我通过我们的 apache 服务器的 ssl.conf 文件中的“SSLProtocol All -SSLv2 -SSLv3”为 apache 应用了 POODLE 修复,但是通过“SSLVerifyClient 要求”的 CAC 客户端身份验证存在问题。我已经确认如果我设置“SSLVerifyClient none”,我们的 Web 应用程序可以通过 https 访问并使用正确的 TLSv1 协议,但是一旦我设置了“SSLVerifyClient require”(这是必需的,因为我们的 Web 应用程序启用了 CAC)我得到一个页面不能在 IE 中显示(IE 禁用了 SSLv2 和 SSLv3)。我认为它正在 SSLVerifyClient 阶段重新协商到 SSLv3。任何人都知道如何在 Oracle HTTP Server (OHS) Apache 2.2.13 上解决这个问题?
这是我的 ssl.conf 文件的片段:
###################################################################
# Oracle HTTP Server mod_ossl configuration file: ssl.conf #
###################################################################
# OHS Listen Port
Listen 443
<IfModule ossl_module>
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
SSLSessionCache "shmcb:${ORACLE_INSTANCE}/diagnostics/logs/${COMPONENT_TYPE}/${COMPONENT_NAME}/ssl_scache(512000)"
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
<IfModule mpm_winnt_module>
SSLMutex "none"
</IfModule>
<IfModule !mpm_winnt_module>
SSLMutex pthread
</IfModule>
##
## SSL Virtual Host Context
##
<VirtualHost *:443>
# ServerAdmin webmaster@dummy-host.example.com
DocumentRoot "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/htdocs/asset"
DirectoryIndex remagnum.html
ServerName TTSDS09083.TIMPO.OSD.MIL
# ServerAlias www.dummy-host.example.com
<IfModule ossl_module>
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
#SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
SSLCipherSuite SSL_RSA_WITH_AES_128_CBC_SHA
SSLProtocol All -SSLv2 -SSLv3
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional and require.
#SSLVerifyClient none
SSLVerifyClient require
# SSL Certificate Revocation List Check
# Valid values are On and Off
SSLCRLCheck Off
#Path to the wallet
SSLWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/default"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars +ExportCertData
</FilesMatch>
<Directory "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/cgi-bin">
SSLOptions +StdEnvVars +ExportCertData
</Directory>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</IfModule>
</VirtualHost>
</IfModule>