https: Apache TLS renegotiation: Debian, Apache2, openssl. How?
On modern browsers, my site gets marked as sorta insecure:
Google Chrome for example says "The server does not support the TLS renegotiation extension" in the "Page Information".
HTTPS runs fine though, the connection is encrypted and the certificate is valid.
# openssl version
OpenSSL 0.9.8g 19 Oct 2007
# cat /etc/debian_version
5.0.6
# apache2ctl -V
Server version: Apache/2.2.9 (Debian)
Server built: Apr 20 2010 21:44:40
Server's Module Magic Number: 20051115:15
Server loaded: APR 1.2.12, APR-Util 1.2.12
Compiled using: APR 1.2.12, APR-Util 1.2.12
Architecture: 64-bit
Server MPM: ITK
threaded: no
forked: yes (variable process count)
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/experimental/itk"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=128
-D HTTPD_ROOT=""
-D SUEXEC_BIN="/usr/lib/apache2/suexec"
-D DEFAULT_PIDLOG="/var/run/apache2.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_LOCKFILE="/var/run/apache2/accept.lock"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="/etc/apache2/mime.types"
-D SERVER_CONFIG_FILE="/etc/apache2/apache2.conf"
I'm using the dotdeb repository for my LAMP setup, hence Apache 2.2.9.
Is there something wrong with my server configuration? Or is there something wrong with the certificate in use? Where should I begin tracking down the issue?
According to the Debian changelog, you're using the apache2 package version 2.2.9-10+lenny8 (the latest one available for Lenny), built Apr 20 2010.
Version 2.2.9-10+lenny6 had introduced a quick fix for the problem (CVE-2009-3555):
Therefore, you should disable SSLVerifyClient optional in Directory or Location directives.
The TLS renegotiation extension (RFC 5746), which addresses the problem in SSLVerifyClient optional more generally, was implemented in OpenSSL versions 0.9.8m and 1.0.0a, which you would need if you wanted to use it.
If you're not using SSLVerifyClient optional in location/directory directives, your configuration doesn't seem insecure, it just doesn't support this TLS extension that would have allowed you to keep using client-certificate authentication on a per-directory/location basis.
Apache Httpd 2.2.15 also introduced the SSLInsecureRenegotiation directive if you want to force the insecure behaviour (and use OpenSSL 0.9.8m or above).
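Two checks an administrator can run to answer the question above and to act on this answer, as an added example that is not code from the asker, the answerers or the Apache project. The first classifies `openssl s_client` output by whether the RFC 5746 secure renegotiation extension was negotiated; the second scans an Apache config for `SSLVerifyClient optional` inside `<Directory>`/`<Location>` blocks, the per-location pattern the answer says to disable. It goes slightly beyond the answer in also flagging `optional_no_ca` and the `*Match` block forms, which trigger the same renegotiation. Assumptions: the client-side openssl is 0.9.8m or newer (an older s_client such as the 0.9.8g shown in the question prints no "Secure Renegotiation" line at all, which the script reports as "unknown"); the host and port arguments and the sample vhost are constructed placeholders, not the asker's real configuration.

```shell
#!/bin/sh
# Added example for this page, not code from the asker or answerers.
#   reneg_status          classify `openssl s_client` output as secure
#                         (RFC 5746 negotiated), insecure, or unknown
#   find_optional_verify  flag SSLVerifyClient optional[_no_ca] inside
#                         <Directory>/<Location>[Match] blocks, the pattern
#                         that makes mod_ssl renegotiate mid-connection
# Assumption: the local openssl is >= 0.9.8m, which is when s_client started
# printing the "Secure Renegotiation ..." line; host/port are placeholders.

# Read s_client output on stdin and print one of: secure | insecure | unknown
reneg_status() {
    out=$(cat)
    case "$out" in
        *"Secure Renegotiation IS supported"*)     echo secure ;;
        *"Secure Renegotiation IS NOT supported"*) echo insecure ;;
        *)                                         echo unknown ;;
    esac
}

# Live check: check_server example.invalid 443   (needs network; not run offline)
check_server() {
    openssl s_client -connect "$1:${2:-443}" </dev/null 2>/dev/null | reneg_status
}

# Print "file:line:BlockName" for every SSLVerifyClient optional/optional_no_ca
# that sits inside a <Directory>, <Location>, <DirectoryMatch> or
# <LocationMatch> block. Exit 1 if any were found, 0 if the file is clean.
# Matching is case-insensitive like httpd itself (tolower keeps it mawk-safe).
find_optional_verify() {
    awk -v f="$1" '
        { l = tolower($0) }
        l ~ /^[ \t]*<(directory|location|directorymatch|locationmatch)[ \t>]/ {
            t = $1; sub(/^</, "", t); sub(/>$/, "", t); tag[++depth] = t
        }
        l ~ /^[ \t]*<\/(directory|location|directorymatch|locationmatch)>/ {
            if (depth > 0) depth--
        }
        l ~ /^[ \t]*sslverifyclient[ \t]+optional(_no_ca)?([ \t]|$)/ && depth > 0 {
            printf "%s:%d:%s\n", f, NR, tag[depth]; hits++
        }
        END { exit (hits > 0) }
    ' "$1"
}

# Constructed sample vhost (not the asker's real configuration). The
# <Location /secure> block is the one that triggers a renegotiation; keeping
# client-certificate verification at vhost level (or on a dedicated vhost)
# is the form that is settled in the initial handshake.
write_sample_config() {
    cat > "$1" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    # vhost-level setting is negotiated in the initial handshake
    SSLVerifyClient none
    <Location /secure>
        # per-location optional verification forces a renegotiation
        SSLVerifyClient optional
        SSLVerifyDepth 2
    </Location>
    <Directory /var/www/public>
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
EOF
}

# Demo: scan the constructed config, then classify a constructed s_client line
tmp=$(mktemp)
write_sample_config "$tmp"
find_optional_verify "$tmp" || echo "renegotiation-triggering directive(s) found"
rm -f "$tmp"
printf 'Secure Renegotiation IS supported\n' | reneg_status
```

Run `find_optional_verify /etc/apache2/sites-enabled/<site>` against each enabled site file; a hit names the block to move the directive out of. `check_server` only gives a meaningful answer from a machine whose own openssl already implements RFC 5746, so run it from a newer client box rather than from the Lenny server itself.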
I'm not sure why but I stumbled into what appears to be a fix for this issue. I had only 1 vhost for SSL and noticed a redirect from http -> https wasn't working. I tried a number of variations of the rewrite rules to no avail. So I decided to create a second vhost on port 80. The redirect started working and not only that, Chrome started showing the green https symbol in the corner :D