openssl - POODLE SSLv3 漏洞仍然测试失败

Question

我在 Linux Plesk 12.0 服务器上运行我的网站。我已经阅读了几篇关于通过禁用 SSLv3 来修复 POODLE 漏洞的文章，并且我已按照以下文章中的所有说明在我的服务器上禁用它。

http://kb.sp.parallels.com/en/123160

问题是当我这样做时，我运行了文章中指定的测试，它说我禁用了 SSLv3。但是，当我对其中一个在线测试进行测试时，它失败了——我一直在https://www.ssllabs.com/ssltest/网站上对其进行测试。

有没有人知道为什么我所做的任何改变都没有产生影响以及为什么我仍然很脆弱？

注意：我还请了一家安全公司对此进行了调查，他们说我的一堆密码仍然容易受到攻击，这可能是原因。如果是这样，有人知道如何关闭它们吗？见下文：

[34mSupported Server Cipher(s):[0m
Failed    SSLv3  256 bits  ECDHE-RSA-AES256-GCM-SHA384
Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
Failed    SSLv3  256 bits  ECDHE-RSA-AES256-SHA384
Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA384
Accepted  SSLv3  256 bits  ECDHE-RSA-AES256-SHA
Rejected  SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA
Failed    SSLv3  256 bits  SRP-DSS-AES-256-CBC-SHA
Failed    SSLv3  256 bits  SRP-RSA-AES-256-CBC-SHA
Failed    SSLv3  256 bits  SRP-AES-256-CBC-SHA
Failed    SSLv3  256 bits  DHE-DSS-AES256-GCM-SHA384
Failed    SSLv3  256 bits  DHE-RSA-AES256-GCM-SHA384
Failed    SSLv3  256 bits  DHE-RSA-AES256-SHA256
Failed    SSLv3  256 bits  DHE-DSS-AES256-SHA256
Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
Accepted  SSLv3  256 bits  DHE-RSA-CAMELLIA256-SHA
Rejected  SSLv3  256 bits  DHE-DSS-CAMELLIA256-SHA
Rejected  SSLv3  256 bits  AECDH-AES256-SHA
Failed    SSLv3  256 bits  ADH-AES256-GCM-SHA384
Failed    SSLv3  256 bits  ADH-AES256-SHA256
Rejected  SSLv3  256 bits  ADH-AES256-SHA
Rejected  SSLv3  256 bits  ADH-CAMELLIA256-SHA
Failed    SSLv3  256 bits  ECDH-RSA-AES256-GCM-SHA384
Failed    SSLv3  256 bits  ECDH-ECDSA-AES256-GCM-SHA384
Failed    SSLv3  256 bits  ECDH-RSA-AES256-SHA384
Failed    SSLv3  256 bits  ECDH-ECDSA-AES256-SHA384
Rejected  SSLv3  256 bits  ECDH-RSA-AES256-SHA
Rejected  SSLv3  256 bits  ECDH-ECDSA-AES256-SHA
Failed    SSLv3  256 bits  AES256-GCM-SHA384
Failed    SSLv3  256 bits  AES256-SHA256
Accepted  SSLv3  256 bits  AES256-SHA
Accepted  SSLv3  256 bits  CAMELLIA256-SHA
Failed    SSLv3  256 bits  PSK-AES256-CBC-SHA
Accepted  SSLv3  168 bits  ECDHE-RSA-DES-CBC3-SHA
Rejected  SSLv3  168 bits  ECDHE-ECDSA-DES-CBC3-SHA
Failed    SSLv3  168 bits  SRP-DSS-3DES-EDE-CBC-SHA
Failed    SSLv3  168 bits  SRP-RSA-3DES-EDE-CBC-SHA
Failed    SSLv3  168 bits  SRP-3DES-EDE-CBC-SHA
Accepted  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
Rejected  SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
Rejected  SSLv3  168 bits  AECDH-DES-CBC3-SHA
Rejected  SSLv3  168 bits  ADH-DES-CBC3-SHA
Rejected  SSLv3  168 bits  ECDH-RSA-DES-CBC3-SHA
Rejected  SSLv3  168 bits  ECDH-ECDSA-DES-CBC3-SHA
Accepted  SSLv3  168 bits  DES-CBC3-SHA
Failed    SSLv3  168 bits  PSK-3DES-EDE-CBC-SHA
Failed    SSLv3  128 bits  ECDHE-RSA-AES128-GCM-SHA256
Failed    SSLv3  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256
Failed    SSLv3  128 bits  ECDHE-RSA-AES128-SHA256
Failed    SSLv3  128 bits  ECDHE-ECDSA-AES128-SHA256
Accepted  SSLv3  128 bits  ECDHE-RSA-AES128-SHA
Rejected  SSLv3  128 bits  ECDHE-ECDSA-AES128-SHA
