Home > Operation and Maintenance > Apache > How to disable sslv3 in apache

How to disable sslv3 in apache

王林
Release: 2020-12-25 11:04:21
forward
3735 people have browsed it

How to disable sslv3 in apache

Introduction:

ssl 3.0 is considered unsafe because it uses RC4 encryption or CBC mode encryption, and the former is susceptible to bias attacks, while the latter Leads to POODLE attack.

In production environments, this vulnerability is often scanned. The solution is to disable the protocol on the apache server.

(Learning video sharing: Programming video)

1. Environment preparation

Understand SSL and TLS: http is used in the data transmission process. Plain text, in order to solve this problem https came into being, and ssl is an encryption protocol based on https. When SSL was updated to version 3.0, IETF (Internet Engineering Task Force) standardized SSL3.0. The standardized protocol is TLS1.0, so TLS is the standardized product of SSL. TLS currently has 1.0, 1.1, There are three versions of 1.2, and 1.0 is used by default. At this point we have a basic understanding of SSL and TLS.

The server operating environment required for the web server to support TLS1.2:

Apache对应版本应>=2.2.23;
OpenSSL对应版本应>= 1.0.1
Copy after login

View the current server apache version

[root@host-192-168-149-10 conf.d]# httpd -v
Server version: Apache/2.4.29 (Unix)
Server built:   Jan 22 2018 16:51:25
Copy after login

openssl version

[root@host-192-168-149-10 conf.d]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
Copy after login

2. Environment rectification

Test domain names with security vulnerabilities. Access through sslv3 as follows can return information normally. Attackers may use this vulnerability to harm the system.

[root@host-192-168-149-10 conf.d]# curl  --sslv3 https://cs.df230.xyz/test/api/configs/fedch/all
{
  "overdue" : false,
  "success" : true,
  "errorCode" : null,
  "message" : "请求成功",
  "data" : {
    "global" : {
      "copyright" : "功能清单",
}
Copy after login

apache supports SSLv3, TLSv1, TLSv1.1, TLSv1.2 protocols by default

(Note: the ssl function needs to enable LoadModule ssl_module modules/mod_ssl.so in http.conf)

The default configuration of apache is as follows

SSLProtocol All -SSLv2
Copy after login

Enter the directory /usr/local/apache/conf/extra

vi modify ssl.conf as follows to close the sslv3 protocol

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLProtocol TLSv1.2
Copy after login

After the configuration is saved, service httpd restart is required to restart apache to make the configuration take effect

Test sslv3 access again, unable to access

[root@host-192-168-149-10 conf.d]# curl  --sslv3 https://cs.df230.xyz/test/api/configs/fedch/al
curl: (35) SSL connect error
Copy after login

Enter development mode through Google browser F12, you can see the browsing The SSL protocol used by the server to access the current domain name is TLS1.2.

How to disable sslv3 in apache

At this point, the vulnerability rectification is completed, so easy!

Related recommendations: apache tutorial

The above is the detailed content of How to disable sslv3 in apache. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:csdn.net
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template