(2015-09-03)
Additional SSL/TLS-related settings and security measures.
(2015-09-03)
Apparently there is some problem with RC4.
So for now I have simply made it unusable.
Note that this is an extremely quick-and-dirty job, so I cannot guarantee it.
If you want to specify things in finer detail, please google it (sweat).
File modified:
/etc/apache2/mods-available/ssl.conf (in [[管理人TK]]'s environment this is /usr/local/apache2/conf/mods-available/ssl.conf)
Change made:
56c56 < SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 --- > SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4
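Review bot: the `>` line removes RC4 but leaves everything else in HIGH:MEDIUM as it was, so verify the effective list locally with `openssl ciphers -v 'HIGH:MEDIUM:!aNULL:!MD5:!RC4'` in addition to probing the server with curl (a `!` exclusion wins wherever it sits in the string, so appending `!RC4` at the end is fine). Note also that SSLCipherSuite alone does not pin the protocol version or make the server's preference win during negotiation; those are separate directives (SSLProtocol, SSLHonorCipherOrder) that this change does not touch.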
If the following command fails with an error, the setting has taken effect (RC4 disabled), I believe.
$ curl -v --ciphers ECDHE-RSA-RC4-SHA https://tls.angelcurio.com/
or
$ curl -v --ciphers RC4 https://tls.angelcurio.com/
When RC4 has been successfully disabled:
* About to connect() to tls.angelcurio.com port 443 (#0)
*   Trying 192.168.1.20...
* connected
* Connected to tls.angelcurio.com (192.168.1.20) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
* Closing connection #0
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
For reference: when RC4 is still enabled:
* About to connect() to tls.angelcurio.com port 443 (#0)
*   Trying 192.168.1.20...
* connected
* Connected to tls.angelcurio.com (192.168.1.20) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-RC4-SHA
* Server certificate:
*   subject: OU=Domain Control Validated; OU=CoreSSL DV; CN=tls.angelcurio.com
*   start date: 2015-07-15 00:00:00 GMT
*   expire date: 2016-07-14 23:59:59 GMT
*   subjectAltName: tls.angelcurio.com matched
*   issuer: C=JP; ST=OSAKA; L=OSAKA; O=SecureCore; CN=SecureCore RSA DV CA
*   SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.26.0
> Host: tls.angelcurio.com
> Accept: */*
>
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 200 OK
< Date: Thu, 03 Sep 2015 00:56:09 GMT
< Server: Apache/2
< Last-Modified: Fri, 24 Jul 2015 05:36:25 GMT
< ETag: "164b25-29-51b98628af0f2"
< Accept-Ranges: bytes
< Content-Length: 41
< Vary: Accept-Encoding
< Content-Type: text/html
<
<html>
<body>
:-) ほげ
</body>
</html>
* Connection #0 to host tls.angelcurio.com left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
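The two curl transcripts above are the whole verification procedure: the server either aborts the handshake or prints "SSL connection using ...-RC4-...". Below is an added example, not code from this page or its author, that automates that reading. It checks an ssl.conf fragment for an active SSLCipherSuite directive containing the !RC4 token, and classifies a saved `curl -v --ciphers RC4` transcript the same way the post does by eye. The transcripts, the config fragment, and the host name example.invalid / address 192.0.2.10 are constructed placeholders, not a real server; nothing here touches the network.

```python
import re

# Constructed sample: the relevant lines of `curl -v --ciphers RC4 https://HOST/`
# when the server refuses RC4 (same shape as the "RC4 disabled" transcript above;
# example.invalid / 192.0.2.10 are placeholders, not a real target).
TRANSCRIPT_RC4_REFUSED = """\
* Connected to example.invalid (192.0.2.10) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
* Closing connection #0
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
"""

# Constructed sample: the server still accepted an RC4 suite.
TRANSCRIPT_RC4_ACCEPTED = """\
* Connected to example.invalid (192.0.2.10) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSL connection using ECDHE-RSA-RC4-SHA
* Server certificate:
< HTTP/1.1 200 OK
"""

# Constructed ssl.conf fragment: the old value left commented out, the new one indented.
SAMPLE_SSL_CONF = """\
# SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLEngine on
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4
SSLHonorCipherOrder on
"""


def ssl_cipher_suite(conf_text):
    """Return the value of the first active (uncommented) SSLCipherSuite directive, or None."""
    m = re.search(r"^\s*SSLCipherSuite\s+(\S+)", conf_text, re.MULTILINE)
    return m.group(1) if m else None


def excludes_rc4(cipher_string):
    """True when the OpenSSL-style cipher string removes RC4 with a '!RC4' token.
    A '!' exclusion wins wherever it appears in the list, so its position does not matter."""
    return "!RC4" in cipher_string.split(":")


def negotiated_cipher(transcript):
    """Cipher name curl prints as 'SSL connection using <name>', or None if none was agreed."""
    m = re.search(r"^\* SSL connection using (\S+)", transcript, re.MULTILINE)
    return m.group(1) if m else None


def handshake_failed(transcript):
    """True when curl reports that the server aborted the handshake (alert / exit code 35)."""
    return "alert handshake failure" in transcript or "curl: (35)" in transcript


def rc4_refused(transcript):
    """Classify a `curl -v --ciphers RC4 ...` run: True if the server refused RC4,
    False if it negotiated an RC4 suite. Raises if the transcript shows neither."""
    cipher = negotiated_cipher(transcript)
    if cipher is not None:
        return "RC4" not in cipher
    if handshake_failed(transcript):
        return True
    raise ValueError("transcript shows neither a negotiated cipher nor a handshake failure")


if __name__ == "__main__":
    suite = ssl_cipher_suite(SAMPLE_SSL_CONF)
    print("config:", suite, "-> !RC4 present:", excludes_rc4(suite))
    print("refused sample -> RC4 refused:", rc4_refused(TRANSCRIPT_RC4_REFUSED))
    print("accepted sample -> RC4 refused:", rc4_refused(TRANSCRIPT_RC4_ACCEPTED))
```

To use it against a real run, save the output of `curl -v --ciphers RC4 https://your-host/ 2>&1` to a file and pass its contents to rc4_refused(); a ValueError means the transcript shows something other than the two outcomes the post describes (for example a DNS or connection error), which should be looked at by hand rather than counted as a pass.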