2022/01/01

This round of vulnerability scanning found the same issue on many machines.


Vulnerability Detection Result

'Vulnerable' cipher suites accepted by this service via the TLSv1.0 protocol:

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

'Vulnerable' cipher suites accepted by this service via the TLSv1.1 protocol:

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

'Vulnerable' cipher suites accepted by this service via the TLSv1.2 protocol:

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)


The fix is as follows:

vi /etc/httpd/conf.d

Change the settings as follows (the original lines are left commented out):

 

#SSLProtocol all -SSLv2 -SSLv3

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1


#   SSL Cipher Suite:

#   List the ciphers that the client is permitted to negotiate.

#   See the mod_ssl documentation for a complete list.

#SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA


SSLCipherSuite HIGH:!3DES:!aNULL:!MD5:!SEED:!IDEA


After making the change, restart httpd:

systemctl restart httpd


Test with nmap:


nmap --script ssl-enum-ciphers -p 443 10.0.0.1

Starting Nmap 7.80 ( https://nmap.org ) at 2022-01-01 13:54 CST

Nmap scan report for www.nkuht.edu.tw (10.0.0.1)

Host is up (0.00029s latency).


PORT    STATE SERVICE

443/tcp open  https

| ssl-enum-ciphers:

|   TLSv1.2:

|     ciphers:

|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A

|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A

|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A

|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A

|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A

|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A

|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A

|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A

|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A

|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A

|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A

|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A

|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A

|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A

|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A

|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A

|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A

|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A

|     compressors:

|       NULL

|     cipher preference: server

|_  least strength: A


Nmap done: 1 IP address (1 host up) scanned in 0.58 seconds
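Since many machines had the same finding, the nmap check above can be automated per host. This is an added example, not part of the original post: `audit_tls_scan` is a hypothetical helper that reads `ssl-enum-ciphers` output on stdin and flags the protocols this fix disables (plus SSLv2/SSLv3) and any 3DES suite; both sample scans are constructed.

```shell
#!/usr/bin/env bash
# Added example. Usage against a real host (HOST is a placeholder):
#   nmap --script ssl-enum-ciphers -p 443 HOST | audit_tls_scan

# Prints one line per finding; returns 1 if anything was flagged, 0 if clean.
audit_tls_scan() {
  awk '
    # Protocol header, e.g. "|   TLSv1.2:"
    $2 ~ /^(SSLv|TLSv)[0-9.]+:$/ {
      proto = $2; sub(/:$/, "", proto)
      if (proto ~ /^SSLv/ || proto == "TLSv1.0" || proto == "TLSv1.1") {
        print "LEGACY_PROTOCOL " proto; bad = 1
      }
      next
    }
    # Cipher line, e.g. "|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C"
    $2 ~ /^TLS_/ && $2 ~ /3DES/ {
      print "SWEET32 " proto " " $2; bad = 1
    }
    END { exit (bad + 0) }
  '
}

# Constructed sample: a host still offering TLSv1.0 and 3DES (not real scan data).
sample_before() { cat <<'EOF'
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|_  least strength: C
EOF
}

# Constructed sample: the same host after the SSLProtocol/SSLCipherSuite change.
sample_after() { cat <<'EOF'
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|_  least strength: A
EOF
}

sample_before | audit_tls_scan || echo "before: remediation needed"
sample_after  | audit_tls_scan && echo "after: clean"
```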
