In a recent security scan we did on our servers we got the following comment:
Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
For Apache/apache_ssl include the following line in the configuration file (httpsd.conf):
SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
The mod_ssl.conf file was updated as instructed.
Updating apache2.conf with this line:
SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
and restarting Apache2, I get:
Invalid command 'SSLRequireCipher', perhaps misspelled or defined by a module not included in the server configuration
I tried this line in apache2.conf:
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
and Apache2 restarted successfully, but on rerunning the scan I got the same:
SSL Server Allows Anonymous Authentication Vulnerability
Try SSLCipherSuite for the general configuration and SSLRequire with a regexp on %{SSL_CIPHER} if you need a require for a specific part of your server.
EDIT: If you're running on Ubuntu, the default configuration in /etc/apache2/mods-enabled/ssl.conf should solve your problems:
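As an added illustration of why the comment points at SSLCipherSuite rather than SSLRequire (this is example code, not from the question, the comment, or Apache), the evaluator below applies OpenSSL cipher-string semantics to a constructed subset of real suite names: the scanner's recommended string leaves no anonymous suites, a plain HIGH:MEDIUM list still contains ADH/AECDH suites, and the key-size test from the question does not exclude them, because anonymous suites can use 128-bit keys and SSLRequire is only evaluated after the handshake has already completed. The keyword table is simplified (no DEFAULT/COMPLEMENTOFDEFAULT, no kRSA/aRSA split, no TLS 1.3 suites); check a real server with `openssl ciphers -v '<your SSLCipherSuite>'`.

```python
# Constructed subset of real OpenSSL suite names (name, kx, auth, cipher, strength, key bits).
CIPHERS = [
    ("ECDHE-RSA-AES128-GCM-SHA256", "ECDH", "RSA",  "AESGCM", "HIGH",   128),
    ("AES128-SHA",                  "RSA",  "RSA",  "AES",    "HIGH",   128),
    ("RC4-SHA",                     "RSA",  "RSA",  "RC4",    "MEDIUM", 128),
    ("ADH-AES128-SHA",              "DH",   "None", "AES",    "HIGH",   128),
    ("AECDH-AES128-SHA",            "ECDH", "None", "AES",    "HIGH",   128),
    ("NULL-SHA",                    "RSA",  "RSA",  "NULL",   "eNULL",  0),
]
FIELDS = ("name", "kx", "auth", "enc", "strength", "bits")

def matches(cipher, word):
    """Does one OpenSSL cipher-string keyword select this suite?"""
    c = dict(zip(FIELDS, cipher))
    return {
        "ALL": c["enc"] != "NULL",            # ALL = everything except eNULL
        "aNULL": c["auth"] == "None",         # no server authentication at all
        "ADH": c["kx"] == "DH" and c["auth"] == "None",
        "AECDH": c["kx"] == "ECDH" and c["auth"] == "None",
        "eNULL": c["enc"] == "NULL",
        "RSA": "RSA" in (c["kx"], c["auth"]),
        "RC4": c["enc"] == "RC4",
    }.get(word, c["strength"] == word)        # HIGH / MEDIUM / LOW / EXP

def permitted_ciphers(spec):
    """Apply the !, -, + prefixes and the A+B intersection syntax in order."""
    active, killed = [], set()
    for token in spec.split(":"):
        if not token or token.startswith("@"):   # @STRENGTH, @SECLEVEL=n: ordering only
            continue
        prefix, word = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hit = [c[0] for c in CIPHERS if all(matches(c, w) for w in word.split("+"))]
        if prefix in ("!", "-"):     # '-' removes now, '!' also blocks any re-adding
            killed |= set(hit) if prefix == "!" else set()
            active = [n for n in active if n not in hit]
        elif prefix == "+":          # only moved to the end of the preference list
            active = [n for n in active if n not in hit] + [n for n in active if n in hit]
        else:
            active += [n for n in hit if n not in killed and n not in active]
    return active

def anonymous_ciphers(spec):
    """Suites still enabled that offer no server authentication (Au=None)."""
    auth = {c[0]: c[2] for c in CIPHERS}
    return [n for n in permitted_ciphers(spec) if auth[n] == "None"]

def keysize_check_misses(spec, min_bits=128):
    """Anonymous suites that SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= min_bits still accepts."""
    bits = {c[0]: c[5] for c in CIPHERS}
    return [n for n in anonymous_ciphers(spec) if bits[n] >= min_bits]
```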