Tomcat6/7应用服务器-禁用RC4等弱密码套件

时间:2022-04-29
本文章向大家介绍Tomcat6/7应用服务器-禁用RC4等弱密码套件,主要内容包括其使用实例、应用技巧、基本知识点总结和需要注意事项,具有一定的参考价值,需要的朋友可以参考一下。

最近更新了新版浏览器的同学是不是偶尔会遇到SSL加密协议不灵,访问不了的情况? 最典型的例子是使用FF39+访问某些网站时报错:Error code: ssl_error_weak_server_ephemeral_dh_key

或者使用IBMAppScan扫描会出现类似“检测到 RC4 密码套件”的中危漏洞。(注意不同版本的AppScan检测机制可能不同)

加固方法: 1、首先你要确保你的密钥(证书)加密长度>1023bit,因为<1023bit FF会认为不安全。自签名证书的,自己去看看怎么把key size设置为1024或大于1024。如果是CA机构签名的,就需要去CA机构申请重新签名更换证书。

2、服务器SSL设置中,要disable DHE cipher suites,要disable TLSv2 TLSv3,启用TLSv1,TLSv1.1,TLSv1.2。

3、密码套件根据Tomcat应用服务器和jdk使用。(修改confserver.xml文件配置) 3.1)如:Tomcat 6或7 + jdk6 的密码套件配置示例:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                 sslEnabledpotocols="TLSv1,TLSv1.1,TLSv1.2"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" keystoreFile="D:backupmyssl.jks" keystorePass="myPassword"  
               sslProtocol="TLS"      ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
            />

关键节点:sslEnabledpotocols、 sslProtocol

3.2)如:Tomcat 7+ jdk7 的密码套件配置示例: 请参考:https://support.comodo.com/index.php?/Knowledgebase/Article/View/659

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                 sslEnabledpotocols="TLSv1,TLSv1.1,TLSv1.2"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" keystoreFile="D:backupmyssl.jks" keystorePass="myPassword"  
               sslProtocol="TLS"                         ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSVF"
            />

随机文章
本站知识点必读
最近更新