settings, Apache will use those. It depends on the order of the VHost configuration files. See http://www.linuxquestions.org/questions/linux-server-73/trying-to-enable-tls-1-2-on-apache-webserver-4175551239/: "....this is because apache picks up the SSL settings from the first vhost config file in sites-enabled, rather than the one from the site itself." End quote.
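As an added example (not code from the question or the linked answer), here is a POSIX shell script that audits an Apache sites-enabled directory the way the answer describes: it lists each vhost's SSLProtocol value in the order Apache loads the files and flags any vhost whose setting differs from the first-loaded one. It assumes Debian's layout of one .conf per site, read in lexical order; the sample vhost files it creates are constructed. The reason the first file wins, in the Apache 2.4.10 build from the question, is that the TLS version is negotiated for a listening address:port before SNI selects the site's own vhost, so the first vhost for that port supplies the SSLProtocol value.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Audits the SSLProtocol line of every enabled vhost file and reports any
# vhost whose value differs from the first file Apache loads. Assumption:
# files are read in lexical order from one directory (Debian's
# /etc/apache2/sites-enabled layout). The sample directory is constructed.

# Create a constructed sites-enabled directory. $1 is the SSLProtocol value
# given to the first-loaded (default) vhost; the second vhost is hardened.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/000-default-ssl.conf" <<EOF
<VirtualHost *:443>
    ServerName default.example
    SSLEngine on
    SSLProtocol $1
</VirtualHost>
EOF
    cat > "$dir/010-hardened.conf" <<'EOF'
<VirtualHost *:443>
    ServerName hardened.example
    SSLEngine on
    SSLProtocol all -SSLv3 -SSLv2
</VirtualHost>
EOF
    printf '%s\n' "$dir"
}

# Print "<file><TAB><SSLProtocol value>" for each *.conf file in load order.
# A file with no SSLProtocol line is reported as "<none>".
list_ssl_protocols() {
    for f in "$1"/*.conf; do
        proto=$(sed -n 's/^[[:space:]]*SSLProtocol[[:space:]]\{1,\}\(.*\)$/\1/p' "$f" | head -n 1)
        printf '%s\t%s\n' "$(basename "$f")" "${proto:-<none>}"
    done
}

# Return 0 if every vhost uses the same SSLProtocol value as the first-loaded
# one; otherwise print a MISMATCH line per offender on stderr and return 1.
check_consistent() {
    first=""
    status=0
    tab=$(printf '\t')
    while IFS="$tab" read -r f proto; do
        if [ -z "$first" ]; then
            first=$proto
            continue
        fi
        if [ "$proto" != "$first" ]; then
            printf 'MISMATCH: %s has "%s", first-loaded vhost has "%s"\n' \
                "$f" "$proto" "$first" >&2
            status=1
        fi
    done <<EOF
$(list_ssl_protocols "$1")
EOF
    return "$status"
}

# Demonstration: the default vhost only disables SSLv2, so the hardened
# vhost's "-SSLv3" never takes effect for port 443 and the audit flags it.
demo() {
    d=$(make_sample "all -SSLv2")
    list_ssl_protocols "$d"
    if check_consistent "$d"; then
        echo "consistent"
    else
        echo "fix the first-loaded vhost, or set SSLProtocol in the global context"
    fi
    rm -rf "$d"
}
demo
```

Point the functions at the real directory (`list_ssl_protocols /etc/apache2/sites-enabled`) to audit a live host. To confirm the fix from outside once the first-loaded vhost (or the global context) carries the intended SSLProtocol, an `openssl s_client -tls1_2 -servername <site> -connect <site>:443` handshake should succeed for every site on that port.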