.png)
我正在使用FreeBSD 9.2-RELEASE-p5包apache24-2.4.10_2。根据CVE-2014-3566 (POODLE),我继续并SSLProtocol -SSLv3通过重新启动 apache24 服务禁用它,但运行检查后似乎 SSLv3 仍然启用。
<IfModule ssl_module.c>
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLProtocol -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout 300
</IfModule>
我进行的其中一项检查是这样的:
openssl s_client -connect <server>:<port> -ssl3
* 更新 *
我有轻微的配置错误,在替换<IfModule ssl_module.c>为<IfModule ssl_module>apache24之后做过接受我的SSLProtocol:
[alexus@wcmisdlin02 ~]$ openssl s_client -connect j.alexus.org:443 -ssl3
CONNECTED(00000003)
139809335551816:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
139809335551816:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1413476188
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
[alexus@wcmisdlin02 ~]$
答案1
根据 Mozilla 的说法,此配置应该有效:
<VirtualHost *:443>
...
SSLProtocol all -SSLv2 -SSLv3
...
</VirtualHost>