1.openssl升级,这是必须的
2.在conf/httpd.conf里,增加配置:
# "Modern" configuration, defined by the Mozilla Foundation's SSL Configuration
# Generator as of August 2016. This tool is available at
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# Many ciphers defined here require a modern version (1.0.1+) of OpenSSL. Some
# require OpenSSL 1.1.0, which as of this writing was in pre-release.
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
并重启http server
3.验证漏洞是否已经修复的方式:
nmap -sV -p [端口] --script ssl-enum-ciphers [ip]
输出的结果里,不再包含DES等弱加密方式。
参考链接:
https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html
禁用3DES和DES弱加密算法,保证SSL证书安全_就是洒家呀的博客-CSDN博客_apache服务器禁止使用des加密算法