How to disable SSL v2 in Apache

  • OS: CentOS 4 (on CentOS 5 it is disabled by default, so no action is needed)
  • httpd-2.0.52-41.ent.6.centos4
  • mod_ssl-2.0.52-41.ent.6.centos4

The only change needed is to add SSLProtocol all -SSLv2 to the configuration file.

vi /etc/httpd/conf.d/ssl.conf
:
#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

SSLProtocol all -SSLv2

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
:
service httpd restart
echo "HEAD / HTTP/1.0" | openssl s_client -ssl2 -connect localhost:443

If SSL v2 is disabled, output similar to the following should appear:

CONNECTED(00000003)
21125:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:429:
[root@eddev ~]#

If output similar to the following appears, the server still supports SSL v2:

:
---
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
    Session-ID: EEB8BC7BB76FF59A8AA046D531891D7B
    Session-ID-ctx:
    Master-Key: 9CDDA4BEB0E47E9087248343F0C335CE61CB762B4C77E6AF
    Key-Arg   : D0DCAB07A908DE66
    Krb5 Principal: None
    Start Time: 1265596203
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
DONE
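
The two checks above (the SSLProtocol line in ssl.conf and the s_client result) can be scripted. This is an added example, not part of the original page; the function names are hypothetical, the sample inputs are constructed, and the left-to-right token handling is an assumed model of how mod_ssl parses SSLProtocol.

```shell
#!/bin/sh
# Added example (not from the original page); function names are hypothetical.

# Read `openssl s_client -ssl2` output on stdin and print:
#   enabled  - an SSLv2 session was negotiated
#   disabled - the SSLv2 handshake was rejected
#   unknown  - neither pattern seen (e.g. connection refused)
sslv2_probe_result() {
    awk '
        /^New, SSLv2, Cipher is / || /Protocol[ \t]*:[ \t]*SSLv2/ { on = 1 }
        /ssl handshake failure/ { off = 1 }
        END { print (on ? "enabled" : (off ? "disabled" : "unknown")) }'
}

# Read an Apache config on stdin. For every uncommented SSLProtocol directive
# print "<line-number> enabled|disabled" for SSLv2, or "none" if the directive
# is absent. Tokens are applied left to right: "-X" removes, "+X" adds, and a
# bare token replaces the set (assumed model of mod_ssl parsing).
sslv2_in_config() {
    awk '
        tolower($1) == "sslprotocol" {
            seen = 1; v2 = 0
            for (i = 2; i <= NF; i++) {
                t = tolower($i); sign = substr(t, 1, 1)
                if (sign == "+" || sign == "-") t = substr(t, 2); else sign = ""
                hit = (t == "all" || t == "sslv2")
                if (sign == "-") { if (hit) v2 = 0 }
                else if (sign == "+") { if (hit) v2 = 1 }
                else v2 = hit
            }
            print NR, (v2 ? "enabled" : "disabled")
        }
        END { if (!seen) print "none" }'
}

# Constructed samples: an ssl.conf fragment before and after the change.
printf 'SSLEngine on\n#SSLProtocol all -SSLv2\nSSLProtocol all\n' | sslv2_in_config
printf 'SSLEngine on\nSSLProtocol all -SSLv2\n' | sslv2_in_config
```

On a real host, feed it the file and the probe output, e.g. `sslv2_in_config < /etc/httpd/conf.d/ssl.conf`. A result of "none" means the server falls back to the mod_ssl default for that version.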
  • tech/apache_sslv2.txt
  • Last modified: 2010/02/08 10:34
  • jonathan