How to fix a Web/Mail server that supports insecure SSL/TLS protocol versions
Vulnerability scan
Finding: SSL/TLS Service Supports Weak Protocol
Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), is a network protocol that encrypts communications between TLS servers (e.g., websites) and TLS clients (e.g., web browsers). Every communication is secured by a cipher suite: a combination of several algorithms working in concert. Networking protocols do not have a defined lifetime, but academics, researchers, and nation states are constantly evaluating them for weaknesses. Consensus on which protocols are untrustworthy evolves over time, and communications sent over a weak protocol can be altered or decrypted.
- Severity: High
- Risk: A TLS service was observed supporting weak protocols.
- Recommendation: Disable the protocols listed in the evidence column of the measurement.
Remediation
Description
As of 2022, the SSL and TLS protocol versions classified as insecure are:
- SSL 2.0, 3.0
- TLS 1.0, 1.1 (TLS 1.0 is sometimes also referred to as SSL 3.1)
The only versions considered secure are:
- TLS 1.2, 1.3
In short, edit the server's configuration file so that these insecure protocol versions are disabled.
Steps
[Web Server (Apache)]
1. Edit /etc/httpd/conf.d/ssl.conf and change the SSLProtocol directive as follows:
SSLProtocol -all -TLSv1 -TLSv1.1 +TLSv1.2 -SSLv3
2. Restart Apache:
$ service httpd restart
[Mail Server (Dovecot)]
1. Edit /etc/dovecot/conf.d/10-ssl.conf and change the ssl_protocols setting as follows:
ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
2. Restart Dovecot:
$ service dovecot restart
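Before restarting either service, it helps to confirm that the edited line really leaves only TLS 1.2/1.3 enabled. The following is an added example, not part of the original post or of Apache/Dovecot: it evaluates an Apache SSLProtocol directive and a Dovecot ssl_protocols setting the way those servers interpret them and reports any weak version still enabled. The six protocol names are assumed to be the full set the underlying TLS library offers.

```python
"""Lint Apache 'SSLProtocol' and Dovecot 'ssl_protocols' lines for weak TLS versions."""

# Assumed universe of protocol names, in version order (constructed for this example).
ALL_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Versions the scan finding treats as weak.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def apache_enabled(directive: str) -> set:
    """Protocols left enabled by an Apache 'SSLProtocol ...' line.

    'all' / '+all' expands to every protocol except SSLv2 (dropped in Apache 2.4);
    '+X' or bare 'X' adds protocol X, '-X' removes it, evaluated left to right.
    """
    tokens = directive.split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError("expected an SSLProtocol directive")
    enabled = set()
    for tok in tokens[1:]:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = set(ALL_PROTOCOLS) - {"SSLv2"} if name.lower() == "all" else {name}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled


def dovecot_enabled(setting: str) -> set:
    """Protocols left enabled by a Dovecot 'ssl_protocols = ...' line.

    '!X' excludes X from everything the library offers (ALL_PROTOCOLS here);
    if any entry is unprefixed, only the listed protocols are used.
    """
    key, _, value = setting.partition("=")
    if key.strip() != "ssl_protocols":
        raise ValueError("expected an ssl_protocols setting")
    entries = value.split()
    allowed = {v for v in entries if not v.startswith("!")}
    excluded = {v[1:] for v in entries if v.startswith("!")}
    return (allowed or set(ALL_PROTOCOLS)) - excluded


def weak_enabled(enabled: set) -> list:
    """Weak versions still enabled, in version order; empty means the finding is fixed."""
    return [p for p in ALL_PROTOCOLS if p in enabled and p in WEAK_PROTOCOLS]


if __name__ == "__main__":
    # The line from the remediation above versus a common but insufficient setting.
    for line in ("SSLProtocol -all -TLSv1 -TLSv1.1 +TLSv1.2 -SSLv3", "SSLProtocol all -SSLv3"):
        print(line, "->", weak_enabled(apache_enabled(line)) or "OK")
    print(weak_enabled(dovecot_enabled("ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1")) or "OK")
```

Note that the Apache line from the post enables TLS 1.2 only; whether TLSv1.3 can also be listed depends on the Apache and OpenSSL versions installed.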