How to fix a Web/Mail server that uses an insecure SSL protocol

Vulnerability scan

Vulnerability: SSL/TLS Service Supports Weak Protocol

Transport Layer Security (TLS), the successor to Secure Socket Layer (SSL), is a network protocol that encrypts communications between TLS servers (e.g., websites) and TLS clients (e.g., web browsers). Every communication is secured by a cipher suite: a combination of several algorithms working in concert. Networking protocols do not have a defined lifetime, but academics, researchers, and nation states are constantly evaluating them for weaknesses. Consensus on which protocols are untrustworthy evolves over time, and if communications are sent with a weak protocol then that communication can be altered or decrypted.

  • Severity: High
  • Risk: A TLS service was observed supporting weak protocols.
  • Recommendation: Disable the protocols listed in the evidence column of the measurement.

Solution

Description

As of 2022, the SSL and TLS protocol versions classed as insecure are:

  • SSL 2.0, 3.0
  • TLS 1.0, 1.1 (TLS 1.0 is sometimes also referred to as SSL 3.1)

The only secure versions are:

  • TLS 1.2, 1.3

In short, just edit the configuration file to disable these insecure protocol versions.

Procedure

[Web Server (Apache)]

1. Edit /etc/httpd/conf.d/ssl.conf and change the SSLProtocol parameter as follows:

SSLProtocol -all -TLSv1 -TLSv1.1 +TLSv1.2 -SSLv3

2. Restart Apache:

$ service httpd restart

[Mail Server (Dovecot)]

1. Edit /etc/dovecot/conf.d/10-ssl.conf and change the ssl_protocols parameter as follows:

ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1

2. Restart Dovecot:

$ service dovecot restart
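Before restarting, it helps to confirm that the edited lines really leave only TLS 1.2/1.3 enabled. The following checker is an added example, not part of this post or of Apache/Dovecot; it evaluates the two directive syntaxes above (Apache's +/-/all keywords, Dovecot's ! exclusions) against the version list from the Description, and assumes that Apache's "all" expands to every version the OpenSSL build knows about.

```python
# Protocol versions an OpenSSL-backed server may offer (assumed expansion of Apache's "all").
ALL_VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Versions the post lists as insecure in 2022.
WEAK_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def apache_enabled(directive: str) -> set:
    """Evaluate an Apache SSLProtocol directive left to right.
    'all' expands to every version; '+' or no prefix enables, '-' disables."""
    enabled = set()
    for tok in directive.split()[1:]:          # drop the leading 'SSLProtocol' keyword
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_VERSIONS if name.lower() == "all" else [name]
        for n in names:
            (enabled.add if sign == "+" else enabled.discard)(n)
    return enabled

def dovecot_enabled(line: str) -> set:
    """Evaluate a Dovecot 2.2-style 'ssl_protocols = ...' line.
    Plain names form an allow list; '!' names are removed from the full set."""
    tokens = line.split("=", 1)[1].split()
    allow = {t for t in tokens if not t.startswith("!")}
    deny = {t[1:] for t in tokens if t.startswith("!")}
    enabled = allow if allow else set(ALL_VERSIONS)
    return enabled - deny

def weak_left(enabled: set) -> set:
    """Versions still enabled that the scanner would flag as weak."""
    return enabled & WEAK_VERSIONS

if __name__ == "__main__":
    # Constructed samples: the two lines from this post plus a common but weak Apache setting.
    samples = {
        "apache (post)":  apache_enabled("SSLProtocol -all -TLSv1 -TLSv1.1 +TLSv1.2 -SSLv3"),
        "apache (weak)":  apache_enabled("SSLProtocol all -SSLv2 -SSLv3"),
        "dovecot (post)": dovecot_enabled("ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1"),
    }
    for label, enabled in samples.items():
        print(f"{label}: enabled={sorted(enabled)} weak={sorted(weak_left(enabled))}")
```

Note that the post's Apache line enables TLS 1.2 only; on Apache 2.4.37 or later with OpenSSL 1.1.1 you can append +TLSv1.3. Dovecot 2.3 replaced ssl_protocols with ssl_min_protocol, so the second parser applies to Dovecot 2.2 and older.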
