I am trying to reconfigure my Apache server so that it only uses TLSv1. However, it still falls back to SSLv3 with certain browsers.
I set up the tag with the following settings:
<Connector ...
    enableLookups="true" disableUploadTimeout="true"
    acceptCount="100" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    clientAuth="false" sslProtocol="TLS" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA" sslEnabledProtocols="TLSv1" />
Am I missing a configuration setting, or is there something present that I shouldn't have?
Posted on 2015-10-16 09:58:41
I had a similar use case: making Tomcat 7 strictly use TLSv1.2 only, instead of falling back to earlier SSL protocols such as TLSv1.1 or SSLv3.
I am using: C:\apache 7.0.64-64bit and C:\Java64\jdk1.8.0_60.
Following the instructions at https://tomcat.apache.org/tomcat-7.0-doc/security-howto.html, setting up Tomcat's SSL support is relatively straightforward.
From many references I tested many combinations, and finally found one that forces Tomcat 7 to accept only TLSv1.2. Two places need to be touched:
1) In C:\apache-tomcat-7.0.64-64bit\conf\server.xml
<Connector port="8443"
    protocol="org.apache.coyote.http11.Http11Protocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    keystoreFile="ssl/.keystore" keystorePass="changeit"
    clientAuth="false" sslProtocol="SSL" sslEnabledProtocols="TLSv1.2" />
where
keystoreFile = local self-signed trust store
org.apache.coyote.http11.Http11Protocol = the JSSE implementation.
We do not use org.apache.coyote.http11.Http11AprProtocol because it is driven by OpenSSL. The underlying OpenSSL will fall back to supporting earlier SSL protocols.
2) When starting Tomcat, enable the following environment parameters.
set JAVA_HOME=C:\Java64\jdk1.8.0_60
set PATH=%PATH%;C:\Java64\jdk1.8.0_60\bin
set CATALINA_HOME=C:\apache-tomcat-7.0.64-64bit
set JAVA_OPTS=-Djdk.tls.client.protocols="TLSv1.2" -Dsun.security.ssl.allowUnsafeRenegotiation=false -Dhttps.protocols="TLSv1.2"
The JAVA_OPTS restriction is required; otherwise Tomcat (driven by Java 8) will fall back to supporting earlier SSL protocols.
Start Tomcat: C:\apache-tomcat-7.0.64-64bit\bin\startup.bat
We can see the JAVA_OPTS appear in Tomcat's startup log.
Oct 16, 2015 4:10:17 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Djdk.tls.client.protocols=TLSv1.2
Oct 16, 2015 4:10:17 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dsun.security.ssl.allowUnsafeRenegotiation=false
Oct 16, 2015 4:10:17 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dhttps.protocols=TLSv1.2
Then we can use the openssl command to verify our settings. First, connect to localhost:8443 with the TLSv1.1 protocol. Tomcat refuses to reply with the server certificate.
C:\OpenSSL-Win32\bin>openssl s_client -connect localhost:8443 -tls1_1
Loading 'screen' into random state - done
CONNECTED(000001C0)
5372:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:.\ssl\s3_pkt.c:362:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 0 bytes
Connect to localhost:8443 with the TLSv1.2 protocol, and Tomcat replies with the certificate in its ServerHello:
C:\OpenSSL-Win32\bin>openssl s_client -connect localhost:8443 -tls1_2
Loading 'screen' into random state - done
CONNECTED(000001C0)
depth=1 C = US, ST = Washington, L = Seattle, O = getaCert - www.getacert.com
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:/C=SG/ST=SG/L=Singapore/O=Xxxx/OU=Development/CN=Myself
i:/C=US/ST=Washington/L=Seattle/O=getaCert - www.getacert.com
1 s:/C=US/ST=Washington/L=Seattle/O=getaCert - www.getacert.com
i:/C=US/ST=Washington/L=Seattle/O=getaCert - www.getacert.com
---
Server certificate
-----BEGIN CERTIFICATE-----
(ignored)
-----END CERTIFICATE-----
subject=/C=SG/ST=SG/L=Singapore/O=Xxxx/OU=Development/CN=Myself
issuer=/C=US/ST=Washington/L=Seattle/O=getaCert - www.getacert.com
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2367 bytes and written 443 bytes
This proves that Tomcat now strictly responds to TLSv1.2 requests only.
Posted on 2016-05-10 19:42:50
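As an added example (not code from the question or from any of the answers; every Tomcat and OpenSSL sample value in it is constructed), the following Python script applies the two checks the answer above performs by hand: it parses a server.xml and flags SSL connectors that still list legacy versions in sslEnabledProtocols, omit the attribute altogether, or use the OpenSSL-backed Http11AprProtocol, and it classifies openssl s_client transcripts shaped like the two shown so that a batch of probes can be summarised as accepted or rejected per protocol version.

```python
"""Two checks for a TLSv1.2-only Tomcat connector (example code, not Tomcat's own):
1. audit_connectors(): parse server.xml and flag SSL connectors that still enable
   legacy protocol versions, lack sslEnabledProtocols, or use the OpenSSL-backed
   APR connector (reported above to fall back to older versions);
2. classify_s_client(): interpret 'openssl s_client -tls1_1 / -tls1_2' transcripts
   so a batch of probes can be summarised as accepted/rejected per version.
All sample data below is constructed for this example."""
import xml.etree.ElementTree as ET

# Versions that should not appear in sslEnabledProtocols on a TLSv1.2-only connector.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"

# Constructed server.xml: the JSSE connector from the answer above plus an APR
# connector on port 9443 that still enables TLSv1 and TLSv1.1.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="ssl/.keystore" keystorePass="changeit"
               clientAuth="false" sslProtocol="SSL" sslEnabledProtocols="TLSv1.2" />
    <Connector port="9443"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
  </Service>
</Server>
"""


def audit_connectors(server_xml):
    """Return one finding per SSL-enabled <Connector>: port, protocol class,
    the enabled TLS versions and a list of human-readable issues (empty = OK)."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to audit
        enabled = [p.strip() for p in conn.get("sslEnabledProtocols", "").split(",") if p.strip()]
        issues = []
        if not enabled:
            issues.append("sslEnabledProtocols not set; the JSSE default decides which versions are offered")
        legacy = sorted(set(enabled) & LEGACY_PROTOCOLS)
        if legacy:
            issues.append("legacy versions enabled: " + ", ".join(legacy))
        if conn.get("protocol") == APR_PROTOCOL:
            issues.append("APR connector is OpenSSL-backed; verify with s_client, fallback reported")
        findings.append({"port": conn.get("port"), "protocol": conn.get("protocol"),
                         "enabled": enabled, "issues": issues})
    return findings


def classify_s_client(transcript):
    """'accepted' if the server sent its certificate, 'rejected' on the failure
    signatures seen in the answer above, 'unknown' otherwise. 'no protocols
    available' means the local OpenSSL refused the version itself, not the server."""
    if "Server certificate" in transcript and "BEGIN CERTIFICATE" in transcript:
        return "accepted"
    if "no protocols available" in transcript:
        return "unknown"
    rejected_markers = ("wrong version number", "no peer certificate available",
                        "alert protocol version", "handshake failure")
    if any(marker in transcript for marker in rejected_markers):
        return "rejected"
    return "unknown"


def summarise_probes(transcripts):
    """Map {version: s_client transcript} to {version: verdict}."""
    return {version: classify_s_client(text) for version, text in transcripts.items()}


# Constructed transcripts shaped like the two openssl runs in the answer above.
SAMPLE_TRANSCRIPTS = {
    "TLSv1.1": ("CONNECTED(000001C0)\n"
                "5372:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:.\\ssl\\s3_pkt.c:362:\n"
                "---\nno peer certificate available\n---\n"
                "SSL handshake has read 5 bytes and written 0 bytes\n"),
    "TLSv1.2": ("CONNECTED(000001C0)\n---\nCertificate chain\n"
                " 0 s:/C=SG/O=Xxxx/CN=Myself\n---\nServer certificate\n"
                "-----BEGIN CERTIFICATE-----\n(ignored)\n-----END CERTIFICATE-----\n"
                "subject=/C=SG/O=Xxxx/CN=Myself\n---\n"
                "SSL handshake has read 2367 bytes and written 443 bytes\n"),
}

if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        status = "OK" if not finding["issues"] else "; ".join(finding["issues"])
        print(f"port {finding['port']} ({finding['protocol']}): enabled={finding['enabled']} -> {status}")
    for version, verdict in summarise_probes(SAMPLE_TRANSCRIPTS).items():
        print(f"{version}: {verdict}")
```

Run it directly to see the constructed sample, or call audit_connectors() with the contents of your own conf/server.xml. Feed classify_s_client() the captured output of one s_client run per version; on newer OpenSSL builds whose default security level disables old versions, `-tls1_1` can fail with "no protocols available", which is the client refusing rather than the server, so the classifier reports it as unknown instead of rejected.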
The Tomcat 7 documentation clearly states that both the sslEnabledProtocols and sslProtocol options are supported, and that there is overlap between them:
Posted on 2014-10-29 19:17:28
In Tomcat 6.0.41 you need to use the blocking connector, because NIO 1 ignores these settings.
http://wiki.apache.org/tomcat/Security/POODLE
http://mail-archives.apache.org/mod_mbox/tomcat-users/201410.mbox/%3C5440F1C6.3040205@apache.org%3E
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
    keystoreFile="tomcat.jks" keystorePass="changeit" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
https://serverfault.com/questions/637649