我在摆脱服务器漏洞方面遇到了一些麻烦。 Sweet32漏洞处理我的Web服务器上的中等强度密码套件。扫描仪输出如下所示,"远程主机支持使用提供中等强度加密的SSL密码。 Nessus认为中等强度是使用至少64位且小于112位的密钥长度的任何加密,否则使用3DES加密套件。"
在服务器上找到以下中等强度密码:
EDH-RSA-DES-CBC3-SHA;
ECDHE-RSA-DES-CBC3-SHA;
DES-CBC3-SHA
我尝试编辑Apache Tomcat的 server.xml 文件。我一直在编辑 server.xml 文件的SSL连接器部分。其内容如下,但漏洞仍在被标记。我也曾在注册表中禁用某些密码套装,例如3DES。有关如何修复此漏洞的任何想法都会非常有用。
<Connector URIEncoding="UTF-8"
clientAuth="false"
port="443"
scheme="https"
minSpareThreads="5"
enableLookups="true"
acceptCount="100"
maxThreads="200"
secure="true"
SSLEnabled="true"
keystoreFile="**********"
keystorePass="*********"
sslProtocol="TLSv1.2"
algorithm="IbmX509"
compression="on"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/css,text/plain,text /javascript,application/javascript,application/x-javascript"
SSLCipherSuite="TLS_EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!3DES:!ECDHE-RSA-DES-CBC3-SHA"
/>
答案 0 :(得分:0)
删除server.xml文件中列出的密码应解决此问题。
像这样:
SSLCipherSuite="TLS_EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!3DES"