SSL Version 3 and 2 and TLS Version 1.1 and TLS Version 1.0 Protocol Detection

最新推荐文章于 2025-03-21 16:07:26 发布
最新推荐文章于 2025-03-21 16:07:26 发布
阅读量8.6k 收藏 7
点赞数 1
文章标签: windows ssl 网络安全
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_40133285/article/details/124425466
版权

SSL Version 2 and 3 Protocol Detection and TLS Version 1.1 Protocol Deprecated and TLS Version 1.0 Protocol Detection

操作系统版本:Windows Server 2012 R2

前言:若原有使用TLS1.2版本,则注册表修改后即可生效,若原有未使用TLS1.2版本但封禁了可使用的SSL/TLS版本,则会导致SSL/TLS连接无法建立,重启后方生效。

SSL Version 2 and 3 Protocol Detection

Description
The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0. These versions of SSL are affected by several cryptographic flaws, including:

-An insecure padding scheme with CBC ciphers.
-Insecure session renegotiation and resumption schemes.

An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected service and clients.

Although SSL/TLS has a secure means for choosing the highest supported version of the protocol (so that these versions will be used only if the client or server support nothing better), many web browsers implement this in an unsafe way that allows an attacker to downgrade a connection (such as in POODLE). Therefore, it is recommended that these protocols be disabled entirely.

NIST has determined that SSL 3.0 is no longer acceptable for secure communications. As of the date of enforcement found in PCI DSS v3.1, any version of SSL will not meet the PCI SSC’s definition of ‘strong cryptography’.

Solution
Consult the application’s documentation to disable SSL 2.0 and 3.0.
Use TLS 1.2 (with approved cipher suites) or higher instead.

See Also
https://www.schneier.com/academic/paperfiles/paper-ssl.pdf
http://www.nessus.org/u?b06c7e95
http://www.nessus.org/u?247c4540
https://www.openssl.org/~bodo/ssl-poodle.pdf
http://www.nessus.org/u?5d15ba70
https://www.imperialviolet.org/2014/10/14/poodle.html
https://tools.ietf.org/html/rfc7507
https://tools.ietf.org/html/rfc7568

Output

- SSLv3 is enabled and the server supports at least one cipher.
Explanation: TLS 1.0 and SSL 3.0 cipher suites may be used with SSLv3

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name                          Code             KEX           Auth     Encryption             MAC
----------------------        ----------       ---           ----     ---------------------  ---
EDH-DSS-DES-CBC3-SHA                           DH            DSS      3DES-CBC(168)          SHA1

High Strength Ciphers (>= 112-bit key)

Name                          Code             KEX           Auth     Encryption             MAC
----------------------        ----------       ---           ----     ---------------------  ---
DHE-DSS-AES128-SHA                             DH            DSS      AES-CBC(128)           SHA1

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

Risk Information
Risk Factor: Critical
CVSS v3.0 Base Score 9.8
CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2.0 Base Score: 10.0
CVSS v2.0 Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

解释说明

启用了SSL 3.0、SSL 2.0,需要在启用TLSv1.2或TLSv1.3情况下,禁用SSL 3.2、SSL 2.0,当然了,需要启用和禁用的SSL/TLS版本随时间变化。

TLS Version 1.1 Protocol Deprecated

Description
The remote service accepts connections encrypted using TLS 1.1. TLS 1.1 lacks support for current and recommended cipher suites. Ciphers that support encryption before MAC computation, and authenticated encryption modes such as GCM cannot be used with TLS 1.1

As of March 31, 2020, Endpoints that are not enabled for TLS 1.2 and higher will no longer function properly with major web browsers and major vendors.

Solution
Enable support for TLS 1.2 and/or 1.3, and disable support for TLS 1.1.

See Also
https://datatracker.ietf.org/doc/html/rfc8996
http://www.nessus.org/u?c8ae820d

Output

TLSv1.1 is enabled and the server supports at least one cipher.

