- Vixual - http://www.vixual.net/blog -

How to fix a Web/Mail server that accepts insecure SSL/TLS protocol versions

Vulnerability scan

Finding: SSL/TLS Service Supports Weak Protocol

Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), is a network protocol that encrypts communications between TLS servers (e.g., websites) and TLS clients (e.g., web browsers). Every communication is secured by a cipher suite: a combination of several algorithms working in concert. Networking protocols do not have a defined lifetime, but academics, researchers, and nation states are constantly evaluating them for weaknesses. Consensus on which protocols are untrustworthy evolves over time, and if communications are sent with a weak protocol, that communication can be altered or decrypted.

Solution

Explanation

As of 2022, the SSL/TLS protocol versions classed as insecure are SSLv2, SSLv3, TLS 1.0 and TLS 1.1 (exactly the versions the configuration below disables).

The only version the configuration below leaves enabled is TLS 1.2. TLS 1.3 is also secure and should stay enabled wherever the server's OpenSSL build supports it.

In short, all you need to do is edit the configuration file and turn off these insecure protocol versions, then confirm from the outside that the server really refuses them.

Steps

[Web Server (Apache)]

1. Edit /etc/httpd/conf.d/ssl.conf and change the SSLProtocol directive as follows. Note that "-all" already removes every version, so the explicit -SSLv3/-TLSv1/-TLSv1.1 entries are redundant but harmless; on a build with OpenSSL 1.1.1 or later, add +TLSv1.3 as well, otherwise this line disables TLS 1.3 too:

SSLProtocol -all -TLSv1 -TLSv1.1 +TLSv1.2 -SSLv3

2. Restart Apache:

$ service httpd restart

[Mail Server (Dovecot)]

1. Edit /etc/dovecot/conf.d/10-ssl.conf and change the ssl_protocols setting as follows. This is the Dovecot 2.2 syntax; Dovecot 2.3 replaced ssl_protocols with ssl_min_protocol, where the equivalent is "ssl_min_protocol = TLSv1.2":

ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1

2. Restart Dovecot:

$ service dovecot restart
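After restarting, verify from another host that the old versions are actually refused. The usual check is `openssl s_client -tls1 -connect host:443`, but on a current client that often fails because the local OpenSSL build itself no longer speaks TLS 1.0, which tells you nothing about the server. The probe below is an added example, not part of the original post or of Apache/Dovecot: it sends a minimal ClientHello offering exactly one protocol version over a raw TCP socket and classifies the server's first reply (ServerHello = accepted, alert or closed connection = refused). Host and port are command-line arguments; it assumes implicit TLS (443, 993, 995), not STARTTLS on 25/143/110.

```python
"""Probe which SSL/TLS versions a server accepts, one ClientHello per version.

Added example (not from the original post). Works with only a raw socket, so it
does not depend on the local OpenSSL build still being willing to speak SSLv3
or TLS 1.0/1.1. Assumes implicit TLS on the target port (no STARTTLS).
"""
import os
import socket
import struct
import sys

# Record-layer / handshake version numbers as (major, minor).
VERSIONS = {
    "SSLv3":   (3, 0),
    "TLSv1":   (3, 1),
    "TLSv1.1": (3, 2),
    "TLSv1.2": (3, 3),
}

# Widely implemented suites, so a server that accepts the version has a pick.
CIPHER_SUITES = [
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0035,  # TLS_RSA_WITH_AES_256_CBC_SHA
    0x000A,  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0xC013,  # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    0xC014,  # TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    0x009C,  # TLS_RSA_WITH_AES_128_GCM_SHA256 (TLS 1.2 only)
    0xC02F,  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (TLS 1.2 only)
]

CONTENT_ALERT = 21
CONTENT_HANDSHAKE = 22
HANDSHAKE_CLIENT_HELLO = 1
HANDSHAKE_SERVER_HELLO = 2


def build_client_hello(major, minor, random_bytes=None):
    """Return one TLS record carrying a ClientHello that offers only (major, minor)."""
    if random_bytes is None:
        random_bytes = os.urandom(32)
    assert len(random_bytes) == 32
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        bytes([major, minor])                       # client_version
        + random_bytes                              # 32-byte random
        + b"\x00"                                   # empty session id
        + struct.pack("!H", len(suites)) + suites   # cipher_suites
        + b"\x01\x00"                               # one compression method: null
    )
    # Handshake header: type(1) + 24-bit length; record header: type, version, length.
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return bytes([CONTENT_HANDSHAKE, major, minor]) + struct.pack("!H", len(handshake)) + handshake


def classify_reply(data):
    """Classify the first record the server sent back.

    ("accepted", "TLSv1.2")   ServerHello; the detail is the version it chose
    ("rejected", "alert 70")  alert record (70 = protocol_version)
    ("rejected", "closed")    connection closed without a full record header
    ("unknown", ...)          anything else
    """
    if len(data) < 5:
        return ("rejected", "closed")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if ctype == CONTENT_ALERT and len(payload) >= 2:
        return ("rejected", "alert %d" % payload[1])
    if ctype == CONTENT_HANDSHAKE and len(payload) >= 6 and payload[0] == HANDSHAKE_SERVER_HELLO:
        ver = (payload[4], payload[5])              # ServerHello: type(1) len(3) version(2)
        name = next((n for n, v in VERSIONS.items() if v == ver), "%d.%d" % ver)
        return ("accepted", name)
    return ("unknown", "content type %d" % ctype)


def probe(host, port, name, timeout=5.0):
    """Offer a single version to host:port and classify the reply."""
    major, minor = VERSIONS[name]
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(major, minor))
        try:
            data = s.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_reply(data)


def survey(host, port):
    """Probe every version in VERSIONS; returns {name: (status, detail)}."""
    return {name: probe(host, port, name) for name in VERSIONS}


if __name__ == "__main__":
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for version, (status, detail) in survey(target, target_port).items():
        print("%-8s %-9s %s" % (version, status, detail))
```

Run it as `python3 probe.py mail.example.com 993` (hostname assumed) and again against 443. After the change above, SSLv3, TLSv1 and TLSv1.1 should all come back "rejected" (an OpenSSL-based server answers with alert 70, protocol_version, or just closes the connection) and only TLSv1.2 "accepted". If the detail on an "accepted" line names a lower version than the one offered, the server downgraded rather than refused, which also counts as a failure.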
