Website SSL Vulnerability Repair Guide
Some time ago, I scanned the company's website with the AWVS scanner and found several SSL vulnerabilities. I found some repair suggestions on the Internet and am sharing them here; if you run into the same problem I did, you can use this solution.
The SSL vulnerabilities of Web sites mainly include the following:
1. SSL RC4 Cipher Suites Supported
2. SSL Weak Cipher Suites Supported
3. The FREAK attack (export cipher suites supported)
4. The POODLE attack (SSLv3 supported)
5. SSL 2.0 deprecated protocol
6. OpenSSL 'ChangeCipherSpec' MiTM Vulnerability
I used the official repair suggestions recommended by AWVS. The detailed summary is as follows:
1. Disable SSL 2.0 and SSL 3.0.
2. Disable TLS 1.0 compression and weak ciphers.
3. Modify the following configurations for the different web servers:
Use the following cipher configuration for OpenSSL:
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
Apache Server Configuration Guide (mod_ssl):
For Apache HTTP Server 2.2+/2.4+ with mod_ssl, edit the configuration file apache/conf/extra/httpd-ssl.conf:
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
SSLCompression Off
Note that on Red Hat family Linux distributions the following may apply:
Some Apache versions do not support the SSLCompression Off directive. You may need to add OPENSSL_NO_DEFAULT_ZLIB=1 to the /etc/sysconfig/httpd file to disable SSL compression.
Nginx Server Configuration Guide:
ssl_prefer_server_ciphers On;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5;
Note that disabling TLS compression in nginx depends on the OpenSSL and nginx versions you run. With OpenSSL 1.0 and nginx 1.1.6+ or 1.0.9+, TLS compression is disabled by default. With an OpenSSL release older than 1.0, nginx 1.2.2+/1.3.2+ must be used.
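Before deploying the Apache or nginx stanza above, it is worth confirming that the recommended cipher string really excludes the suite classes the scanner flagged (RC4, export-grade, anonymous, MD5-MAC, NULL and single DES) on the OpenSSL build your server links against, and that the protocol options mirror steps 1 and 2. The script below is an added example, not code from the original post or from AWVS; it uses Python's ssl module to have the local OpenSSL expand the guide's cipher string into concrete suite names and checks them against weak-suite name patterns. The pattern table and the function names (expand_cipher_string, weak_suites, build_hardened_context, policy_gaps) are this example's own assumptions. It checks the local library's expansion only, not a live server, so a re-scan of the deployed host is still the final confirmation.

```python
"""Check that the guide's OpenSSL cipher string and protocol options exclude
the weak suites flagged by the scanner, using the local OpenSSL build."""
import re
import ssl

# Cipher string recommended in the guide (the same one used in the Apache
# and nginx configuration stanzas).
HARDENED_CIPHERS = (
    "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
    "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5"
)

# OpenSSL suite-name fragments for the weak classes in the findings list
# (assumed patterns, written for this example). 3DES is not listed here
# because the guide's string deliberately keeps it as a fallback.
WEAK_PATTERNS = {
    "RC4 stream cipher": re.compile(r"RC4"),
    "export-grade (FREAK)": re.compile(r"^EXP"),
    "anonymous key exchange": re.compile(r"^(ADH|AECDH)-|-anon-"),
    "MD5 MAC": re.compile(r"-MD5$"),
    "NULL cipher": re.compile(r"NULL"),
    "single DES": re.compile(r"DES-CBC-"),
}


def expand_cipher_string(cipher_string):
    """Let the local OpenSSL expand a cipher string into the concrete suite
    names it would enable. Raises ssl.SSLError if no suite matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [suite["name"] for suite in ctx.get_ciphers()]


def weak_suites(cipher_string):
    """Map every enabled suite that matches a weak pattern to its finding.
    An empty dict means the string enables none of the flagged classes."""
    flagged = {}
    for name in expand_cipher_string(cipher_string):
        for finding, pattern in WEAK_PATTERNS.items():
            if pattern.search(name):
                flagged[name] = finding
                break
    return flagged


def build_hardened_context():
    """Build a server context that applies the guide's three steps the same
    way the Apache/nginx directives do."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Step 1: SSLProtocol ALL -SSLv2 -SSLv3
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    # Step 2: SSLCompression Off (CRIME-style compression attacks)
    ctx.options |= ssl.OP_NO_COMPRESSION
    # SSLHonorCipherOrder On / ssl_prefer_server_ciphers
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    # Step 3: SSLCipherSuite / ssl_ciphers
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def policy_gaps(ctx):
    """Return the names of required protocol options that are not set."""
    required = {
        "OP_NO_SSLv2": ssl.OP_NO_SSLv2,
        "OP_NO_SSLv3": ssl.OP_NO_SSLv3,
        "OP_NO_COMPRESSION": ssl.OP_NO_COMPRESSION,
        "OP_CIPHER_SERVER_PREFERENCE": ssl.OP_CIPHER_SERVER_PREFERENCE,
    }
    return [name for name, flag in required.items() if (ctx.options & flag) != flag]


if __name__ == "__main__":
    enabled = expand_cipher_string(HARDENED_CIPHERS)
    print(f"{len(enabled)} suites enabled by the hardened string")
    print("weak suites still enabled:", weak_suites(HARDENED_CIPHERS) or "none")
    print("missing protocol options:", policy_gaps(build_hardened_context()) or "none")
```

On a current OpenSSL build the RC4 and export suites are usually not compiled in at all, so the check mostly guards against a legacy build or a mistyped cipher string (for example dropping the `!aNULL` or `!MD5` exclusions); the output lists exactly which enabled suite caused which finding, which is the same information a scanner would report after deployment.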