解释说明

启用了TLSv1.1,需要在启用TLSv1.2或TLSv1.3情况下,禁用TLSv1.1,当然了,需要启用和禁用的SSL/TLS版本随时间变化。

TLS Version 1.0 Protocol Detection

Description
The remote service accepts connections encrypted using TLS 1.0. TLS 1.0 has a number of cryptographic design flaws. Modern implementations of TLS 1.0 mitigate these problems, but newer versions of TLS like 1.2 and 1.3 are designed against these flaws and should be used whenever possible.

As of March 31, 2020, Endpoints that aren’t enabled for TLS 1.2 and higher will no longer function properly with major web browsers and major vendors.

PCI DSS v3.2 requires that TLS 1.0 be disabled entirely by June 30, 2018, except for POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits.

Solution
Enable support for TLS 1.2 and 1.3, and disable support for TLS 1.0.

See Also
https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-00

Output

TLSv1 is enabled and the server supports at least one cipher.

Risk Information

Risk Factor: Medium
CVSS v3.0 Base Score 6.5
CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
CVSS v2.0 Base Score: 6.1
CVSS v2.0 Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:P/A:N

Vulnerability Information

Asset Inventory: True

解释说明

启用了TLSv1,需要在启用TLSv1.2或TLSv1.3情况下,禁用TLSv1,当然了,需要启用和禁用的SSL/TLS版本随时间变化。

操作步骤

启用和禁用相应版本SSL/TLS

通过Windows+R打开运行或在Windows Terminal、Windows PowerShell中打开注册表

regedit

添加注册表项,若不存在TLS 1.1、Server等项均可创建

路径:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server
名称: Enabled
类型: REG_DWORD
值:1

路径:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
名称: Enabled
类型: REG_DWORD
值:1

路径:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
名称: Enabled
类型: REG_DWORD
值:0

路径:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
名称: Enabled
类型: REG_DWORD
值:0

路径:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
名称: Enabled
类型: REG_DWORD
值:0

路径:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
名称: Enabled
类型: REG_DWORD
值:0

在这里插入图片描述

验证

因SSL/TLS连接为客户端/服务端协商建立,可通过nmap或Nessus再次扫描验证是否未出现TLS Version 1.0 Protocol Detection、TLS Version 1.1 Protocol Deprecated

参考文档:
https://docs.citrix.com/zh-cn/provisioning/current-release/advanced-concepts/limit-sql-secure-connections.html

