Apache SSL: "Obsolete key exchange (RSA)"


I have a website hosted with Apache and SSL, using a Let's Encrypt certificate. In the Chrome/Chromium browser, under Developer Tools -> Security, I see the following message:

Obsolete Connection Settings

The connection to this site uses a strong protocol (TLS 1.2), an obsolete key exchange (RSA), and a strong cipher (AES_128_GCM).
Here is my Apache SSL configuration:

<IfDefine SSL>
<IfDefine SSL_DEFAULT_VHOST>
<IfModule ssl_module>
Listen 443

<VirtualHost _default_:443>
    ServerName localhost
    Include /etc/apache2/vhosts.d/default_vhost.include
    ErrorLog /var/log/apache2/ssl_error_log
    <IfModule log_config_module>
            TransferLog /var/log/apache2/ssl_access_log
    </IfModule>
    SSLEngine on
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
    SSLHonorCipherOrder On
    SSLCertificateFile /home/wof/ssl/fullchain1.pem
    SSLCertificateKeyFile /home/wof/ssl/privkey1.pem
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/var/www/localhost/cgi-bin">
            SSLOptions +StdEnvVars
    </Directory>
    <IfModule setenvif_module>
            BrowserMatch ".*MSIE.*" \
                    nokeepalive ssl-unclean-shutdown \
                    downgrade-1.0 force-response-1.0
    </IfModule>
    <IfModule log_config_module>
            CustomLog /var/log/apache2/ssl_request_log \
                    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </IfModule>
</VirtualHost>
</IfModule>
</IfDefine>
</IfDefine>

# vim: ts=4 filetype=apache


What should I change in this configuration file to get rid of this obsolete key exchange?

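Sorry for my earlier mistake. I got some things mixed up.

This is how to see which ciphers are supported on the server and their order of preference: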

nmap --script ssl-enum-ciphers -p 443 warsoftheheroes.eu

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-10 17:23 CEST
Nmap scan report for warsoftheheroes.eu (81.163.204.80)
Host is up (0.051s latency).
rDNS record for 81.163.204.80: pppoe-static-a-80.interblock.pl
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.1: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.2: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A
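As you can see, the third option for TLSv1.2 is TLS_RSA_WITH_AES_128_GCM_SHA256, which is part of the "AES128" that you enabled in your configuration.

Steffen Ullrich is probably right about the missing ECDHE support, which is probably why the RSA key exchange cipher is in third place. I would think the ECDHE ciphers would be preferred if they were supported.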
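The same reading of the scan can be done mechanically. The following is an added example, not part of the original answer: it groups the suites in saved `ssl-enum-ciphers` output by key exchange for each protocol. The function names are hypothetical and the sample input is a constructed excerpt in the shape of the scan output above.

```shell
#!/bin/sh
# Added example, not from the original answer. Function names are hypothetical.
# Reads saved `nmap --script ssl-enum-ciphers` output on stdin and prints, per
# protocol, how many suites use each key exchange and which suite is listed first.
kx_by_protocol() {
    awk '
        # Protocol header, e.g. "|   TLSv1.2:"
        $1 == "|" && $2 ~ /^(SSL|TLS)v[0-9.]+:$/ {
            proto = $2; sub(/:$/, "", proto); order[++n] = proto; next
        }
        # Suite line, e.g. "|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A"
        $1 == "|" && $2 ~ /^TLS_/ && proto != "" {
            if      ($2 ~ /^TLS_ECDHE_/) kx = "ECDHE"
            else if ($2 ~ /^TLS_DHE_/)   kx = "DHE"
            else if ($2 ~ /^TLS_RSA_/)   kx = "RSA"   # static RSA, no forward secrecy
            else                         kx = "other"
            count[proto, kx]++
            if (!(proto in first)) first[proto] = $2
        }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                printf "%s ECDHE=%d DHE=%d RSA=%d first=%s\n", p,
                    count[p, "ECDHE"], count[p, "DHE"], count[p, "RSA"], first[p]
            }
        }'
}

# Constructed sample input (abridged scan output).
sample_scan() {
cat <<'EOF'
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
EOF
}

# On a real scan: nmap --script ssl-enum-ciphers -p 443 HOST | kx_by_protocol
sample_scan | kx_by_protocol
```

A line with ECDHE=0 for every protocol means the server never offers ECDHE, whatever the SSLCipherSuite directive lists.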

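According to [link] your site does not support any ECDHE ciphers, even though it looks like you have configured these in the server configuration. Since TLS 1.2 support (which you have) and ECDHE support (which you don't) were both added in OpenSSL 1.0.1, my guess is that you have a version of OpenSSL which was compiled without ECC (and thus without ECDHE) support.

As far as I know, older versions of RHEL (and thus CentOS) and Fedora shipped with ECC support removed for patent reasons, so you might check whether you are using one of the affected systems.
The output of openssl ciphers -V gives you the supported ciphers, and you should check there whether ECDHE is supported.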
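One way to run that check, as an added example that is not part of the original answer: tally the Kx= column of `openssl ciphers -V` output and test for ephemeral ECDH. The function names are hypothetical and the two sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not from the original answer. Function names are hypothetical.
# Classifies `openssl ciphers -V` output by its Kx= (key exchange) column to
# show whether the local OpenSSL build can do ECDHE at all.

# Print "Kx=<value> <count>" for every key-exchange type seen on stdin.
kx_counts() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^Kx=/) c[$i]++ }
         END { for (k in c) print k, c[k] }' | sort
}

# Succeed only if some suite uses ephemeral ECDH. OpenSSL prints that as
# "Kx=ECDH"; static ECDH appears as "Kx=ECDH/RSA" and does not count.
has_ecdhe() {
    grep -Eq 'Kx=ECDH([[:space:]]|$)'
}

# Constructed output in the shape a build without ECC support would print.
sample_no_ecc() {
cat <<'EOF'
          0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
          0x00,0x9C - AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
          0x00,0x2F - AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
EOF
}

# Constructed output in the shape a build with ECC support would print.
sample_with_ecc() {
cat <<'EOF'
          0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
          0x00,0x9C - AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
EOF
}

# On a real host: openssl ciphers -V 'ALL' | kx_counts
sample_no_ecc | kx_counts
if sample_no_ecc | has_ecdhe; then
    echo "ECDHE available"
else
    echo "no ECDHE in this build"
fi
```

If has_ecdhe fails on the real `openssl ciphers -V 'ALL'` output, no SSLCipherSuite setting can enable ECDHE until the library is rebuilt or replaced.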

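"So in your case RSA is the preferred key exchange method." - This is wrong. The first entry, such as ECDHE-RSA-AES128-GCM-SHA256, uses RSA for authentication, while ECDHE is used for key exchange. See openssl ciphers -V, which shows authentication (Au=...) and key exchange (Kx=...).

Yes, I have removed all RSA entries from SSLCipherSuite, but nothing changed; the message is still there.

Your server does not appear to be selecting ECDHE-based cipher suites. What versions of apache and openssl are you using?

Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [link] in the Help Center. Perhaps [link] or [link] would be a better place to ask. Also see [link].

When I searched via Google for a place to ask my question (apache, stackexchange), most results pointed to stackoverflow. I was surprised, but I went with the majority.

@Bartosz - Yes, Stack Overflow is a dumping ground. Don't judge whether a topic is appropriate based on what you have seen in the past. Also see [link]. Generally, you can use
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite "HIGH:!aNULL:!kRSA:!MD5:!RC4"
to clear most report card issues. Also see [link] on Super User.

The problem was that openssl was emerged/compiled with the bindist USE flag (Gentoo). Thanks for pointing me in the right direction.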