ВСЕГДА НОВОЙ В UBUNTU, извините, если это глупый вопрос.
Меня попросили прекратить поддерживать шифры TLS1.0. Погуглил и обнаружил, что добавление строки ниже в ssl.conf может удалить TLS1.0 из httpd:
SSLProtocol all -TLSv1
На kali linux есть «sslscan», который я использую для сканирования ip с портом 443 для перечислите поддерживаемые шифры по этому ip.
Теперь, перед удалением шифра TLS1.0, SSLSCAN работал должным образом и давал правильные результаты, как показано ниже:
TLS renegotiation:
Session renegotiation not supported
TLS Compression:
Compression disabled
Heartbleed:
TLS 1.0 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.2 not vulnerable to heartbleed
Supported Server Cipher(s):
Accepted TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.0 256 bits DHE-RSA-AES256-SHA DHE 1024 bits
Accepted TLSv1.0 256 bits AES256-SHA
Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
Accepted TLSv1.0 128 bits DHE-RSA-AES128-SHA DHE 1024 bits
Accepted TLSv1.0 128 bits AES128-SHA
Accepted TLSv1.0 112 bits ECDHE-RSA-DES-CBC3-SHA Curve P-256 DHE 256
Accepted TLSv1.0 112 bits EDH-RSA-DES-CBC3-SHA DHE 1024 bits
Accepted TLSv1.0 112 bits DES-CBC3-SHA
Accepted TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.1 256 bits DHE-RSA-AES256-SHA DHE 1024 bits
Accepted TLSv1.1 256 bits AES256-SHA
Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
Accepted TLSv1.1 128 bits DHE-RSA-AES128-SHA DHE 1024 bits
Accepted TLSv1.1 128 bits AES128-SHA
Accepted TLSv1.1 112 bits ECDHE-RSA-DES-CBC3-SHA Curve P-256 DHE 256
Accepted TLSv1.1 112 bits EDH-RSA-DES-CBC3-SHA DHE 1024 bits
Accepted TLSv1.1 112 bits DES-CBC3-SHA
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA DHE 1024 bits
Accepted TLSv1.2 256 bits AES256-SHA
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA DHE 1024 bits
Accepted TLSv1.2 128 bits AES128-SHA
Accepted TLSv1.2 112 bits ECDHE-RSA-DES-CBC3-SHA Curve P-256 DHE 256
Accepted TLSv1.2 112 bits EDH-RSA-DES-CBC3-SHA DHE 1024 bits
Accepted TLSv1.2 112 bits DES-CBC3-SHA
Preferred Server Cipher(s):
TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
SSL Certificate:
"SSL Certificate details , I think is confidential to my organization so not sharing it"
После УДАЛЕНИЯ TLS1.0 ШИФРОВ SSLSCAN приведены ниже:
TLS renegotiation:
Session renegotiation not supported
TLS Compression:
Compression disabled
Heartbleed:
TLS 1.0 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.2 not vulnerable to heartbleed
Supported Server Cipher(s):
Accepted TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.1 256 bits DHE-RSA-AES256-SHA DHE 2048 bits
Accepted TLSv1.1 256 bits AES256-SHA
Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
Accepted TLSv1.1 128 bits DHE-RSA-AES128-SHA DHE 2048 bits
Accepted TLSv1.1 128 bits AES128-SHA
Accepted TLSv1.1 112 bits ECDHE-RSA-DES-CBC3-SHA Curve P-256 DHE 256
Accepted TLSv1.1 112 bits EDH-RSA-DES-CBC3-SHA DHE 2048 bits
Accepted TLSv1.1 112 bits DES-CBC3-SHA
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA DHE 2048 bits
Accepted TLSv1.2 256 bits AES256-SHA
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA DHE 2048 bits
Accepted TLSv1.2 128 bits AES128-SHA
Accepted TLSv1.2 112 bits ECDHE-RSA-DES-CBC3-SHA Curve P-256 DHE 256
Accepted TLSv1.2 112 bits EDH-RSA-DES-CBC3-SHA DHE 2048 bits
Accepted TLSv1.2 112 bits DES-CBC3-SHA
Preferred Server Cipher(s):
TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Failed to connect to get certificate.
Почему после удаления шифров TLS1.0 sslscan не может подключиться для получения сертификатов? Я неправильно удаляю TLS1.0? Если да, как правильно отключить / удалить шифры TLS1.0? Или это нормально? Использует ли sslscan только TLS1.0 для сканирования ip с портом 443, который я отключил, т. Е. У него не получается получить сертификат?
Кроме того, дайте мне знать, если этот вопрос здесь не по теме, потому что я использую Кали для sslscan.