问题描述
我正在尝试让运行Apache 2.2.17的Fedora 14服务器通过McAfee ScanAlert通过PCI-DSS遵从性扫描.我第一次尝试使用在ssl.conf中设置的默认SSLCipherSuite和SSLProtocol指令...
I'm trying to get a Fedora 14 server running Apache 2.2.17 to pass a PCI-DSS compliance scan by McAfee ScanAlert. My first attempt using the default SSLCipherSuite and SSLProtocol directives set in ssl.conf...
SSLProtocol ALL -SSLv2
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
失败,原因是启用了弱密码.使用ssllabs和serverniff工具进行的扫描显示,确实有40位和56位密钥可用.
failed citing that weak ciphers were enabled. Scans with ssllabs and serversniff tools revealed that 40 and 56 bit keys were indeed available.
然后我更改为...
SSLProtocol -ALL +SSLv3 +TLSv1
并尝试了在各个站点上报告的以下所有字符串,以通过来自各种供应商的PCI扫描...
and tried all of the following strings reported on various sites to pass PCI scans from assorted vendors...
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH
SSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL
SSLCipherSuite ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:RC4+RSA:+HIGH:+MEDIUM
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
SSLCipherSuite ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:!MEDIUM:RC4+RSA:+HIGH
我在更新后重新启动apache,并且apachectl configtest说我的语法还可以.随后的ScanAlert扫描全部失败,其他扫描工具继续显示40和56位密码可用.我尝试将SSLProtocol和SSLCipherSuite直接添加到httpd.conf中的VirtualHost,但这没有帮助.
I am restarting apache after updates and apachectl configtest says that my syntax is ok. Subsequent ScanAlert scans have all failed and other scanning tools continue to show 40 and 56 bit ciphers available. I have tried adding SSLProtocol and SSLCipherSuite directly to the VirtualHost in httpd.conf and that has not helped.
实际上感觉是某个地方正在覆盖这些设置,但是除了ssl.conf之外,我找不到任何可以设置这些值的地方.
It actually feels like something somewhere is overriding these settings but I cannot find anything anywhere that sets these values other than ssl.conf.
如果某人可以提供已知的优质SSLCipherSuite并通过了最近的PCI扫描,则对跟踪我的问题将大有帮助.
If someone could provide a known good SSLCipherSuite that has passed a recent PCI scan it would help a lot in tracking down my problem.
谢谢.
推荐答案
经过数小时的搜索和拔头发,我发现了自己的问题.
After hours of searching and hair pulling I found my problem.
ssl.conf中的默认SSLProtocol和SSLCipherSuite指令存储在标记为<VirtualHost _default_:443>
的默认容器中.
The default SSLProtocol and SSLCipherSuite directives in my ssl.conf are stored in a default container labeled as <VirtualHost _default_:443>
.
我的实际站点有一个自己的容器,上面标有IP地址,例如:<VirtualHost 64.34.119.12:443>
.更改_default_
容器中的值没有任何影响,但是将更强大的SSLProtocol和SSLCipherSuite指令直接添加到特定于站点的VirtualHost容器中最终使它们生效.
My actual site has it's own container labeled with it's IP address eg: <VirtualHost 64.34.119.12:443>
. Changing the values in the _default_
container had no affect but adding the stronger SSLProtocol and SSLCipherSuite directives directly to the site specific VirtualHost container finally allowed them to take effect.
仍然不确定为什么调整_default_
容器或将它们放入httpd.conf中的VirtualHost容器中不起作用.
Still not sure why adjusting the _default_
container or having them in the VirtualHost container in httpd.conf didn't work.
作为对该问题的明确答案,我使用了...
As a definitive answer to the question, I used...
SSLCipherSuite ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:!MEDIUM:RC4+RSA:+HIGH
通过我的ScanAlert扫描.我敢打赌,上面的其他大多数字符串也可以正常工作.
to pass my ScanAlert scan. I would bet that most of the other strings above would work as well.
这篇关于请提供将通过PCI合规性扫描的Apache SSLCipherSuite的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!