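I'm still new to Ubuntu, so please bear with me if anything here is inappropriate. I posted this question on Askubuntu, but it was suggested that I post it on superuser.com.
I have been asked to stop supporting TLS1.0 ciphers. A Google search showed that adding the following line to ssl.conf removes TLS1.0 from httpd: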
SSLProtocol all -TLSv1
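Kali Linux has a tool called "sslscan", which I use to scan an IP on port 443 to list the ciphers that IP supports.
Before removing the TLS1.0 ciphers, SSLSCAN worked fine and gave correct results like the following: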
TLS renegotiation:
Session renegotiation not supported
TLS Compression:
Compression disabled
Heartbleed:
TLS 1.0 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.2 not vulnerable to heartbleed
Supported Server Cipher(s):
Accepted TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.0 256 bits DHE-RSA-AES256-SHA DHE 1024 bits
Accepted TLSv1.0 256 bits AES256-SHA
Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
Accepted TLSv1.0 128 bits DHE-RSA-AES128-SHA DHE 1024 bits
Accepted TLSv1.0 128 bits AES128-SHA
Accepted TLSv1.0 112 bits ECDHE-RSA-DES-CBC3-SHA Curve P-256 DHE 256
Accepted TLSv1.0 112 bits EDH-RSA-DES-CBC3-SHA DHE 1024 bits
Accepted TLSv1.0 112 bits DES-CBC3-SHA
Accepted TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.1 256 bits DHE-RSA-AES256-SHA DHE 1024 bits
Accepted TLSv1.1 256 bits AES256-SHA
Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
Accepted TLSv1.1 128 bits DHE-RSA-AES128-SHA DHE 1024 bits
Accepted TLSv1.1 128 bits AES128-SHA
Accepted TLSv1.1 112 bits ECDHE-RSA-DES-CBC3-SHA Curve P-256 DHE 256
Accepted TLSv1.1 112 bits EDH-RSA-DES-CBC3-SHA DHE 1024 bits
Accepted TLSv1.1 112 bits DES-CBC3-SHA
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA DHE 1024 bits
Accepted TLSv1.2 256 bits AES256-SHA
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA DHE 1024 bits
Accepted TLSv1.2 128 bits AES128-SHA
Accepted TLSv1.2 112 bits ECDHE-RSA-DES-CBC3-SHA Curve P-256 DHE 256
Accepted TLSv1.2 112 bits EDH-RSA-DES-CBC3-SHA DHE 1024 bits
Accepted TLSv1.2 112 bits DES-CBC3-SHA
Preferred Server Cipher(s):
TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
SSL Certificate:
"SSL Certificate details, I think is confidential to my organization so not sharing it"
After removing the TLS1.0 ciphers, the SSLSCAN result is as follows:
TLS renegotiation:
Session renegotiation not supported
TLS Compression:
Compression disabled
Heartbleed:
TLS 1.0 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.2 not vulnerable to heartbleed
Supported Server Cipher(s):
Accepted TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.1 256 bits DHE-RSA-AES256-SHA DHE 2048 bits
Accepted TLSv1.1 256 bits AES256-SHA
Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
Accepted TLSv1.1 128 bits DHE-RSA-AES128-SHA DHE 2048 bits
Accepted TLSv1.1 128 bits AES128-SHA
Accepted TLSv1.1 112 bits ECDHE-RSA-DES-CBC3-SHA Curve P-256 DHE 256
Accepted TLSv1.1 112 bits EDH-RSA-DES-CBC3-SHA DHE 2048 bits
Accepted TLSv1.1 112 bits DES-CBC3-SHA
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA DHE 2048 bits
Accepted TLSv1.2 256 bits AES256-SHA
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA DHE 2048 bits
Accepted TLSv1.2 128 bits AES128-SHA
Accepted TLSv1.2 112 bits ECDHE-RSA-DES-CBC3-SHA Curve P-256 DHE 256
Accepted TLSv1.2 112 bits EDH-RSA-DES-CBC3-SHA DHE 2048 bits
Accepted TLSv1.2 112 bits DES-CBC3-SHA
Preferred Server Cipher(s):
TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Failed to connect to get certificate.
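Why can't sslscan connect to get the certificate after the TLS1.0 ciphers were removed? Did I remove TLS1.0 incorrectly? If so, what is the correct way to disable/remove TLS1.0 ciphers? Or is this normal? Does sslscan only use TLS1.0, which I have disabled, to scan the IP on port 443, and is that why it cannot get the certificate?
If anyone wants to view this question on Askubuntu, here is the link: https://askubuntu.com/questions/819568/sslscan-not-getting-executed-properly-after-removing-tls1-0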
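
A way to diff the two scans shown in the question, added here as an example and not part of the original post: it parses sslscan's "Accepted" rows, confirms that TLSv1.0 is no longer offered, and reports the DH parameter sizes and certificate-fetch status of each scan. The function names are hypothetical and the sample input is abridged from the output above.

```python
import re
# One "Accepted" row of sslscan output, e.g.
#   Accepted TLSv1.1 256 bits DHE-RSA-AES256-SHA DHE 2048 bits
ROW = re.compile(r"^\s*Accepted\s+(\S+)\s+\d+\s+bits\s+(\S+)(.*)$")
DH_BITS = re.compile(r"\bDHE\s+(\d+)\s+bits")
CERT_FAIL = "Failed to connect to get certificate"

def parse_sslscan(text):
    """Summarise a scan: ciphers per protocol, DH parameter sizes, cert status."""
    scan = {"protocols": {}, "dh_bits": set(), "cert_fetched": True}
    for line in text.splitlines():
        if CERT_FAIL in line:
            scan["cert_fetched"] = False
        m = ROW.match(line)
        if m:
            proto, cipher, extra = m.groups()
            scan["protocols"].setdefault(proto, set()).add(cipher)
            scan["dh_bits"].update(int(b) for b in DH_BITS.findall(extra))
    return scan

def compare(before, after, must_be_gone=("TLSv1.0",)):
    """Diff two scans and check that the protocols in must_be_gone are disabled."""
    b, a = parse_sslscan(before), parse_sslscan(after)
    return {
        "removed": sorted(set(b["protocols"]) - set(a["protocols"])),
        "still_enabled": sorted(p for p in must_be_gone if p in a["protocols"]),
        "dh_bits": (sorted(b["dh_bits"]), sorted(a["dh_bits"])),
        "cert_fetched": (b["cert_fetched"], a["cert_fetched"]),
    }

# Sample input: abridged from the two scans in the question.
BEFORE = """\
Supported Server Cipher(s):
Accepted TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.0 256 bits DHE-RSA-AES256-SHA DHE 1024 bits
Accepted TLSv1.1 256 bits DHE-RSA-AES256-SHA DHE 1024 bits
Accepted TLSv1.2 256 bits AES256-SHA
SSL Certificate:
"""
AFTER = """\
Supported Server Cipher(s):
Accepted TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.1 256 bits DHE-RSA-AES256-SHA DHE 2048 bits
Accepted TLSv1.2 256 bits AES256-SHA
Failed to connect to get certificate.
"""

if __name__ == "__main__":
    print(compare(BEFORE, AFTER))
```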