我收到了一个错误
“检测到SHA-1密码套件”
在扫描期间。目前我正在使用Apache2.4并已添加
SSLCipherSuite HIGH:!aNULL:!MD5
在httpd.conf文件中,但它似乎无法正常工作。
是否有任何解决方案可以防止此错误和其他弱ssl相关问题?
您可以使用此处提供的工具:
https://mozilla.github.io/server-side-tls/ssl-config-generator/
找到服务器的推荐配置。基于Apache 2.4和OpenSSL 1.0.1e,它建议:
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
用于“中间”兼容性(Firefox 1,Chrome 1,IE 7,Opera 5,Safari 1,Windows XP IE8,Android 2.3,Java 7)或
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
用于“现代”兼容性(Firefox 27,Chrome 30,Windows 7,Edge,Opera 17,Safari 9,Android 5.0和Java 8上的IE 11)。
请注意,除了SSLCipherSuite之外还有其他设置,这取决于您的OpenSSL版本,因此我建议您使用上述网站为您找到最佳设置。