Failed    SSLv3  128 bits  SRP-DSS-AES-128-CBC-SHA
Failed    SSLv3  128 bits  SRP-RSA-AES-128-CBC-SHA
Failed    SSLv3  128 bits  SRP-AES-128-CBC-SHA
Failed    SSLv3  128 bits  DHE-DSS-AES128-GCM-SHA256
Failed    SSLv3  128 bits  DHE-RSA-AES128-GCM-SHA256
Failed    SSLv3  128 bits  DHE-RSA-AES128-SHA256
Failed    SSLv3  128 bits  DHE-DSS-AES128-SHA256
Accepted  SSLv3  128 bits  DHE-RSA-AES128-SHA
Rejected  SSLv3  128 bits  DHE-DSS-AES128-SHA
Rejected  SSLv3  128 bits  DHE-RSA-SEED-SHA
Rejected  SSLv3  128 bits  DHE-DSS-SEED-SHA
Accepted  SSLv3  128 bits  DHE-RSA-CAMELLIA128-SHA
Rejected  SSLv3  128 bits  DHE-DSS-CAMELLIA128-SHA
Rejected  SSLv3  128 bits  AECDH-AES128-SHA
Failed    SSLv3  128 bits  ADH-AES128-GCM-SHA256
Failed    SSLv3  128 bits  ADH-AES128-SHA256
Rejected  SSLv3  128 bits  ADH-AES128-SHA
Rejected  SSLv3  128 bits  ADH-SEED-SHA
Rejected  SSLv3  128 bits  ADH-CAMELLIA128-SHA
Failed    SSLv3  128 bits  ECDH-RSA-AES128-GCM-SHA256
Failed    SSLv3  128 bits  ECDH-ECDSA-AES128-GCM-SHA256
Failed    SSLv3  128 bits  ECDH-RSA-AES128-SHA256
Failed    SSLv3  128 bits  ECDH-ECDSA-AES128-SHA256
Rejected  SSLv3  128 bits  ECDH-RSA-AES128-SHA
Rejected  SSLv3  128 bits  ECDH-ECDSA-AES128-SHA
Failed    SSLv3  128 bits  AES128-GCM-SHA256
Failed    SSLv3  128 bits  AES128-SHA256
Accepted  SSLv3  128 bits  AES128-SHA
Rejected  SSLv3  128 bits  SEED-SHA
Accepted  SSLv3  128 bits  CAMELLIA128-SHA
Failed    SSLv3  128 bits  PSK-AES128-CBC-SHA
Rejected  SSLv3  128 bits  ECDHE-RSA-RC4-SHA
Rejected  SSLv3  128 bits  ECDHE-ECDSA-RC4-SHA
Rejected  SSLv3  128 bits  AECDH-RC4-SHA
Rejected  SSLv3  128 bits  ADH-RC4-MD5
Rejected  SSLv3  128 bits  ECDH-RSA-RC4-SHA
Rejected  SSLv3  128 bits  ECDH-ECDSA-RC4-SHA
Rejected  SSLv3  128 bits  RC4-SHA
Rejected  SSLv3  128 bits  RC4-MD5
Failed    SSLv3  128 bits  PSK-RC4-SHA
Rejected  SSLv3  56 bits   EDH-RSA-DES-CBC-SHA
Rejected  SSLv3  56 bits   EDH-DSS-DES-CBC-SHA
Rejected  SSLv3  56 bits   ADH-DES-CBC-SHA
Rejected  SSLv3  56 bits   DES-CBC-SHA
Rejected  SSLv3  40 bits   EXP-EDH-RSA-DES-CBC-SHA
Rejected  SSLv3  40 bits   EXP-EDH-DSS-DES-CBC-SHA
Rejected  SSLv3  40 bits   EXP-ADH-DES-CBC-SHA
Rejected  SSLv3  40 bits   EXP-DES-CBC-SHA
Rejected  SSLv3  40 bits   EXP-RC2-CBC-MD5
Rejected  SSLv3  40 bits   EXP-ADH-RC4-MD5
Rejected  SSLv3  40 bits   EXP-RC4-MD5
Rejected  SSLv3  0 bits    ECDHE-RSA-NULL-SHA
Rejected  SSLv3  0 bits    ECDHE-ECDSA-NULL-SHA
Rejected  SSLv3  0 bits    AECDH-NULL-SHA
Rejected  SSLv3  0 bits    ECDH-RSA-NULL-SHA
Rejected  SSLv3  0 bits    ECDH-ECDSA-NULL-SHA
Failed    SSLv3  0 bits    NULL-SHA256
Rejected  SSLv3  0 bits    NULL-SHA
Rejected  SSLv3  0 bits    NULL-MD5

非常感谢！

score 3 · Accepted Answer

请使用以下方法：

设置 disablesslv3 参数：

mysql -uadmin -p cat /etc/psa/.psa.shadow-Dpsa -e "插入其他值('disablesslv3', 'true')"

重新生成配置：

/usr/local/psa/admin/bin/httpdmng --reconfigure-all

检查结果：

cat /var/www/vhosts/system/*/conf/last_nginx.conf | grep ssl_protocols

openssl - POODLE SSLv3 漏洞仍然测试失败

1 回答 1

Related

Reference