Apache is not using the SSLProtocol & SSLCipherSuite directives from my configuration
I am trying to set up HTTPS on my web server. I get `Error code: SSL_ERROR_NO_CYPHER_OVERLAP` in Firefox and `ERR_SSL_VERSION_OR_CIPHER_MISMATCH` in Chrome. I looked it up and found that my SSL protocol or ciphers are not supported. The test at SSL Labs (https://www.ssllabs.com/ssltest/) results in `No secure protocol supported`. GeekFlare's TLS test (https://gf.dev/tls-test) shows that no TLS protocol is enabled. I also tested with `nmap --script ssl-enum-ciphers -p 443 mydomain.com` and got this result:

```
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-09 11:23 WIB
Nmap scan report for mydomain.in-addr.arpa (mydomain)
Host is up (0.0079s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DH_anon_WITH_AES_256_CBC_SHA - F
|     compressors:
|       NULL
|     cipher preference: indeterminate
|     cipher preference error: Too few ciphers supported
|     warnings:
|       Forward Secrecy not supported by any cipher
|   TLSv1.1:
|     ciphers:
|       TLS_DH_anon_WITH_AES_256_CBC_SHA - F
|     compressors:
|       NULL
|     cipher preference: indeterminate
|     cipher preference error: Too few ciphers supported
|     warnings:
|       Forward Secrecy not supported by any cipher
|   TLSv1.2:
|     ciphers:
|       TLS_DH_anon_WITH_AES_256_CBC_SHA - F
|     compressors:
|       NULL
|     cipher preference: indeterminate
|     cipher preference error: Too few ciphers supported
|     warnings:
|       Forward Secrecy not supported by any cipher
|_  least strength: F

Nmap done: 1 IP address (1 host up) scanned in 2.67 seconds
```
Basically, none of the protocols and ciphers I set in the SSL configuration are being used. Even after changing the protocol and trying specific ciphers, I get the same result.

I am using CentOS 8, Apache 2.4.37 and OpenSSL 1.1.1g.
These are my latest SSL protocol and cipher settings:

```
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
```
I have set them in every SSL configuration file I know of on my server that contains SSLProtocol and SSLCipherSuite:

- /etc/httpd/conf.d/ssl.conf
- /etc/httpd/conf.d/mydomain.conf
- /etc/letsencrypt/options-ssl-apache.conf
EDIT

`openssl ciphers -s -v` shows:

```
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-CCM              TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM(256) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-CCM              TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES256-CCM      TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-CCM      TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
```

`openssl s_client -connect server_public_IP:443` returns:

```
CONNECTED(00000003)
140639468660544:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1544:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 301 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
```
I have tried other TLS protocols and ciphers many times, but no change I make has any effect.

Is there something I am missing? Could another configuration file be overriding the configuration?

Any help is appreciated, thanks.
It turns out the problem was not in the configuration. The port I was using was not forwarded at all; something else was listening on it, which made the open-port checker show the port as open. After forwarding the port, everything works.
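As an added example (not code from either post), the check below turns the nmap output in the question into the conclusion the answer reached: it parses `ssl-enum-ciphers` output, converts the configured SSLCipherSuite into the IANA names nmap prints, and flags anonymous key exchange, the absence of every configured cipher, and missing TLS 1.3 as signs that the listener being reached is not the configured Apache vhost. The OpenSSL-to-IANA name converter is an assumption that only covers the (EC)DHE AEAD suites in the question, and the sample output is a constructed excerpt of the scan shown above.

```python
"""Cross-check nmap ssl-enum-ciphers output against an Apache SSLCipherSuite (added example)."""
import re
# Configuration from the question (its SSLProtocol also enables +TLSv1.3).
SUITE = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
         "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
         "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
         "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384")

# Constructed sample: the TLSv1.0 and TLSv1.2 sections of the question's nmap output.
NMAP_OUTPUT = """
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DH_anon_WITH_AES_256_CBC_SHA - F
|   TLSv1.2:
|     ciphers:
|       TLS_DH_anon_WITH_AES_256_CBC_SHA - F
|_  least strength: F
"""

def openssl_to_iana(name):
    """OpenSSL name -> IANA name as nmap prints it. Assumption: covers only (EC)DHE AEAD suites."""
    kx, au, enc = name.split("-", 2)
    enc = enc.replace("AES128", "AES_128").replace("AES256", "AES_256").replace("-", "_")
    return f"TLS_{kx}_{au}_WITH_{enc}" + ("_SHA256" if enc.endswith("POLY1305") else "")

def parse_enum_ciphers(text):
    """Return {protocol: [IANA cipher names]} from nmap ssl-enum-ciphers output."""
    ciphers, proto = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").rstrip()
        if re.fullmatch(r"(SSLv3|TLSv1\.[0-3]):", line):
            proto = line[:-1]
            ciphers[proto] = []
        elif proto and (m := re.match(r"TLS_[A-Za-z0-9_]+", line)):
            ciphers[proto].append(m.group())
    return ciphers

def diagnose(observed, cipher_suite, tls13_expected=True):
    """List signs that the listener nmap reached is not the configured Apache vhost."""
    expected = {openssl_to_iana(c) for c in cipher_suite.split(":")}
    offered = {c for names in observed.values() for c in names}
    findings = []
    if any("_anon_" in c for c in offered):
        findings.append("anonymous key exchange offered: this listener presents no certificate")
    if not offered & expected:
        findings.append("none of the configured ciphers seen: another service is answering")
    if tls13_expected and "TLSv1.3" not in observed:
        findings.append("TLSv1.3 not offered although SSLProtocol enables +TLSv1.3")
    return findings
```

Run `diagnose(parse_enum_ciphers(NMAP_OUTPUT), SUITE)` against the scan in the question and all three findings fire, which matches the `no peer certificate available` line from `openssl s_client` and points at the listener rather than at Apache's directives.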