APACHE的SSL增强认证设置(BEAST),满足于PCI Compliance

公司作PCI Compliance时,涉及一系列安全改进。

我就SSL的BEAST攻击作了安全增强,只允许RC4级的安全认证协议,而非常规默认的CBC MODE。

~~~~~~~~~~

简介如下:

 

Approximately one year ago Juliano Rizzo and Thai Duong (the so-called BEASTie Boys) discovered a way to break SSL Encryption by mean of their BEAST attack (Browser Exploit Against SSL/TLS).

Their attack exploited a design flaw of the SSL/TLS 1.0 protocols (or better of the CBC cipher-suites, such as AES and 3DES), allowing to decrypt an encrypted conversation by sniffing the traffic and injecting a known pattern in the encryption channel. At that time the research had a considerable impact, given the wide usage of SSL/TLS in millions of websites providing secure online services.

As TLS 1.2 was not vulnerable, it was told, when possible, to migrate to this version of the protocol, but since its adoption is still far from being common, it was suggested, as Google did, to use a cipher not involving CBC mode, as for instance RC4.

After one year, at the Ekoparty Conference in Argentina, the two researchers are going to unveil a new attack against SSL/TLS dubbed CRIME. Few details are currently available: the two researchers are not revealing exactly which feature of SSL/TLS is responsible for the CRIME Attack (except that the specific feature used in this attack has not been a major subject of security research until now). In any case the new attack works much like the BEAST attack: once they have a man-in-the-middle position on a given network, they can sniff HTTPS traffic and launch the attack.

The bad news is that all versions of TLS (including 1.2) are vulnerable, and is not dependant on the cipher-suite adopted. Furthermore, according to the few information available, the exploits uses JavaScript code to make the attack faster, but in theory it could work also with static HTML, by loading JavaScript into the victim’s browser from a separate site.

The good news is that, although both Mozilla Firefox and Google Chrome are vulnerable to the attack. the browser vendors have developed patches for the issue that will be released in the next few weeks.

~~~~~~~~~~

设置很简单,就在APACHE的SSL模块设置里增加以下语句:

 

SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH

参考文档:

 

http://httpd.apache.org/docs/current/ssl/ssl_howto.html

http://serverfault.com/questions/415112/fixing-beast-vulnerability-on-apache-2-0-running-on-rhel-4

https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls

时间: 2024-10-29 06:08:36

APACHE的SSL增强认证设置(BEAST),满足于PCI Compliance的相关文章

Apache、SSL、MySQL和PHP平滑无缝地安装_服务器

为了这个任务所需的工具是:  Apache-一个网站服务器  Mod_SSL-一个安全套接字层(SSL)的模块  OpenSSL-开放源代码工具箱(mod_ssl所需)  RSARef-仅对美国用户  MySQL-一个数据库服务器  PHP-一种脚本语言  "条条大路通罗马"--因此这只是很多能达到我们要求的配置之一.我选择这样的配置,是因为它是最简单和最快的一种.选择Mod_SSL/OpenSSL的原因是因为我有它的先前经验,是最快配置和最容易安装的一种.为了彼此方便地与Apache

Java实现SSL双向认证的方法_java

本文实例讲述了Java实现SSL双向认证的方法.分享给大家供大家参考,具体如下: 我们常见的SSL验证较多的只是验证我们的服务器是否是真实正确的,当然如果你访问的URL压根就错了,那谁也没有办法.这个就是所谓的SSL单向认证. 但是实际中,我们有可能还会验证客户端是否符合要求,也就是给我们每个用户颁发一个证书,比且每个数字证书都是唯一的,不公开的.这样就能通过这个数字证书保证当前访问我服务器的这个用户是经过服务器认可的,其他人不可访问. 双向认证 从第一个层面上 确保了服务器 与客户端 都是互相

weblogic ssl-weblogic SSL的认证问题

问题描述 weblogic SSL的认证问题 设置成Client Certs Not Requested时,浏览器https可以正常访问服务器应用:设置成Client Certs Requested But Not Enforced时,部分机子浏览器再访问服务器应用会报内部内部服务错误500,部分机子浏览器没报,后台日志Servlet failed with Excption java.lang.ArrayIndexOutOfBoundExcption:Array index out of ra

linux企业服务器配置方案:为Apache增加SSL安全保护

& 5.1 简介 Netscape公司提出的安全套接层(Secure Sockets Layer)的概念,简称SSL.顾名思义,这是一个建立在Socket层的安全协议,它屏蔽了高层协议如telnet.ftp.http的区别,把安全建立在了传输之上.目前该协议以被广泛采纳,它所定义的很多功能都成了下一代IP协议IPV6的一部分. & 5.2 所需资源 &1.2.1 所需包 1. Apache 1.3.19.tar.gz 下载网址: http://www.tux.org/pub/net

教您快速配置Apache+Tomcat+SSL

运行环境:Windows2003 Server SP4 + J2SDK1.5.0 + Apache2.0.54 + Tomcat5.5.9 准备软件: 1.安装 Apache 2.0.54 2.Tomcat 5.5.14 3.Jk2连接器(mod_jk2.so) 一.配置Apache和tomcat Apache安装在d:/Apache2 下,监听端口 80: Tomcat在D:/Tomcat51 下,监听端口 8080: 两者都以windows 2000服务进行安装. 将mod_jk2.so复制

缓存设置-基于Apache CXF的webservice如何设置缓存?

问题描述 基于Apache CXF的webservice如何设置缓存? 最近在用JAVA编写webservice,对性能有要求,打算先从缓存设置开始,如客户端发送请求后,服务端响应数据,如果客户端在短时间内再次发送同样的请求,则webservice不再查询数据库,而是直接从缓存中获取数据,如何能实现这一功能?

https-ActionScript3 SSL证书认证

问题描述 ActionScript3 SSL证书认证 一款APP游戏,APP客户端是AS3 编写的,服务端是TOMCAT+JAVA,通信协议Https.问题:APP关于https 证书,目前是对所有证书信任,存在安全风险.因此希望能够对证书做校验,比如通过证书的固定公钥进行匹配校验.但相关开发人员答复,AS3对Https证书认证做了封装,没办法自己实现上述功能.想确认此说法是否正确?有无解决方案?

ssl-Java SSL双向认证,证书访问控制问题

问题描述 Java SSL双向认证,证书访问控制问题 Java SSL双向认证,同一个根证书签发的不同证书,可不可以实现只让一个能访问,另一个不让访问?怎么实现?以下是我现在的配置: 客户端: 使用者: A证书 B证书 颁发者: |____RootCA |____RootCA 服务端: Server.jks,包含以下证书, 127.0.0.1证书 |____RootCA 我还需要做些什么? 求大神不吝赐教,小弟先谢过了! 解决方案 这个访问哪个是你自己控制的,比如服务端,你配置使用哪个证书,服务

ssl双向认证-关于C#实现SSL双向认证

问题描述 关于C#实现SSL双向认证 sslstream 里面怎么操作才能同时验证客户端和服务器呢 解决方案 Java实现 SSL双向认证SSL双向认证java实现ssl双向认证