1

我通过我们的 apache 服务器的 ssl.conf 文件中的“SSLProtocol All -SSLv2 -SSLv3”为 apache 应用了 POODLE 修复,但是通过“SSLVerifyClient 要求”的 CAC 客户端身份验证存在问题。我已经确认如果我设置“SSLVerifyClient none”,我们的 Web 应用程序可以通过 https 访问并使用正确的 TLSv1 协议,但是一旦我设置了“SSLVerifyClient require”(这是必需的,因为我们的 Web 应用程序启用了 CAC)我得到一个页面不能在 IE 中显示(IE 禁用了 SSLv2 和 SSLv3)。我认为它正在 SSLVerifyClient 阶段重新协商到 SSLv3。任何人都知道如何在 Oracle HTTP Server (OHS) Apache 2.2.13 上解决这个问题?

这是我的 ssl.conf 文件的片段:

###################################################################
# Oracle HTTP Server mod_ossl configuration file: ssl.conf        #
###################################################################


# OHS Listen Port
Listen 443

<IfModule ossl_module>
##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#
#   Some MIME-types for downloading Certificates and CRLs
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
    SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism 
#   to use and second the expiring timeout (in seconds).
    SSLSessionCache "shmcb:${ORACLE_INSTANCE}/diagnostics/logs/${COMPONENT_TYPE}/${COMPONENT_NAME}/ssl_scache(512000)"
    SSLSessionCacheTimeout  300

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization. 
    <IfModule mpm_winnt_module>
      SSLMutex "none"
    </IfModule>
    <IfModule !mpm_winnt_module>
      SSLMutex pthread
    </IfModule>

##
## SSL Virtual Host Context
##
<VirtualHost *:443>
#    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/htdocs/asset"
    DirectoryIndex remagnum.html
    ServerName TTSDS09083.TIMPO.OSD.MIL
#    ServerAlias www.dummy-host.example.com

  <IfModule ossl_module>

   #  SSL Engine Switch:
   #  Enable/Disable SSL for this virtual host.
   SSLEngine on

   #  SSL Cipher Suite:
   #  List the ciphers that the client is permitted to negotiate.
   #SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA

   SSLCipherSuite SSL_RSA_WITH_AES_128_CBC_SHA

   SSLProtocol All -SSLv2 -SSLv3


   #  Client Authentication (Type):
   #  Client certificate verification type and depth.  Types are
   #  none, optional and require.
   #SSLVerifyClient none
   SSLVerifyClient require

   # SSL Certificate Revocation List Check
   # Valid values are On and Off
   SSLCRLCheck Off

   #Path to the wallet
   SSLWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/default"

   <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars +ExportCertData

   </FilesMatch>

   <Directory "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/cgi-bin">
      SSLOptions +StdEnvVars +ExportCertData

   </Directory>

   BrowserMatch ".*MSIE.*" \
   nokeepalive ssl-unclean-shutdown \
   downgrade-1.0 force-response-1.0

  </IfModule>
</VirtualHost>

</IfModule>
4

1 回答 1

1

您是否尝试为已弃用的浏览器删除 BrowserMatch?

#BrowserMatch ".*MSIE.*" \
#   nokeepalive ssl-unclean-shutdown \
#   downgrade-1.0 force-response-1.0

以及来自 httpd.conf

#BrowserMatch "Mozilla/2" nokeepalive
#BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0

参考: http: //blogs.msdn.com/b/ieinternals/archive/2011/03/26/https-and-connection-close-is-your-apache-modssl-server-configuration-set-to-slow。 aspx

于 2015-01-09T21:20:03.330 回答