I came across the article Strong SSL Security on Apache2. There is no way around it: 2014 was the year SSL/TLS security really came of age, so whenever a good article turns up I cannot help making a note of it.

I am almost numb to SSL/TLS by now.

The BEAST attack and RC4

RC4 is a TLS 1.0-era cipher; given the BEAST attack, and the possibility that the NSA has broken RC4, it is no longer considered secure and must be disabled.

SSL Compression (CRIME attack)

SSLCompression off

SSLv2 and SSLv3

SSLProtocol All -SSLv2 -SSLv3

The Cipher Suite

The recommended cipher suite:

SSLCipherSuite AES256+EECDH:AES256+EDH

The recommended cipher suite for backwards compatibility (IE6/WinXP):

SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

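The directives above are shown one at a time; the following virtual host puts them together in one place. This is an added example written for this note, not configuration from the raymii.org article or from the Apache project. The hostname, port and certificate paths are placeholders, and SSLHonorCipherOrder (a standard mod_ssl directive, not mentioned above) is included so the server's preference order wins over the client's.

```apache
# Added example: an Apache 2.4 mod_ssl virtual host combining the
# hardening settings discussed above. Names and paths are placeholders.
<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/example.com.key
    SSLCertificateChainFile /etc/ssl/certs/example.com-chain.crt

    # SSLv2 and SSLv3: turn both off, keep every TLS version
    SSLProtocol All -SSLv2 -SSLv3

    # TLS compression: off, so CRIME has nothing to work with
    SSLCompression off

    # Prefer the server's cipher order over the client's (assumed addition)
    SSLHonorCipherOrder on

    # The recommended cipher suite from the note: ECDHE/DHE with AES-256 only,
    # which by construction contains no RC4, DES, MD5 or export ciphers
    SSLCipherSuite AES256+EECDH:AES256+EDH
</VirtualHost>
```

Run `apachectl configtest` (or `apache2ctl -t` on Debian-based systems) before reloading, and `openssl ciphers -v 'AES256+EECDH:AES256+EDH'` to see exactly which cipher names the string expands to on the OpenSSL build Apache is linked against; the expansion is what the server will actually offer.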

https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
http://drops.wooyun.org/tips/4403
Last modified: 28 January 2015
