
Strengthening SSL Services on Your Web Server (Apache/Linux): 3 Steps

This is a very short tutorial concerned with one aspect of cyber security - the strength of the SSL service on your web server. The background is that SSL services on your web site are used to ensure that nobody can steal data that is being transmitted to and from your web site. There have been well-publicized attacks on vulnerable SSL services, such as the Heartbleed bug in OpenSSL and the Poodle bug, which exploited SSL 3.0 vulnerabilities. (This area is a moving target, so you need to build SSL testing into your ISO 27001 plan-do-check-act (PDCA) cycle.)

When SSL has been installed on your web site using a certificate from a recognised provider, you will see that your website can be accessed from https://yourdomain.com. This means that data is transmitted back and forth in encrypted format. In contrast, http://yourdomain.com or weak encryption exposes transmitted data in clear text, which means that even a kiddy hacker can access your password data etc. using readily available tools such as Wireshark.

For the rest of this tutorial, I assume that you will be using Apache as your web server on Linux and that you have access to your web server through a terminal emulator such as PuTTY. For simplicity, I am also going to assume that your ISP has provided your SSL certificate and that you have the ability to reconfigure some aspects of it.

Step 1: Testing the Strength of Your SSL Service


Simply go to https://www.ssllabs.com/ssltest/, enter your domain name in the Hostname box, select the "Do not show the results on the boards" checkbox and click the submit button. (Please note that you should not test any domain without prior permission and you should never show results on the boards.)

After the tests have been run, you will be assigned a score from F to A+. You will also be given detailed test results, which hopefully make it obvious to you why you have been given your assigned score.

The usual reason for failing is that you are using out-of-date components such as ciphers or protocols. I will focus on ciphers soon, but first a quick word about cryptographic protocols.

Cryptographic protocols provide communications security over a computer network. … The connection is private (or secure) because symmetric cryptography is used to encrypt the data transmitted. The two main protocols are TLS and SSL. The latter is prohibited from use and, in turn, TLS is evolving, so as I write this the latest version is 1.3, albeit in draft format. In practical terms, as at January 2018, you should only have TLS v1.2 enabled. There will probably be a move to TLS v1.3 during 2018. The Qualys test will list which cryptographic protocols you have enabled and, currently, if you are using anything below TLS v1.2, you will receive a poor score.

One last thing to say about cryptographic protocols: when you buy a web package and SSL certificate from a mainstream ISP such as GoDaddy, it will be TLS v1.2, which is good, but further down the line you may find it difficult to upgrade to, say, TLS v1.3. Personally, I install my own SSL certificates and I am therefore in control of my own destiny, so to speak.
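To check locally what the Qualys protocol listing will show, the added example below (not part of the original tutorial) evaluates the value of mod_ssl's SSLProtocol directive, which the tutorial does not name, and reports whether anything older than TLS 1.2 stays enabled. The function names are hypothetical, and the expansion of "all" is an assumption because it depends on the Apache and OpenSSL build.

```shell
#!/bin/sh
# Added example: evaluate an Apache "SSLProtocol" value the way mod_ssl reads
# it (left to right; +NAME adds, -NAME removes, a bare NAME replaces the set).
# Assumption: "all" = SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 (build dependent).
ALL_PROTOCOLS="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

# Print the protocols left enabled by the directive value given in $1.
enabled_protocols() {
    printf '%s\n' "$1" | awk -v all="$ALL_PROTOCOLS" '
    {
        n = split(all, order, " ")
        for (i = 1; i <= NF; i++) {
            tok = $i; act = substr(tok, 1, 1)
            if (act == "+" || act == "-") tok = substr(tok, 2); else act = "="
            # A bare name (no +/-) discards whatever was enabled before it.
            if (act == "=") for (j = 1; j <= n; j++) on[order[j]] = 0
            for (j = 1; j <= n; j++)
                if (tolower(tok) == "all" || tolower(tok) == tolower(order[j]))
                    on[order[j]] = (act != "-")
        }
        out = ""
        for (j = 1; j <= n; j++)
            if (on[order[j]]) out = (out == "" ? order[j] : out " " order[j])
        print out
    }'
}

# Return 0 only if nothing older than TLS 1.2 is enabled.
meets_tls12_minimum() {
    case " $(enabled_protocols "$1") " in
        *" SSLv3 "*|*" TLSv1 "*|*" TLSv1.1 "*) return 1 ;;
    esac
    return 0
}

# Stand-alone run over constructed directive values.
for v in "all -SSLv3" "all -SSLv3 -TLSv1 -TLSv1.1" "TLSv1.2"; do
    if meets_tls12_minimum "$v"; then verdict="ok"; else verdict="older protocol enabled"; fi
    echo "SSLProtocol $v -> $(enabled_protocols "$v") [$verdict]"
done
```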

Step 2: Reconfiguring Apache to Make SSL Changes


One of the important areas tested in the Qualys SSL test, and the focus of this section, is cipher suites, which determine the encryption strength of your transmitted data. Here is an example output from a Qualys SSL test on one of my domains.

Cipher Suites
# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   128

You may spend a lot of time reconfiguring Apache to remove red lines (fails) from your Qualys test report, but I recommend the following approach to get the best cipher suite settings.

1) Visit the Apache web site and get their recommendations for a cipher suite to use. At the time of writing, I followed this link -

2) Add the recommended setting to your Apache configuration file and restart Apache. This is their recommended setting which I used.

SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

Notes - One of the challenges is finding which file holds the SSLCipherSuite directive you need to change. To do this, log on with PuTTY and change to the etc directory (cd /etc). Look for an Apache directory such as apache2 or http. Next, search the Apache directory as follows: grep -r "SSLCipherSuite" /etc/apache2 - This will give you an output similar to this:

/etc/apache2/mods-available/ssl.conf:#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4:!DES
/etc/apache2/mods-available/ssl.conf: #SSLCipherSuite HIGH:!aNULL:MD5:!RC4:!DES
/etc/apache2/mods-available/ssl.conf:#SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

The important thing to note is the file /etc/apache2/mods-available/ssl.conf, or whatever the equivalent is on your system. Open the file using an editor such as nano and go to the section # SSL Cipher Suite:. Next, replace the existing entry in the SSLCipherSuite directive with the one above from the Apache website. Remember to comment out the older SSLCipherSuite directives and restart Apache - in my case, I did this by typing sudo /etc/init.d/apache2 restart

Note that sometimes you may need to remove specific ciphers that are giving you a low Qualys SSL test score (say, because new vulnerabilities have been discovered) even though you have used the recommended Apache settings. An example is if the following line appears in red (fail) on your Qualys report:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)

The first step is to find which code you need to change in your Apache SSLCipherSuite directive. To find the code, go to https://www.openssl.org/docs/man1.0.2/apps/ciphers… - this shows the code as follows:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDHE-RSA-AES256-GCM-SHA384

Take ECDHE-RSA-AES256-GCM-SHA384, remove it from the entry you added as the Apache SSLCipherSuite directive, and then add it to the end, preceded by :!

Again, restart Apache and retest.
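The edit described above, as an added example that is not part of the original tutorial: one shell function reads the active (uncommented) SSLCipherSuite value from a config file, and another moves a cipher to the end of the list with the :! prefix. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: helpers for the SSLCipherSuite edit. Function names and the
# sample file content are constructed; only the directive name is Apache's.

# Constructed sample resembling an ssl.conf with an old directive commented out.
sample_conf() {
cat <<'EOF'
<IfModule mod_ssl.c>
    #   SSL Cipher Suite:
    #SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4:!DES
    SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384
</IfModule>
EOF
}

# Value of the last uncommented SSLCipherSuite directive in file $1.
# "#SSLCipherSuite ..." lines never match: their first field starts with "#".
# Assumes the one-argument form "SSLCipherSuite <cipher-spec>".
active_cipher_suite() {
    awk 'tolower($1) == "sslciphersuite" { v = $2 } END { if (v != "") print v }' "$1"
}

# Drop cipher $2 from colon-separated list $1 and append it as ":!NAME",
# which makes OpenSSL exclude that cipher permanently.
disable_cipher() {
    printf '%s\n' "$1" | tr ':' '\n' | awk -v c="$2" '
        $0 != "" && $0 != c && $0 != ("!" c) { out = (out == "" ? $0 : out ":" $0) }
        END { if (out != "") out = out ":"; print out "!" c }'
}

# Stand-alone run: before/after value for the tutorial's example cipher.
conf=$(mktemp)
sample_conf > "$conf"
current=$(active_cipher_suite "$conf")
echo "current: $current"
echo "updated: $(disable_cipher "$current" ECDHE-RSA-AES256-GCM-SHA384)"
rm -f "$conf"
```

Running openssl ciphers -V with the updated string lists the suites it expands to, with their hex codes, under the local OpenSSL build, which can be compared with the Qualys report before restarting Apache.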

Step 3: Conclusion

I hope that you have learned something about SSL testing. There is a lot more to learn about this but, hopefully, I have pointed you in the right direction. In my next tutorials, I will be covering other areas of cyber security, so stay tuned.
