2025-01-20 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/02 Report--
This article explains in detail how to disable SSLv3 in Apache.
Introduction:
SSL 3.0 is considered insecure because it uses RC4 encryption, which is vulnerable to bias attacks, and CBC mode encryption, which can lead to POODLE attacks.
This vulnerability is often flagged by scans in production environments, and the solution is to disable the protocol on the Apache server.
I. Environment preparation
Understanding SSL and TLS: HTTP transmits data in plaintext. HTTPS emerged to solve this problem, and SSL is the encryption protocol used with HTTPS. When SSL reached version 3.0, the IETF (Internet Engineering Task Force) standardized it; the standardized protocol is TLS 1.0, so TLS is the standardized product of SSL. TLS currently has three versions, 1.0, 1.1 and 1.2, with 1.0 used by default. That covers the basics of SSL and TLS.
Server environment required for the web server to support TLS 1.2:
Apache version >= 2.2.23
OpenSSL version >= 1.0.1
Check the current Apache version on the server
[root@host-192-168149-10 conf.d]# httpd -v
Server version: Apache/2.4.29 (Unix)
Server built: Jan 22 2018 16:51:25
Check the OpenSSL version
[root@host-192-168149-10 conf.d]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
II. Environment remediation
Test the domain name that has the vulnerability. As shown below, a request made over SSLv3 returns data normally. Attackers may exploit this vulnerability to compromise the system.
# curl --sslv3 https://cs.df230.xyz/test/api/configs/fedch/all
{ "overdue": false, "success": true, "errorCode": null, "message": "request successful", "data": {"global": {"copyright": "feature list",}
By default, Apache supports the SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols.
(Note: the SSL feature requires LoadModule ssl_module modules/mod_ssl.so to be enabled in httpd.conf.)
The default Apache configuration is as follows:
SSLProtocol All -SSLv2
Go to the directory /usr/local/apache/conf/extra
Edit ssl.conf with vi and configure it as follows to turn off the SSLv3 protocol:
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
# The later SSLProtocol line overrides the one above, so only TLSv1.2 is offered
SSLProtocol TLSv1.2
After saving the configuration, restart Apache with service httpd restart for the change to take effect.
Test SSLv3 access again; the connection now fails:
[root@host-192-168149-10 conf.d]# curl --sslv3 https://cs.df230.xyz/test/api/configs/fedch/al
curl: (35) SSL connect error
Opening the developer tools in Google Chrome (F12) shows that the browser now uses TLS 1.2 to access the domain.
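To check a configuration file before restarting, the following added example (not part of the original article) evaluates the SSLProtocol lines of a config fragment and reports whether SSLv3 stays enabled. It assumes the fragment is a single configuration context in which the last SSLProtocol line wins and that "all" includes SSLv3, as the article states; the function name effective_sslv3 and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumptions: stdin is one configuration context, the last SSLProtocol
# line in it wins, and "all" includes SSLv3 as the article states.
# Bare protocol names are treated as additive, so the check may over-report
# SSLv3 but does not miss it.

# Reads config text on stdin; prints enabled, disabled or unset.
effective_sslv3() {
    awk '
        BEGIN { state = "unset" }              # no SSLProtocol line seen yet
        /^[ \t]*#/ { next }                    # skip comment lines
        tolower($1) == "sslprotocol" {
            v3 = 0                             # each directive starts empty
            for (i = 2; i <= NF; i++) {
                tok = tolower($i)
                sub(/^\+/, "", tok)            # "+name" and "name" both add
                if (tok == "all" || tok == "sslv3") v3 = 1
                else if (tok == "-all" || tok == "-sslv3") v3 = 0
            }
            state = v3 ? "enabled" : "disabled"
        }
        END { print state }
    '
}

# Constructed inputs: the two configurations shown in the article.
before='SSLProtocol All -SSLv2'
after='SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLProtocol TLSv1.2'

printf 'default config:  SSLv3 %s\n' "$(printf '%s\n' "$before" | effective_sslv3)"
printf 'modified config: SSLv3 %s\n' "$(printf '%s\n' "$after" | effective_sslv3)"
```

A result of unset means the fragment contains no SSLProtocol line, so the protocol set comes from the server default or an enclosing context and should be checked there.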