我的 Web 服务器上有一个测试虚拟主机,我正尝试强制执行 TLSv1.3,但 Apache 拒绝禁用 TLSv1.2。TLSv1.3 确实有效,但以下验证服务均显示 TLSv1.2 仍在我的虚拟主机上运行:
https://www.digicert.com/help/
https://www.ssllabs.com/ssltest/
https://www.immuniweb.com/ssl/
我尝试了几种不同的方法,包括以下所有方法:
SSLProtocol -all +TLSv1.3
SSLProtocol +all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLProtocol -all -TLSv1.2 +TLSv1.3
SSLProtocol +TLSv1.3
系统信息:
Ubuntu 20.04.2 LTS
OpenSSL 1.1.1f
Apache 2.4.41
全局 SSL 配置:
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLCipherSuite HIGH:!aNULL
#SSLProtocol all -SSLv3
SSLUseStapling On
SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_stapling(128000000)"
SSLStaplingResponderTimeout 2
SSLStaplingReturnResponderErrors off
SSLStaplingFakeTryLater off
SSLStaplingStandardCacheTimeout 86400
虚拟主机配置:
<VirtualHost XX.XX.XX.XX:443>
ServerName testing.example.com
DocumentRoot "/var/www/test"
ErrorLog ${APACHE_LOG_DIR}/test-error.log
CustomLog ${APACHE_LOG_DIR}/test-access.log combined
# Include /etc/letsencrypt/options-ssl-apache.conf
SSLEngine on
SSLCompression off
SSLCertificateFile /etc/letsencrypt/live/testing.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/testing.example.com/privkey.pem
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# SSLCipherSuite "HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128"
# SSLHonorCipherOrder off
SSLProtocol -all +TLSv1.3
SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem"
</VirtualHost>
来自“apachectl -S”的信息:
root@domain:~# apachectl -S
VirtualHost configuration:
XX.XX.XX.XX:80 is a NameVirtualHost
...
(irrelevant)
...
XX.XX.XX.XX:443 is a NameVirtualHost
default server blah.example.com (/etc/apache2/sites-enabled/sites.conf:13)
port 443 namevhost blah.example.com (/etc/apache2/sites-enabled/sites.conf:13)
**port 443 namevhost test.example.com (/etc/apache2/sites-enabled/sites.conf:29)**
port 443 namevhost blah.example.com (/etc/apache2/sites-enabled/sites.conf:54)
port 443 namevhost blah.example.com (/etc/apache2/sites-enabled/sites.conf:93)
port 443 namevhost blah.example.org (/etc/apache2/sites-enabled/sites.conf:111)
port 443 namevhost blah.example.tk (/etc/apache2/sites-enabled/sites.conf:132)
port 443 namevhost blah.example.com (/etc/apache2/sites-enabled/sites.conf:145)
[XX:XX:XX:XX:XX:XX:XX:XX]:80 is a NameVirtualHost
...
(irrelevant)
...
[XX:XX:XX:XX:XX:XX:XX:XX]:443 is a NameVirtualHost
...
(irrelevant; note the subdomain in question only has IPV4 DNS entry no IPV6)
...
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex fcgid-proctbl: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex fcgid-pipe: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: MODPERL2
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33
root@domain:~#
我已经将其从有问题的虚拟主机中注释掉,但其他虚拟主机正在使用 letsencrypt/options-ssl-apache.conf,我将在这里将其包含进去,以防它可能以某种方式干扰:
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on
SSLSessionTickets off
SSLOptions +StrictRequire