网络_第六篇:SSL/TLS基础知识
毛毛的专栏
05-10 4778
一、SSL/TLS介绍 什么是SSL,什么是TLS呢?官话说SSL是安全套接层(secure sockets layer),TLSSSL的继任者,叫传输层安全(transport layer security)。说白点,就是在明文的上层和TCP层之间加上一层加密,这样就保证上层信息传输的安全。如HTTP协议是明文传输,加上SSL层之后,就有了雅称HTTPS。它存在的唯一目的就是保证上层通讯安全的一套机制。它的发展依次经历了下面几个时期,像手机软件升级一样,每次更新都添加或去除功能,比如引进新的加密算法,修
Windows漏洞修复-SSL Medium Strength Cipher Suites Supporte(SWEET32)
qq_37802488的博客
02-18 1671
在当今的网络环境下,这种中等强度的加密已经不足以抵御强大的攻击手段。虽然在现代的实现中,部分问题得到了一定程度的缓解,但相比 TLS 1.2TLS 1.3 等新版本,它在安全性和性能方面都存在明显的不足。现场用Nessus扫描发现了Windows 3389远程端口存在三个漏洞,分别是TLS 1.0检测、中等严重性的TLS 1.1已弃用协议,以及SSL中强度密码套件支持的问题(SWEET32漏洞)启用SSL密码加密套件顺序,修改ssl密码加密套件,删除原有的所有密码套件,然后添加以下高强度的密码套件。
rfc2246.The_TLS_Protocol_Version_1.0
01-12
rfc2246.The_TLS_Protocol_Version_1.0 TLS SSL协议 RFC文档
TLS Version 1.0 Protocol Detection 漏洞修复
小小关的博客
08-26 3213
用nessus 扫描服务器发现如下漏洞,端口服务是nginx提供:漏洞修复:配置nginx server 下添加如下内容:
启用 TLS 1.2 和/或 1.3 支持,禁用 TLS 1.1 支持。
weixin_45777354的博客
03-21 393
Windows2016漏扫出问题,需要禁用TLS 1.1以下的版本,我用一个软件IISCrypto.exe修改的,网上有很多方法,但是这个是最方便快捷的,生产测试可用。
SSL Version 2 and 3 Protocol Detection漏洞修复
weixin_45504270的博客
12-18 689
IIS Crypto 是一个免费工具,使管理员能够在 Windows Server 2008,20122016 和 2019 上启用或禁用协议,密码,哈希和密钥交换算法。它还允许您重新排序 IIS 提供的 SSL / TLS 密码套件,更改高级设置,只需单击即可实施最佳实践,创建自定义模板并测试您的网站。IIS Crypto 工具网址:https://www.nartac.com/Products/IISCrypto/使用这个工具,设置简单方便,功能也多,懒人必备啊。使用 IIS Crypto 工具。
Windows服務器&Nginx&Apache禁用TLSv1.0
par@ish的博客
05-09 6093
传输层安全协议(Transport Layer Security,TLS):TLS标准由互联网工程任务组(IETF)TLS工作组制定和维护。TLS在TCP/IP协议栈上运行,用于保护web流量(使用HTTPS)、文件传输、电子邮件传输和许多其他应用程序。 最为熟悉的TLS使用场景是用于保护通过超文本传输协议(HTTP)传输的web流量。在HTTPS中,建立SSL/TLS连接(通常在TCP端口443上,与不安全网站的端口80不同),然后HTTP数据通过安全连接传输。 TLS还可用于保护电子邮件传输协议(IMA
SSLScan:SSL版本检测与密码套件
xiaoWhite_meng的博客
07-13 1万+
2017-09-22 10:12 来源:黑白之道 AR 原标题:SSLScan:SSL版本检测与密码套件项目主页https://github.com/rbsec/sslscan简介sslscan是一个高效的Ç程序,它允许你检测SSL版本和加密套件(包...
Tomcat配置SSL指导
11-16
ciphers="SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_...
SSL/TLS 双向认证(二) -- 基于mosquittto的MQTT双向认证
热门推荐
ustccw
08-08 1万+
MQTT双向认证
TLS 1.0协议
weixin_30807779的博客
03-08 2242
TLS1.0 协议发布于1999年初。该协议可在Internet中提供给通信双方一条私有信道,即对通信消息进行加密。该协议主要描述了通信密钥协商的方法与通信格式的定义。分别由TLS Handshake ProtocolTLS Record Protocol两个子协议进行描述。虽然TLS1.0已经退出了历史舞台,但其最初的TLS设计核心过程并无太大变化。因此有助于理解TLS协议的执行过程。 T...
ssl漏洞检查
05-24
SSL漏洞 使用工具testssl.sh 服务 ssl 测试单个主机上的所有内容并输出到控制台 ./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U TARGET-HOST 测试单个主机上的所有内容并输出到HTML ./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U TARGET-HOST | aha> OUTPUT-FILE.html 测试子网上的所有主机并输出到HTML ./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U 192.168.1.0/24 | aha> OUTPUT-FILE.html 与上述相同,但只列举每个服务器支持的密码类型: ./testssl.sh -E 192.168.1.0/24 | aha> OUTPUT-FILE.html Ssl证书过期 查看证书过期时间 SWEET32(CVE-2016-2183./testssl.sh --ciphers TARGET DROWN(CVE-2016-0800./testssl.sh -D TARGET FREAK(CVE-2015-0204) ./testssl -F TARGET Logjam(CVE-2015-4000./testssl.sh -J TARGET Heartbleed(CVE-2014-0160./testssl.sh -B 10.0.1.159 POODLE SSLv3(CVE-2014-3566) ./testssl.sh -O 10.0.1.159 CCS注入漏洞(CVE-2014-0224) ./testssl.sh -I TARGET POODLE TLS(CVE-2014-8730./testssl.sh -O 10.0.1.159 BREACH(CVE-2013-3587) ./testssl.sh -T TARGET RC4 CVE-2013-2566 ./testssl.sh -E TARGET Renegotiation(CVE-2009-3555) ./testssl.sh -R 10.0.1.159
宝塔禁用TLS1.0或者1.1
qq_39517116的博客
07-22 6353
禁用TLS1.0的原因是需要修复漏洞TLS Version 1.0 Protocol Detection 漏洞名称:TLS Version 1.0 Protocol Detection TLS版本1.0协议检测 漏洞描述:远程服务接受使用TLS 1.0加密的连接。TLS 1.0存在加密设计缺陷。更新版本的TLS(如1.11.2)是针对这些缺陷而设计的,应尽可能使用。PCI DSS v3.2要求在2018年6月30日之后完全禁用TLS 1.0,但POS POI终端(以及它们连接的SSL / TLS..
放弃使用sslv2,sslv3协议,请使用tlsv1.2tlsv1.1版本
学海无涯
03-07 1万+
