How can I identify the cipher strength of an active https connection to a linux redhat apache webserver. I want to harden my web server by removing lower strength ciphers and would like to check if clients are even using them.
如何识别与linux redhat apache webserver的活动https连接的密码强度。我想通过删除低强度密码来强化我的Web服务器,并希望检查客户端是否使用它们。
EDIT My goal is to avoid negative impact of removal of a lower security cipher that a client relies on. Worst case scenario there is a stupid non browser (or old browser) app that is using an old insecure cipher, when I disallow the use of this cipher his/her app could break. I'm trying to proactively identify if there are any apps/browsers using any of the ciphers I'm going to disable.
编辑我的目标是避免删除客户端依赖的较低安全密码的负面影响。最糟糕的情况是有一个愚蠢的非浏览器(或旧浏览器)应用程序正在使用旧的不安全密码,当我不允许使用这个密码他/她的应用程序可能会破坏。我正在尝试主动识别是否有任何应用程序/浏览器使用我要禁用的任何密码。
2 个解决方案
#1
1
Your question and your goal aren't necessarily related. Each active connection may use a difference cipher based on the combination of: (a) the capabilities on the server (b) the capabilities of the client (c) cipher preference of the server and client. Looking at any individual connection will not tell you if your SSL configuration is optimal.
您的问题和目标不一定相关。每个活动连接可以使用基于以下组合的差分密码:(a)服务器上的能力(b)客户端的能力(c)服务器和客户端的密码偏好。查看任何单个连接都不会告诉您SSL配置是否最佳。
If your goal is to harden your SSL configuration, I suggest you use the SSL Server Test from SSL labs. It grades your server configuration based on known SSL vulnerabilities and best practices.
如果您的目标是强化SSL配置,我建议您使用SSL实验室的SSL服务器测试。它根据已知的SSL漏洞和最佳实践对您的服务器配置进行评级。
The last time I updated my SSL configuration I used the configuration tips from this blog post. Note that understanding of SSL vulnerabilities is constantly changing so I suggest you rerun the test every once in a while to ensure your configuration is the best that is currently known.
我最后一次更新SSL配置时使用了此博客文章中的配置提示。请注意,对SSL漏洞的理解不断变化,因此我建议您每隔一段时间重新运行一次测试,以确保您的配置是目前已知的最佳配置。
#2
0
You can identify unsuccessful handshakes by enabling the appropriate level of logging on mod_ssl. See the Custom Log Formats section on http://httpd.apache.org/docs/2.2/mod/mod_ssl.html, notably
您可以通过在mod_ssl上启用适当级别的日志记录来识别不成功的握手。请参阅http://httpd.apache.org/docs/2.2/mod/mod_ssl.html上的自定义日志格式部分,特别是
CustomLog logs/ssl_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
This should enable you to make a list of ciphers requested by clients and configure Apache accordingly.
这应该使您能够创建客户端请求的密码列表并相应地配置Apache。
#1
1
Your question and your goal aren't necessarily related. Each active connection may use a difference cipher based on the combination of: (a) the capabilities on the server (b) the capabilities of the client (c) cipher preference of the server and client. Looking at any individual connection will not tell you if your SSL configuration is optimal.
您的问题和目标不一定相关。每个活动连接可以使用基于以下组合的差分密码:(a)服务器上的能力(b)客户端的能力(c)服务器和客户端的密码偏好。查看任何单个连接都不会告诉您SSL配置是否最佳。
If your goal is to harden your SSL configuration, I suggest you use the SSL Server Test from SSL labs. It grades your server configuration based on known SSL vulnerabilities and best practices.
如果您的目标是强化SSL配置,我建议您使用SSL实验室的SSL服务器测试。它根据已知的SSL漏洞和最佳实践对您的服务器配置进行评级。
The last time I updated my SSL configuration I used the configuration tips from this blog post. Note that understanding of SSL vulnerabilities is constantly changing so I suggest you rerun the test every once in a while to ensure your configuration is the best that is currently known.
我最后一次更新SSL配置时使用了此博客文章中的配置提示。请注意,对SSL漏洞的理解不断变化,因此我建议您每隔一段时间重新运行一次测试,以确保您的配置是目前已知的最佳配置。
#2
0
You can identify unsuccessful handshakes by enabling the appropriate level of logging on mod_ssl. See the Custom Log Formats section on http://httpd.apache.org/docs/2.2/mod/mod_ssl.html, notably
您可以通过在mod_ssl上启用适当级别的日志记录来识别不成功的握手。请参阅http://httpd.apache.org/docs/2.2/mod/mod_ssl.html上的自定义日志格式部分,特别是
CustomLog logs/ssl_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
This should enable you to make a list of ciphers requested by clients and configure Apache accordingly.
这应该使您能够创建客户端请求的密码列表并相应地配置Apache。