Website SSL vulnerability repair Guide

Source: Internet
Author: User


Some time ago I scanned the company's website with the AWVS scanner and found several SSL vulnerabilities. I collected some repair suggestions from the Internet and share them here; if you run into the same problem, you can use this solution.

The SSL vulnerabilities of Web sites mainly include the following:

1. SSL RC4 Cipher Suites Supported

2. SSL Weak Cipher Suites Supported

3. The FREAK attack (export cipher suites supported)

4. The POODLE attack (SSLv3 supported)

5. SSL 2.0 deprecated protocol

6. OpenSSL 'ChangeCipherSpec' MITM vulnerability (CVE-2014-0224)

I used the repair suggestions recommended by AWVS. The detailed summary is as follows:

1. Disable SSL 2.0 and SSL 3.0.

2. Disable TLS compression and weak cipher suites.

3. Modify the configuration of the web server in use as follows:

Use the following cipher string for OpenSSL:

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5

Apache Server Configuration Guide (mod_ssl ):

For Apache HTTP Server 2.2 or 2.4 with mod_ssl, edit the configuration file apache/conf/extra/httpd-ssl.conf:

SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
SSLCompression Off

Note for Red Hat family Linux distributions:

Some Apache builds do not accept the SSLCompression Off directive. In that case add OPENSSL_NO_DEFAULT_ZLIB=1 to the /etc/sysconfig/httpd file to disable SSL compression.

Nginx Server Configuration Guide:
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5;

Note that whether TLS compression is disabled in nginx depends on the OpenSSL and nginx versions you run. With OpenSSL 1.0.0 or newer, nginx 1.1.6+ or 1.0.9+ disables TLS compression by default. With an OpenSSL older than 1.0.0, nginx 1.2.2+ or 1.3.2+ is required.
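As an added check that is not part of the original guide, the following Python script expands the cipher string recommended above the way OpenSSL does (using Python's ssl module, so it works offline) and lints Apache mod_ssl and nginx TLS directives of the kind shown in both server sections. The HARDENED_CIPHERS string, the WEAK_PATTERNS table and the two sample configurations are my assumptions for illustration: the hardened string drops the 3DES entries because current scanners flag 64-bit block ciphers (Sweet32), and the linter also flags TLS 1.0 and 1.1, which RFC 8996 deprecated.

```python
"""Offline check of the TLS settings recommended in this guide.

Added example (not from the original article): expands an OpenSSL cipher
string locally with Python's ssl module, flags suites a scanner would report
(RC4, 3DES, export, NULL, anonymous, MD5), and lints Apache/nginx directives.
"""
import re
import ssl

# The cipher string given in this guide for OpenSSL, Apache and nginx.
GUIDE_CIPHERS = (
    "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
    "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5"
)
# Assumption, not from the guide: the same list with 3DES removed, because
# 64-bit block ciphers (Sweet32) are flagged as weak by current scanners.
HARDENED_CIPHERS = (
    "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
    "RSA+AESGCM:RSA+AES:!aNULL:!MD5:!3DES"
)

# (pattern matched against the OpenSSL suite name, reason), checked in order.
WEAK_PATTERNS = [
    (re.compile(r"NULL"), "no encryption or no authentication"),
    (re.compile(r"^A(EC)?DH-"), "anonymous key exchange"),
    (re.compile(r"EXP"), "export-grade (FREAK)"),
    (re.compile(r"RC4"), "RC4"),
    (re.compile(r"DES-CBC3"), "3DES (Sweet32)"),
    (re.compile(r"(^|-)DES-CBC-"), "single DES"),
    (re.compile(r"MD5"), "MD5 MAC"),
]


def expand(cipher_string):
    """Return the TLS 1.2-and-below suite names OpenSSL selects for
    cipher_string, in preference order. Raises ssl.SSLError if none match."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are configured separately and are always listed; skip them.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_suites(cipher_string):
    """Return (suite name, reason) for every enabled suite a scanner would flag."""
    findings = []
    for name in expand(cipher_string):
        for pattern, reason in WEAK_PATTERNS:
            if pattern.search(name):
                findings.append((name, reason))
                break
    return findings


def lint_config(text):
    """Lint Apache mod_ssl or nginx TLS directives, one directive per line.
    Conservative: 'all' is treated as enabling every version not explicitly
    removed with a '-' prefix, which is what older Apache releases did."""
    findings = []
    for line in text.splitlines():
        line = line.strip().rstrip(";")
        m = re.match(r"(?i)(SSLProtocol|ssl_protocols)\s+(.*)", line)
        if m:
            tokens = [t.lower().lstrip("+") for t in m.group(2).split()]
            enabled = lambda p: p in tokens or ("all" in tokens and "-" + p not in tokens)
            for proto, why in (("sslv2", "SSL 2.0 enabled"),
                               ("sslv3", "SSL 3.0 enabled (POODLE)"),
                               ("tlsv1", "TLS 1.0 enabled (deprecated)"),
                               ("tlsv1.1", "TLS 1.1 enabled (deprecated)")):
                if enabled(proto):
                    findings.append(why)
            continue
        m = re.match(r"(?i)(SSLCipherSuite|ssl_ciphers)\s+(\S+)", line)
        if m:
            value = m.group(2).strip("\"'")
            try:
                findings += ["weak suite %s: %s" % f for f in weak_suites(value)]
            except ssl.SSLError:
                findings.append("cipher string matches no suites: " + value)
            continue
        m = re.match(r"(?i)SSLCompression\s+(\S+)", line)
        if m and m.group(1).lower() == "on":
            findings.append("TLS compression enabled (CRIME)")
    return findings


# Constructed sample configurations (not taken from any real server).
WEAK_APACHE = """\
SSLProtocol all -SSLv2
SSLCipherSuite RC4-SHA:DES-CBC3-SHA:AES128-SHA
SSLCompression on
"""
GOOD_NGINX = """\
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers %s;
""" % HARDENED_CIPHERS

if __name__ == "__main__":
    for label, cfg in (("weak Apache config", WEAK_APACHE),
                       ("hardened nginx config", GOOD_NGINX)):
        print(label + ":", lint_config(cfg) or ["no findings"])
```

Run it with python3 to see the findings for each sample configuration, or call lint_config on your own httpd-ssl.conf or nginx.conf text. After deploying the change, a live check from a client with a known OpenSSL flag is `openssl s_client -connect host:443 -cipher RC4`, which should fail the handshake once RC4 is gone from the server's list.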
