How do I enable perfect forward secrecy by default on Apache?

Problem description

In the wake of recent events, I have been reconsidering my Apache setup. Currently, my apache site config looks something like this:

 <IfModule mod_ssl.c>
    <VirtualHost *:80>
            ServerName mydomain.com
            ServerAlias www.mydomain.com
            Redirect permanent / https://mydomain.com
    </VirtualHost>

    <VirtualHost *:443>
            ServerAdmin webmaster@localhost
            ServerName mydomain.com

            DocumentRoot /var/www-wordpress
            <Directory />
                    Options FollowSymLinks
                    AllowOverride None
            </Directory>
            <Directory /var/www-wordpress>
                    Options Indexes FollowSymLinks MultiViews
                    AllowOverride FileInfo
                    Order allow,deny
                    allow from all
            </Directory>

            ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
            <Directory "/usr/lib/cgi-bin">
                    AllowOverride None
                    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                    Order allow,deny
                    Allow from all
            </Directory>

            ErrorLog ${APACHE_LOG_DIR}/error.log
            LogLevel warn

            CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
            SSLCertificateFile    /etc/ssl/certs/mydomain.com.crt
            SSLCertificateKeyFile /etc/ssl/private/mydomain.com.key
            SSLCertificateChainFile /etc/ssl/certs/sub.class1.server.ca.pem
            <FilesMatch "\.(cgi|shtml|phtml|php)$">
                    SSLOptions +StdEnvVars
            </FilesMatch>
            <Directory /usr/lib/cgi-bin>
                    SSLOptions +StdEnvVars
            </Directory>

            BrowserMatch "MSIE [2-6]" \
                    nokeepalive ssl-unclean-shutdown \
                    downgrade-1.0 force-response-1.0
            BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
 </IfModule>

What do I have to do to support perfect forward secrecy? How can I enable SSL perfect forward secrecy by default? How could I enforce it?

Recommended answer

How about:

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5

Note the addition of the -SSLv3 flag to disable SSLv3. This is added to protect against the POODLE attack.

This will prefer perfect forward secrecy, but not at the expense of being vulnerable to the BEAST attack. Since Apache lacks a way to configure cipher preference based on protocol version, I fake it by referring to ciphers only available in the newer protocols. Specifically, AES was only available with SHA1 hashing until TLSv1.2. Thus the list starts with the TLSv1.2 ephemeral Diffie-Hellman ciphers, then RC4 (first with ephemeral DH, then without), and finally a BEAST-vulnerable AES option. Excluding no auth / weak encryption / weak hashing at the end is just for good hygiene and could be omitted since no such ciphers were introduced. If performance is a concern, use EECDH only and omit EDH.

In combination with Apache 2.2 (thus no EECDH as @Bruno says), per https://www.ssllabs.com/ssltest/analyze.html, this achieves PFS for iOS Safari only. IE and Firefox are TLSv1.0 so they get RC4 to avoid BEAST. (Alas, there is no such thing as EDH RC4, so without EECDH, you give up PFS). This is, I believe, the best one could hope for with those browsers on Apache 2.2. Chrome is the only one poorly served, since it supports TLSv1.1 and could use EDH AES without being vulnerable to BEAST. Instead, it gets RC4-RSA like Firefox and IE. Upgrading Apache to enable EECDH RC4 should get PFS for Firefox, IE, and Chrome.

Update 2013-11-09:

I've found a few alternate recommendations around the web. They put less emphasis on BEAST protection (perhaps wise; BEAST is mostly mitigated client-side now) and more emphasis on perfect forward secrecy. To varying degrees they also have stronger preferences for GCM and greater reluctance to accept RC4.

Of particular note are, I think, the following recommendations:

  • Mozilla OpSec
  • Ivan Ristic (of Qualys)
  • Geoffroy Gramaize

Personally, I'm going to go with Mozilla OpSec's. Their reasoning is well explained on their page. Of note, they prefer AES128 over AES256. In their words: "[AES128] provides good security, is really fast, and seems to be more resistant to timing attacks."

Noteworthy in Ivan Ristic's and Geoffroy Gramaize's recommendation is that SSLv3 is disabled. I think this mostly just breaks IE6, though some security related differences between SSLv3 and TLS v1.0 are mentioned on Wikipedia.

Also before I didn't talk about CRIME and BREACH. To protect against CRIME, disable SSL compression. This is included in the examples linked. To protect against BREACH, you need to disable compression at the HTTP level. For Apache 2.4, just do this once globally:

<Location />
  SetEnvIfExpr "%{HTTPS} == 'on'" no-gzip
</Location>

For older versions of Apache, place this in each VirtualHost where SSLEngine is on:

<Location />
    SetEnv no-gzip
</Location>

Update 2014-10-14: The Mozilla OpSec guide is now split into recommendations for old/intermediate/modern compatibility. With the settings from intermediate or modern, you end up with SSLv3 disabled. That will protect against the POODLE attack.
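
The ordering trick this answer describes, modelled as an added example that is not part of the original answer: it expands the answer's SSLCipherSuite string over a small constructed suite table and picks the server-preferred suite for a pre-TLSv1.2 client, with and without EECDH. The suite table, the client offer and all function names are assumptions for illustration; OpenSSL's real expansion covers many more suites.

```python
# Added example: simplified model of OpenSSL cipher-string expansion and
# server-preference selection. name -> (key exchange, cipher, MAC, needs TLSv1.2)
SUITES = {  # constructed subset, not OpenSSL's full list
    "ECDHE-RSA-AES128-GCM-SHA256": ("EECDH", "AES128", "AEAD", True),
    "ECDHE-RSA-AES256-SHA384": ("EECDH", "AES256", "SHA384", True),
    "DHE-RSA-AES128-SHA256": ("EDH", "AES128", "SHA256", True),
    "ECDHE-RSA-AES256-SHA": ("EECDH", "AES256", "SHA1", False),
    "ECDHE-RSA-RC4-SHA": ("EECDH", "RC4", "SHA1", False),
    "DHE-RSA-AES256-SHA": ("EDH", "AES256", "SHA1", False),
    "AES256-SHA": ("RSA", "AES256", "SHA1", False),
    "RC4-SHA": ("RSA", "RC4", "SHA1", False),
}
ANSWER = ("EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:"
          "EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5")
APACHE_22 = [n for n in SUITES if SUITES[n][0] != "EECDH"]  # per the answer: no EECDH
LEGACY_OFFER = [n for n in SUITES if not SUITES[n][3]]  # constructed pre-TLSv1.2 client

def tags(name):
    kx, enc, mac, _ = SUITES[name]
    return {name, kx, enc, "AES" if enc.startswith("AES") else enc, mac}

def expand(cipher_string, available):
    # Plain terms append matches, '-' removes them (re-addable), '!' bans them.
    order, banned = [], set()
    for term in cipher_string.split(":"):
        op = term[0] if term[0] in "-!" else ""
        want = set(term[len(op):].split("+"))  # 'A+B' requires both tags
        hits = [n for n in available if want <= tags(n)]
        if op == "!":
            banned.update(hits)
        if op:
            order = [n for n in order if n not in hits]
        else:
            order += [n for n in hits if n not in order and n not in banned]
    return order

def negotiate(order, offer, tls12):
    # SSLHonorCipherOrder On: first server-preferred suite the client can use.
    usable = [n for n in order if n in offer and (tls12 or not SUITES[n][3])]
    return usable[0] if usable else None

def forward_secret(name):
    return name is not None and SUITES[name][0] in ("EECDH", "EDH")

if __name__ == "__main__":
    for label, avail in (("Apache 2.2", APACHE_22), ("with EECDH", list(SUITES))):
        pick = negotiate(expand(ANSWER, avail), LEGACY_OFFER, tls12=False)
        print(label, "->", pick, "forward secret:", forward_secret(pick))
```

In this model the pre-TLSv1.2 client lands on RC4-SHA without EECDH and on ECDHE-RSA-RC4-SHA with it, which is the difference the answer attributes to upgrading from Apache 2.2.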
