Nessus scan keeps finding EDH-RSA-DES-CBC3-SHA enabled even though it is disabled in SSLCipherSuite

I am a complete novice when it comes to server security, but I will try to explain my problem properly.

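I am trying to disable cipher suites used for Apache TLS termination on a Mac server in order to pass a Nessus scan. All of the cipher suites pass except one, EDH-RSA-DES-CBC3-SHA, which keeps failing. I have looked around and can't seem to find an answer. My server's conf file is below. I put it together from different blogs, but it doesn't seem to work.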

Library/Server/Web/Config/apache2/sites/0000_any_443_www.mySite.com.conf

<VirtualHost 127.0.0.1:34580>
ServerName http://mysitte.com:80
ServerAdmin [email protected]
DocumentRoot "/Library/Server/Web/Data/Sites/Default/myfoler"
DirectoryIndex index.html index.php default.html
CustomLog /var/log/apache2/access_log combinedvhost
ErrorLog /var/log/apache2/error_log
<IfModule mod_ssl.c>
    SSLEngine Off
    SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
    SSLProtocol -all +TLSv1.1 +TLSv1.2
    SSLProxyEngine On
    SSLProxyProtocol -all +TLSv1.1 +TLSv1.2
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
</IfModule>
<Directory "/Library/Server/Web/Data/Sites/Default/myfolder">
    Options All -Indexes -ExecCGI -Includes +MultiViews
    AllowOverride None
    <IfModule mod_dav.c>
        DAV Off
    </IfModule>
    <IfDefine !WEBSERVICE_ON>
        Require all denied
        ErrorDocument 403 /customerror/websitesoff403.html
    </IfDefine>
</Directory>

When I run the test:

Testing ECDHE-ECDSA-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing SRP-DSS-3DES-EDE-CBC-SHA...NO (no ciphers available)
Testing SRP-RSA-3DES-EDE-CBC-SHA...NO (no ciphers available)
Testing SRP-3DES-EDE-CBC-SHA...NO (no ciphers available)
Testing EDH-RSA-DES-CBC3-SHA...YES !!!!!!!!!!!!(This is failing)
Testing EDH-DSS-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing DH-RSA-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing DH-DSS-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing AECDH-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing ADH-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing ECDH-RSA-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing ECDH-ECDSA-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing DES-CBC3-SHA...YES
Testing PSK-3DES-EDE-CBC-SHA...NO (no ciphers available)
Testing ECDHE-RSA-NULL-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-NULL-SHA...NO (sslv3 alert handshake failure)
Testing AECDH-NULL-SHA...NO (sslv3 alert handshake failure)
Testing ECDH-RSA-NULL-SHA...NO (sslv3 alert handshake failure)
Testing ECDH-ECDSA-NULL-SHA...NO (sslv3 alert handshake failure)
Testing NULL-SHA256...NO (sslv3 alert handshake failure)
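
An added cross-check, not part of the original post: mod_ssl applies SSLCipherSuite only in a virtual host where SSLEngine is enabled, so this script reads a vhost file and the scan output and reports every cipher that was accepted on the wire while its `!` exclusion sits in a vhost with SSLEngine off. The function names and the trimmed sample inputs are constructed for illustration; which listener actually terminates TLS is not shown on the page.

```python
import re

# Constructed sample input, trimmed from the vhost and scan output in the question.
SAMPLE_CONF = """<VirtualHost 127.0.0.1:34580>
<IfModule mod_ssl.c>
    SSLEngine Off
    SSLCipherSuite "DES-CBC3-SHA:!aNULL:!EDH-RSA-DES-CBC3-SHA"
</IfModule>
"""
SAMPLE_SCAN = """Testing EDH-RSA-DES-CBC3-SHA...YES
Testing EDH-DSS-DES-CBC3-SHA...NO (sslv3 alert handshake failure)
Testing DES-CBC3-SHA...YES
Testing PSK-3DES-EDE-CBC-SHA...NO (no ciphers available)
"""

def audit_vhosts(conf_text):
    """One dict per <VirtualHost>: address, SSLEngine state, '!'-excluded ciphers."""
    out = []
    blocks = re.finditer(r"<VirtualHost\s+([^>]+)>(.*?)(?=<VirtualHost|\Z)",
                         conf_text, re.S | re.I)
    for m in blocks:
        addr, body = m.group(1).strip(), m.group(2)
        engine = re.search(r"^\s*SSLEngine\s+(\S+)", body, re.M | re.I)
        suite = re.search(r'^\s*SSLCipherSuite\s+"?([^"\n]+)', body, re.M | re.I)
        tokens = suite.group(1).split(":") if suite else []
        out.append({
            "address": addr,
            # mod_ssl only applies SSLCipherSuite where it terminates TLS itself.
            "ssl_engine_on": bool(engine) and engine.group(1).lower() in ("on", "optional"),
            "loopback": addr.startswith(("127.", "localhost", "[::1]")),
            "excluded": [t.strip()[1:] for t in tokens if t.strip().startswith("!")],
        })
    return out

def accepted_ciphers(scan_text):
    """Cipher names the scan reported as negotiated (YES)."""
    return [name for name, res in
            re.findall(r"^Testing (\S+?)\.\.\.(YES|NO)", scan_text, re.M) if res == "YES"]

def ineffective_exclusions(conf_text, scan_text):
    """(cipher, vhost) pairs: accepted on the wire, yet '!'-excluded in a vhost
    whose SSLEngine is off, so that exclusion never reached a TLS listener."""
    accepted = set(accepted_ciphers(scan_text))
    return [(c, v["address"]) for v in audit_vhosts(conf_text)
            if not v["ssl_engine_on"] for c in v["excluded"] if c in accepted]

if __name__ == "__main__":
    for cipher, vhost in ineffective_exclusions(SAMPLE_CONF, SAMPLE_SCAN):
        print(f"{cipher}: excluded in {vhost}, but SSLEngine is Off there")
```

A non-empty result means the cipher list has to be changed on whatever component accepts the external TLS connections, then the scan re-run.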
