How to fix a Web/Mail Server that uses an insecure SSL protocol
Vulnerability scan
Vulnerability: SSL/TLS Service Supports Weak Protocol
Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), is a network protocol that encrypts communications between TLS servers (e.g., websites) and TLS clients (e.g., web browsers). Every communication is secured by a cipher suite: a combination of several algorithms working in concert. Networking protocols do not have a defined lifetime, but academics, researchers, and nation states are constantly evaluating them for weaknesses. Consensus on which protocols are untrustworthy evolves over time, and if communications are sent with a weak protocol then that communication can be altered or decrypted.
- Severity: High
- Risk: A TLS service was observed supporting weak protocols.
- Recommendation: Disable the protocols listed in the evidence column of the measurement.
Solution
Explanation
As of 2022, the SSL and TLS protocol versions regarded as insecure are:
- SSL 2.0, 3.0
- TLS 1.0, 1.1 (TLS 1.0 is sometimes also regarded as SSL 3.1)
The only secure versions are:
- TLS 1.2, 1.3
In short, all that is needed is to edit the configuration files and disable these insecure protocol versions.
Steps
[Web Server (Apache)]
1. Edit /etc/httpd/conf.d/ssl.conf and change the SSLProtocol parameter to:
SSLProtocol -all -TLSv1 -TLSv1.1 +TLSv1.2 -SSLv3
2. Restart Apache:
$ service httpd restart
[Mail Server (Dovecot)]
1. Edit /etc/dovecot/conf.d/10-ssl.conf and change the ssl_protocols parameter to:
ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
2. Restart Dovecot:
$ service dovecot restart
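Before restarting either service it is worth confirming that a setting really leaves only the versions you intend. The following Python checker is an added example, not part of the original post: it evaluates an Apache SSLProtocol value with mod_ssl's left-to-right +/- semantics and a Dovecot 2.2 ssl_protocols value with its include/exclude semantics, then reports which of the weak versions listed above are still enabled. The function names are my own and the sample lines are constructed.

```python
"""Evaluate the SSLProtocol / ssl_protocols values from the post and report
which weak versions (SSL 2.0/3.0, TLS 1.0/1.1) a setting still allows."""

WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # insecure per the post
SAFE = {"TLSv1.2", "TLSv1.3"}                    # secure per the post
ALL = WEAK | SAFE
_CANON = {v.lower(): v for v in ALL}  # both servers match names case-insensitively


def _canon(name):
    if name.lower() not in _CANON:
        raise ValueError("unknown protocol name: %r" % name)
    return _CANON[name.lower()]


def apache_enabled(value):
    """mod_ssl SSLProtocol: apply tokens left to right; `+X`/`X` adds,
    `-X` removes, `all` is every version mod_ssl can offer (never SSLv2)."""
    enabled = set()
    for token in value.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = ALL - {"SSLv2"} if name.lower() == "all" else {_canon(name)}
        enabled = (enabled | names) if sign == "+" else (enabled - names)
    return enabled


def dovecot_enabled(value):
    """Dovecot 2.2 ssl_protocols: `!X` excludes; if any name appears without
    `!`, only the listed names are included, and exclusions still win."""
    include, exclude = set(), set()
    for token in value.replace(",", " ").split():
        (exclude if token.startswith("!") else include).add(_canon(token.lstrip("!")))
    return (include or ALL) - exclude


def weak_versions(line):
    """One config line in either syntax -> sorted weak versions still enabled
    (an empty list means the fix from the post is in place)."""
    line = line.strip()
    key, value = line.split("=", 1) if "=" in line else line.split(None, 1)
    enabled = {"sslprotocol": apache_enabled,
               "ssl_protocols": dovecot_enabled}[key.strip().lower()](value.strip())
    return sorted(enabled & WEAK)


if __name__ == "__main__":
    # Constructed samples: an old `all -SSLv2 -SSLv3` style line beside the post's fixes.
    for sample in ("SSLProtocol all -SSLv2 -SSLv3",
                   "SSLProtocol -all -TLSv1 -TLSv1.1 +TLSv1.2 -SSLv3",
                   "ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1"):
        print("%-52s still allows: %s" % (sample, weak_versions(sample) or "none"))
```

Run on the post's own Apache line it reports no weak versions, but `apache_enabled` also shows that only TLSv1.2 is enabled, because nothing in that line adds TLSv1.3; add `+TLSv1.3` if your OpenSSL build supports it. Dovecot 2.3 and later replaced `ssl_protocols` with `ssl_min_protocol`, so on those versions set `ssl_min_protocol = TLSv1.2` instead.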