This finding was raised because 3DES encryption had not been disabled. Below is the data from the scan report.
Insecure Transport: Weak SSL Cipher ( 11285 )
Summary
WebInspect has detected support for weak TLS/SSL ciphers on server https://xxx.xxx.xx:443/.
The Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols provide a mechanism to help protect authenticity, confidentiality and integrity of the data transmitted between a client and web server. The strength of this protection mechanism is determined by the authentication, encryption and hashing algorithms, collectively known as a cipher suite, chosen for the transmission of sensitive information over the TLS/SSL channel. Most Web servers support a range of such cipher suites of varying strengths. Using a weak cipher or an encryption key of insufficient length, for example, could allow an attacker to defeat the protection mechanism and steal or modify sensitive information.
If misconfigured, a web server could be manipulated into choosing weak cipher suites. Recommendations include updating the web server configuration to always choose the strongest ciphers for encryption.
Checking tools
There are many tools for checking ciphers, and many websites offer online tests as well. A few of them are listed below:
Online websites
Qualys SSL Labs offers a free test: choose Test your server, then enter the domain name. The following uses google as an example.
- Enter the domain name
- Test results
Nmap
Nmap is a command-line scanning tool, and installing it on Windows is quite easy. The command to check the certificate and weak ciphers is as follows:
nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995 www.google.com
OWASP's Testing for Weak SSL/TLS Ciphers covers more testing methods.
IIS Crypto
This section targets IIS. Adjusting the ciphers IIS uses sometimes requires editing the Registry, so IIS Crypto, a tool that can not only view these settings but also adjust them quickly, is very convenient.
Note that after making changes you need to reboot, otherwise the adjusted settings will not take effect.
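For readers who prefer to script the change IIS Crypto makes for 3DES, here is an added example (not code from the original post or from the IIS Crypto tool) that disables the SCHANNEL 3DES cipher through its registry key and reads the state back. It assumes an elevated PowerShell session on the IIS host; the function names are the example's own, while the key path and the Enabled value follow Microsoft's documented SCHANNEL layout.

```powershell
#Requires -RunAsAdministrator
# Added example: disable 3DES in SCHANNEL via the registry keys IIS Crypto edits.
$SchannelCiphers = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

function Get-SchannelCipherState {
    param([Parameter(Mandatory)][string]$CipherName)
    # Open the 64-bit view of HKLM explicitly so a 32-bit shell is not redirected to WOW6432Node.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', 'Registry64')
    $key  = $base.OpenSubKey("$SchannelCiphers\$CipherName")
    if ($null -eq $key) { return 'absent (OS default applies)' }
    $enabled = $key.GetValue('Enabled', $null)
    $key.Close()
    if ($null -eq $enabled) { return 'no Enabled value (OS default applies)' }
    # 0 means disabled; any non-zero value (commonly 0xffffffff) means enabled.
    if ($enabled -eq 0) { 'disabled' } else { 'enabled' }
}

function Disable-SchannelCipher {
    param([Parameter(Mandatory)][string]$CipherName)
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', 'Registry64')
    # CreateSubKey opens the key writable and creates it when missing. The .NET API is used
    # instead of New-Item because other cipher key names (e.g. 'RC4 128/128') contain a slash.
    $key = $base.CreateSubKey("$SchannelCiphers\$CipherName")
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

# 'Triple DES 168' is the SCHANNEL key for 3DES, the cipher behind the WebInspect finding above.
$cipher = 'Triple DES 168'
"Before: $cipher is $(Get-SchannelCipherState $cipher)"
Disable-SchannelCipher $cipher
"After:  $cipher is $(Get-SchannelCipherState $cipher)"
Write-Warning 'SCHANNEL reads these keys at boot: reboot, then re-run the nmap or SSL Labs check to confirm.'
```

The same two functions apply to any other SCHANNEL cipher subkey you decide to turn off; re-scan after the reboot rather than trusting the registry value alone.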