请提供将通过 PCI 合规性扫描的 Apache SSLCipherSuite
我正在尝试让运行 Apache 2.2.17 的 Fedora 14 服务器通过 McAfee ScanAlert 的 PCI-DSS 合规性扫描。我第一次尝试使用 ssl.conf 中设置的默认 SSLCipherSuite 和 SSLProtocol 指令...
SSLProtocol ALL -SSLv2
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
失败,因为启用了弱密码。使用 ssllabs 和serversniff 工具进行扫描显示,40 位和 56 位密钥确实可用。
然后我更改为...
SSLProtocol -ALL +SSLv3 +TLSv1
并尝试了各个站点上报告的所有以下字符串,以通过来自各种供应商的 PCI 扫描...
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH
SSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL
SSLCipherSuite ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:RC4+RSA:+HIGH:+MEDIUM
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
SSLCipherSuite ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:!MEDIUM:RC4+RSA:+HIGH
我在更新后重新启动 apache,并且 apachectl configtest 说我的语法没问题。随后的 ScanAlert 扫描全部失败,其他扫描工具继续显示可用的 40 和 56 位密码。我尝试将 SSLProtocol 和 SSLCipherSuite 直接添加到 httpd.conf 中的 VirtualHost,但这没有帮助。
实际上感觉像是某个地方的某些东西覆盖了这些设置,但除了 ssl.conf 之外,我找不到任何设置这些值的东西。
如果有人可以提供一个已知良好且已通过最近 PCI 扫描的 SSLCipherSuite,那么它将对追踪我的问题有很大帮助。
谢谢。
I'm trying to get a Fedora 14 server running Apache 2.2.17 to pass a PCI-DSS compliance scan by McAfee ScanAlert. My first attempt using the default SSLCipherSuite and SSLProtocol directives set in ssl.conf...
SSLProtocol ALL -SSLv2
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
failed citing that weak ciphers were enabled. Scans with ssllabs and serversniff tools revealed that 40 and 56 bit keys were indeed available.
I then changed to...
SSLProtocol -ALL +SSLv3 +TLSv1
and tried all of the following strings reported on various sites to pass PCI scans from assorted vendors...
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH
SSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL
SSLCipherSuite ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:RC4+RSA:+HIGH:+MEDIUM
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
SSLCipherSuite ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:!MEDIUM:RC4+RSA:+HIGH
I am restarting apache after updates and apachectl configtest says that my syntax is ok. Subsequent ScanAlert scans have all failed and other scanning tools continue to show 40 and 56 bit ciphers available. I have tried adding SSLProtocol and SSLCipherSuite directly to the VirtualHost in httpd.conf and that has not helped.
It actually feels like something somewhere is overriding these settings but I cannot find anything anywhere that sets these values other than ssl.conf.
If someone could provide a known good SSLCipherSuite that has passed a recent PCI scan it would help a lot in tracking down my problem.
Thanks.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(6)
随着新漏洞的发现和浏览器的升级,这里的答案可能(将会)变得过时。我建议您依赖 Mozilla SSL 配置生成器< /a> 检查您应该使用哪种配置。
2018 年更新:现在强制执行完美前向保密是合理的,除非您需要特别支持旧版浏览器。截至 2018 年 11 月,只有“现代”配置文件才能启用完美前向保密。要了解更多相关信息,请访问:
SSL 实验室:部署前向保密 < /一>
<一href="http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html" rel="nofollow noreferrer">配置 Apache、Nginx 和 OpenSSL前向保密
As new vulnerabilities are discovered and browsers are upgraded, the answers here can (will) become outdated. I'd suggest you rely on Mozilla SSL Configuration Generator to check which configuration you should use.
UPDATE 2018: It's reasonable to enforce Perfect Forward Secrecy now, unless you need to support older browsers specifically. As of November 2018, only the "modern" profile will enable Perfect Forward Secrecy. Read more about it at:
SSL Labs: Deploying Forward Secrecy
Configuring Apache, Nginx, and OpenSSL for Forward Secrecy
经过几个小时的搜索和拉扯,我发现了我的问题。
ssl.conf 中的默认 SSLProtocol 和 SSLCipherSuite 指令存储在标记为
我的实际站点有自己的容器,标有其 IP 地址,例如:
_default_容器中的值没有任何影响,但将更强的 SSLProtocol 和 SSLCipherSuite 指令直接添加到站点特定的 VirtualHost 容器最终使它们生效。仍然不确定为什么调整
_default_容器或将它们放在 httpd.conf 中的 VirtualHost 容器中不起作用。作为问题的明确答案,我用...
通过了我的 ScanAlert 扫描。我敢打赌上面的大多数其他字符串也可以工作。
After hours of searching and hair pulling I found my problem.
The default SSLProtocol and SSLCipherSuite directives in my ssl.conf are stored in a default container labeled as
<VirtualHost _default_:443>.My actual site has it's own container labeled with it's IP address eg:
<VirtualHost 64.34.119.12:443>. Changing the values in the_default_container had no affect but adding the stronger SSLProtocol and SSLCipherSuite directives directly to the site specific VirtualHost container finally allowed them to take effect.Still not sure why adjusting the
_default_container or having them in the VirtualHost container in httpd.conf didn't work.As a definitive answer to the question, I used...
to pass my ScanAlert scan. I would bet that most of the other strings above would work as well.
您是否告诉 Apache 强制执行密码顺序?
SSLHonorCipherOrder 上
Did you tell Apache to enforce cipher order?
SSLHonorCipherOrder on
仅供参考 - 我发现此设置:
生成与此设置完全相同的协议列表:
根据:
FYI - I found that this setting:
Produced the exact same list of protocols as this setting:
According to:
以下配置是 Qualys 推荐的,它在他们的扫描仪上给了我们 A
是的,还要确保 Apache 能够读取新配置。我将其直接放置在虚拟主机容器内。
从他们的网站: https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
The following configuration is recommended by Qualys, it gave us a A on their scanner
Yes, also make sure Apache is able to read the new configuration. I place this directly inside the virtual host container.
From their website: https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
请查看此处 Mozilla Wiki。
本文档的目标是帮助运营团队在服务器上配置 TLS。
Look here Mozilla Wiki.
The goal of this document is to help operational teams with the configuration of TLS on servers.