How to fix a Web/Mail server that supports insecure SSL/TLS protocol versions

Vulnerability scan

Vulnerability: SSL/TLS Service Supports Weak Protocol

Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), is a network protocol that encrypts communications between TLS servers (e.g., websites) and TLS clients (e.g., web browsers). Every communication is secured by a cipher suite: a combination of several algorithms working in concert. Networking protocols do not have a defined lifetime, but academics, researchers, and nation states are constantly evaluating them for weaknesses. Consensus on which protocols are untrustworthy evolves over time, and if communications are sent with a weak protocol, that communication can be altered or decrypted.

  • Severity: High
  • Risk: A TLS service was observed supporting weak protocols.
  • Recommendation: Disable the protocols listed in the evidence column of the measurement.

Fix

Description

As of 2022, the SSL/TLS protocol versions classified as insecure are:

  • SSL 2.0 and 3.0
  • TLS 1.0 and 1.1 (TLS 1.0 is sometimes referred to as SSL 3.1)

The only versions still considered secure are:

  • TLS 1.2 and 1.3

In short, edit the server's TLS configuration so that the insecure versions are no longer offered and only TLS 1.2 and 1.3 remain. Clients that cannot negotiate at least TLS 1.2 will no longer be able to connect, so check for legacy clients before rolling the change out.

Steps

[Web Server (Apache)]

1. Edit /etc/httpd/conf.d/ssl.conf and change the SSLProtocol directive to:

SSLProtocol -all +TLSv1.2 +TLSv1.3

"-all" switches every version off first, so the explicit "-SSLv3 -TLSv1 -TLSv1.1" tokens seen in many guides are redundant: only the versions added back with "+" are offered. The "+TLSv1.3" token is understood by Apache 2.4.37 and later built against OpenSSL 1.1.1 or later; on an older build leave it out, or httpd will refuse to start. If SSLProtocol is also set inside <VirtualHost> blocks (for example in other files under /etc/httpd/conf.d/), change those as well, because a directive inside a virtual host takes precedence for that host.

2. Verify the syntax with apachectl configtest, then restart Apache:

$ service httpd restart

[Mail Server (Dovecot)]

1. Edit /etc/dovecot/conf.d/10-ssl.conf and change the ssl_protocols setting to:

ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1

This setting applies to Dovecot 2.2 and earlier. Dovecot 2.3 and later replaced ssl_protocols with ssl_min_protocol, which names the lowest version to accept; set it to TLSv1.2 instead. Run doveconf -n afterwards to confirm the value that Dovecot actually loaded.

2. Restart Dovecot:

$ service dovecot restart
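Once Apache and Dovecot have been restarted, confirm from the outside that the weak versions are really gone, because a directive in the wrong file or virtual host leaves the scanner finding open. The script below is an added example and is not part of the original article: it drives openssl s_client once per protocol version and classifies each run. It assumes OpenSSL's s_client is on PATH and that you supply the host and port yourself; the hostnames in the usage comment are placeholders. Classification deliberately keys on the "New, <version>, Cipher is <cipher>" summary line rather than the later "Protocol :" line, and treats a local OpenSSL that refuses to offer a version as an untestable run rather than a server rejection.

```shell
#!/bin/sh
# Added example (not from the original article): probe a TLS service for each
# protocol version with openssl s_client and report which ones it still accepts.
# Assumes openssl is on PATH; host/port are supplied by the caller.

# Classify the combined stdout/stderr of one s_client run ($1). Prints one word:
#   ACCEPTED    the server completed a handshake at the requested version
#   REJECTED    the server refused it (protocol_version alert, handshake failure)
#   UNTESTABLE  the local OpenSSL would not even offer that version, so the run
#               says nothing about the server
#   UNREACHABLE no session summary at all (connection refused, timeout, wrong port)
classify() {
    output=$1
    case "$output" in
        # OpenSSL built without the version (-ssl3 on most modern builds) or
        # refusing it at its default security level (TLS 1.0/1.1 on OpenSSL 3).
        *"nknown option"*|*"no protocols available"*)
            echo UNTESTABLE ;;
        # A failed handshake prints "New, (NONE), Cipher is (NONE)"; check this
        # before the generic "New, ..." pattern below. Do not rely on the
        # SSL-Session "Protocol  :" line, which can echo the attempted version
        # even after a failure.
        *"New, (NONE), Cipher is (NONE)"*)
            echo REJECTED ;;
        # A completed handshake prints e.g. "New, TLSv1.2, Cipher is ECDHE-...".
        *"New, "*", Cipher is "*)
            echo ACCEPTED ;;
        *)
            echo UNREACHABLE ;;
    esac
}

# Run one probe. $1 host, $2 port, $3 s_client version flag (e.g. -tls1_1),
# $4 optional extra arguments such as "-starttls imap" for IMAP on port 143.
probe() {
    # $4 is intentionally unquoted so "-starttls imap" splits into two words.
    out=$(openssl s_client -connect "$1:$2" "$3" $4 </dev/null 2>&1)
    classify "$out"
}

# Probe every version, print one line per version and return 1 if any weak
# version (SSLv3, TLS 1.0, TLS 1.1) is still ACCEPTED, so a deploy can be gated.
check_host() {
    host=$1; port=$2; extra=$3
    rc=0
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
        verdict=$(probe "$host" "$port" "$flag" "$extra")
        printf '%s:%s %-8s %s\n' "$host" "$port" "$flag" "$verdict"
        case "$flag:$verdict" in
            -ssl3:ACCEPTED|-tls1:ACCEPTED|-tls1_1:ACCEPTED) rc=1 ;;
        esac
    done
    return $rc
}

# Usage (placeholder hosts):
#   ./tlscheck.sh www.example.com 443
#   ./tlscheck.sh mail.example.com 993
#   ./tlscheck.sh mail.example.com 143 "-starttls imap"
if [ $# -ge 2 ]; then
    check_host "$1" "$2" "$3"
fi
```

Run it against every port the scanner listed, not just 443: for Dovecot that is typically 993 (IMAPS) and, with STARTTLS, 143 using the extra argument shown. If a TLS 1.0 or 1.1 probe comes back UNTESTABLE, the local OpenSSL is refusing to offer that version itself; on OpenSSL 3 you can pass "-cipher DEFAULT:@SECLEVEL=0" as the extra argument to make it offer the old version, and only then does a REJECTED verdict prove the server-side change.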
