Apache HTTPD SSL: disabling SSLv2/v3 and TLSv1.0

2017-11-04 18:38
SSL/TLS has five protocol versions:

SSLv2   insecure
SSLv3   insecure
TLSv1.0 insecure (reference)
TLSv1.1 secure
TLSv1.2 secure



Checking which protocols a web server supports

$ nmap --script ssl-enum-ciphers -p 443  www.xxx.com

Starting Nmap 6.40 ( http://nmap.org ) at 2017-11-04 18:37 CST
Nmap scan report for www.xxx.com (35.194.x.x)
Host is up (0.00076s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds




Apache httpd configuration


httpd-ssl.conf
SSLProtocol all -SSLv2 -SSLv3




Nginx

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
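Both directives above still accept TLSv1.0, which the list at the top rates as insecure. The following httpd-ssl.conf fragment is an added example (not from the original post) that places the page's Apache line beside one that also drops TLSv1.0; it assumes Apache 2.4 with mod_ssl.

```apache
# httpd-ssl.conf fragment (added example, assumes Apache 2.4 + mod_ssl)

# Weak: this is the page's original line. It removes SSLv2 and SSLv3
# but leaves TLSv1.0 enabled, so the nmap scan above still lists it.
# SSLProtocol all -SSLv2 -SSLv3

# Corrected: also disable TLSv1.0 ("TLSv1" is the keyword for TLS 1.0).
SSLProtocol all -SSLv2 -SSLv3 -TLSv1

# Equivalent allow-list form: name only the versions you want to offer.
# SSLProtocol TLSv1.1 TLSv1.2
```

The Nginx equivalent is `ssl_protocols TLSv1.1 TLSv1.2;` (drop `TLSv1` from the directive above); after either change, run `apachectl configtest` or `nginx -t`, reload, and repeat the nmap scan to confirm TLSv1.0 is no longer offered.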




Online SSL test sites

SSL Server Test
Gives a grade from A+ / A down to F with a detailed report; always run it after finishing your SSL configuration.


Test SSL Protocol Support (foundeo.com)
Checks a site's support for SSLv2, SSLv3 and each TLS version.


Cloudflare SSL Test
SSL test tool provided by Cloudflare.



SSL certificate utilities (www.sslbuyer.com)


How to fix SSL-related vulnerabilities on a website (www.sslbuyer.com)