推荐一个网站测试自己网站的https的安全性: https://myssl.com。比如测试下面的网站如下: 评级只有5,myssl给的理由为:服务器易受到POODLE漏洞攻击,降级为5。POODLE漏洞为使用了不安全的sslv2sslv3协议导致, 将协议去掉了,评级还是为5。后面测试原来是由于该服务器的其他站点仍支持sslv2sslv3导致。于是去掉sslv2sslv3协议的支持后: ...
It was possible to detect the usage of the deprecated TLSv1.0 and/or TLSv1.1 protocol on this system
程序员大佬超的博客
12-13 1425
禁用已弃用的TLSv1.0和/或TLSv1.1协议,以支持TLSv1.2+协议。
# HTTP2, HTTP3SSL/TLS:网络协议简单了解
weixin_54104864的博客
08-08 1073
在现代web开发中,了解HTTP协议的最新版本以及它们与SSL/TLS的关系至关重要。本文将深入探讨HTTP2、HTTP3以及它们与SSL/TLS的交互,帮助您理解这些技术的异同及其对web性能的影响。
Golang中TLS版本设置
遇见你是我最美丽的意外
01-22 4104
Golang中TLS版本设置 文章目录Golang中TLS版本设置1. Go源码中的TLS2. https服务端修改TLS支持版本3. 抓包验证 1. Go源码中的TLS 最近在看Go源码中的http框架和tls实现框架实现,go中的TLS实现了TLS1.0, TLS1.1, TLS1.2, TLS1.3 四个版本,还有SSL3.0版本, 不过代码中已经明确说明不再支持SSL3.0版本。 const ( VersionTLS10 = 0x0301 VersionTLS11 = 0x0302 Ver
SSL/TLS协议漏洞 影响TLS协议1.0SSL所有版本
weixin_33862041的博客
09-24 3056
9月21日布宜诺斯艾利斯举行的Ekoparty安全会议上,安全研究人员Thai Duong和Juliano Rizzo将演示针对SSL/TLS的概念验证攻击。 研究人员在SSL/TLS协议中发现了严重弱点,能让黑客悄悄破译Web服务器和终端用户浏览器之间传输的加密数据。 弱点主要影响TLS协议1.0版及SSL所有版本,TLS 1.1/1.2未受影响。TLSSSL的继任者,TLS 1.0相当于...
SSL V3.0协议(一)
CR7的专栏
12-16 4229
翻译自RFC6101 第五节 SSL协议 SSL是一个分层的协议,每层封包可能包括了长度、描述以及内容字段。SSL接受要传输的信息,并将这些信息(或者其压缩的结果,这是可选的)分片为可管理的块,然后添加MAC(message authenticate code,信息认证码)并加密,最后把封装好的信息传输出去。接收数据是通过解密、身份认证、解压缩、重组最后把结果丢给更高层客户端进一步处理
oracle hostkey
最新发布
04-03
### Oracle Database Host Key Configuration and Error Solutions The `ORACLE_HOME` environment variable is a critical component of the Oracle Database installation process, as it specifies the directory where the Oracle software resides. In this case, the ORACLE_HOME has been set to `/u01/app/oracle/product/10.2.0/db_1`[^1]. The concept of a **Host Key** in an Oracle context typically refers to configurations related to network security or specific settings that identify hosts within the Oracle ecosystem. #### Understanding Host Key Configurations In some cases, particularly when dealing with Oracle Net Services (formerly known as SQL*Net), there may be references to host keys for secure communication between clients and servers. These are often managed through files such as: - **tnsnames.ora**: This file contains definitions for net service names used by client applications. - **sqlnet.ora**: This file includes parameters controlling how connections are established and secured, including encryption methods and authentication mechanisms. For example, if you want to configure advanced security options like SSL/TLS using certificates, the following parameter might appear in your sqlnet.ora file: ```plaintext SQLNET.AUTHENTICATION_SERVICES= (TCPS) SSL_CLIENT_AUTHENTICATION = TRUE WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /path/to/wallet/directory))) ``` This setup ensures only authenticated users from trusted hosts can access the database server based on certificate validation rules defined inside wallets located at specified directories[^2]. #### Common Errors Related to Host Keys One common issue involves mismatched versions of libraries required during runtime due to incorrect paths being referenced under different environments after upgrading systems without adjusting all necessary variables accordingly. For instance, attempting to start up services while having outdated binaries linked could result in errors similar to these messages below but not limited strictly speaking about &#39;hostkeys&#39;: - "ORA-28759: failure to open file" - "TNS-12541: No listener" To resolve potential issues arising out of misconfigurations around networking components involving hostname resolution attempts made either locally via loopback addresses (`localhost`) versus external fully qualified domain names(FQDNs): 1. Verify contents listed both under `$ORACLE_HOME/network/admin/listener.ora` alongside any customizations applied towards global naming conventions applicable across multiple instances running simultaneously side-by-side sharing same physical hardware resources yet logically separated per application requirements; Example Listener Entry: ```plaintext LISTENER = (DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = myhostname.example.com)(PORT = 1521)) ) ) SID_LIST_LISTENER = (SID_LIST = (SID_DESC = (GLOBAL_DBNAME = testdb.mydomain) (ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1) (SID_NAME = TESTDB) ) ) ``` 2. Confirm proper functioning DNS lookups performed consistently regardless location accessed whether internally behind firewalls protected corporate intranets compared against public internet exposed endpoints requiring additional layers protection implemented correctly throughout entire architecture stack involved serving requests end-users ultimately consume interacting directly databases themselves indirectly web portals acting intermediaries front-ending raw data stores underneath powering business logic operations daily basis enterprise scale deployments worldwide today modern age digital transformation initiatives driving competitive advantage organizations seek achieve sustainable growth long term success marketspace ever evolving rapidly changing landscape technology innovation continues accelerate unprecedented rates seen previous decades combined together single generation lifetime experience witnessed firsthand participants actively contributing field computer science information management overall discipline encompassing vast array subfields specialties ranging artificial intelligence machine learning deep neural networks natural language processing robotics automation control theory optimization algorithms combinatorial mathematics graph theory probability statistics signal processing image recognition speech synthesis virtual reality augmented reality mixed reality extended reality spatial computing quantum computing blockchain distributed ledger technologies edge computing fog computing cloud native architectures microservices containerization orchestration continuous integration delivery deployment pipelines DevOps SRE practices agile methodologies lean startup principles design thinking human centered approaches user experience research usability testing accessibility standards compliance regulations governance risk mitigation cybersecurity privacy preservation ethical considerations societal impacts environmental sustainability green IT energy efficiency carbon footprint reduction circular economy resource conservation waste minimization recycling reuse repurposing second life extension product lifecycle management supply chain logistics inventory tracking asset maintenance predictive analytics condition monitoring fault detection isolation recovery resilience fault tolerance high availability disaster recovery backup restoration archival retention policies version control branching merging conflict resolution collaboration coordination teamwork leadership mentorship coaching professional development career advancement lifelong learning knowledge transfer intellectual property rights patents trademarks copyrights trade secrets confidentiality agreements non-disclosure obligations contractual commitments legal frameworks regulatory frameworks policy frameworks framework frameworks frameworks... ---
评论 2
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值