CONTENT
- CHANGES
Szukaj
#top Przydatne informacje¶
- Przydatne informacje
- Timeout
- Load Balancing with HAProxy
- TLS SNI
- SNI config
- SNI check
- Protocol Secure
- Remove Service Version Information
- Add HTTP Response Headers Security
- TLS Secure
- Disable SSLv2/SSLv3 Protocols
- Disable weak Cipher Suites
- Disable RC4 CipherSuite
- Disable Anonymous CipherSuite
- Disable SSL Compression
- Set custom DH parameters
- Avoid certificates with Signature Algorithm: SHA1
#top Timeout¶
Zobacz także Timeout dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
Zobacz także Timeout dla: ProFTPd | Pure-FTPd | vsftpd | Dovecot | Postfix | OpenLDAP
Zobacz także Timeout dla: pgpool | PostgreSQL | MySQL | Firebird
(Zobacz sekcję Timeout)
#top Load Balancing with HAProxy¶
Zobacz także Load Balancing with HAProxy dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
Zobacz także Load Balancing with HAProxy dla: ProFTPd | Pure-FTPd | vsftpd | Dovecot | Postfix | OpenLDAP
Zobacz także Load Balancing with HAProxy dla: pgpool | PostgreSQL | MySQL | Firebird
Niedotyczy! Niniejsza konfiguracja dotyczy serwerów obsługujących protokół HTTP.
Dla pozostałych protokołów HAProxy oferuje równoważenie ruchu w trybie TCP.
Dla pozostałych protokołów HAProxy oferuje równoważenie ruchu w trybie TCP.
#top TLS SNI¶
Zobacz także TLS SNI dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
Zobacz także TLS SNI dla: ProFTPd | Pure-FTPd | vsftpd | Dovecot | Postfix | OpenLDAP
Zobacz także TLS SNI dla: pgpool | PostgreSQL | MySQL | Firebird
Dokumentacja Pure-FTPd:
#top SNI config¶
Zobacz także SNI config dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
Zobacz także SNI config dla: ProFTPd | Pure-FTPd | vsftpd | Dovecot | Postfix | OpenLDAP
Zobacz także SNI config dla: pgpool | PostgreSQL | MySQL | Firebird
#top SNI check¶
Zobacz także SNI check dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
Zobacz także SNI check dla: ProFTPd | Pure-FTPd | vsftpd | Dovecot | Postfix | OpenLDAP
Zobacz także SNI check dla: pgpool | PostgreSQL | MySQL | Firebird
#top Protocol Secure¶
Zobacz także Protocol Secure dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
Zobacz także Protocol Secure dla: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
Zobacz także Protocol Secure dla: pgpool | PostgreSQL | MySQL | Firebird
#top Remove Service Version Information¶
Zobacz także Remove Service Version Information dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
Zobacz także Remove Service Version Information dla: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
Zobacz także Remove Service Version Information dla: pgpool | PostgreSQL | MySQL | Firebird
(Zobacz sekcję Banner)
#top Add HTTP Response Headers Security¶
Zobacz także Add HTTP Response Headers Security dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
Zobacz także Add HTTP Response Headers Security dla: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
Zobacz także Add HTTP Response Headers Security dla: pgpool | PostgreSQL | MySQL | Firebird
Niedotyczy! Zalecana konfiguracja dotyczy serwerów obsługujących protokół HTTP.
#top TLS Secure¶
Zobacz także TLS Secure dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
Zobacz także TLS Secure dla: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
Zobacz także TLS Secure dla: pgpool | PostgreSQL | MySQL | Firebird
#top Disable SSLv2/SSLv3 Protocols¶
Zobacz także Disable SSLv2/SSLv3 Protocols dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
Zobacz także Disable SSLv2/SSLv3 Protocols dla: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
Zobacz także Disable SSLv2/SSLv3 Protocols dla: pgpool | PostgreSQL | MySQL | Firebird
(Zobacz sekcję TLS Protocols)
Resolution for POODLE SSLv3.0 vulnerability (CVE-2014-3566)
Vulnerability Summary for CVE-2014-3566
#top Disable weak Cipher Suites¶
Zobacz także Disable weak Cipher Suites dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
Zobacz także Disable weak Cipher Suites dla: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
Zobacz także Disable weak Cipher Suites dla: pgpool | PostgreSQL | MySQL | Firebird
(Zobacz sekcję TLS CipherSuite)
MITRE CVE dictionary (CVE-2015-2808)
Vulnerability Summary for CVE-2015-2808
Ivan Ristic Mitigating the BEAST attack on TLS
#top Disable RC4 CipherSuite¶
Zobacz także Disable RC4 CipherSuite dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
Zobacz także Disable RC4 CipherSuite dla: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
Zobacz także Disable RC4 CipherSuite dla: pgpool | PostgreSQL | MySQL | Firebird
Więcej informacji w analogicznym zagadnieniu: Disable weak Cipher Suites
#top Disable Anonymous CipherSuite¶
Zobacz także Disable Anonymous CipherSuite dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
Zobacz także Disable Anonymous CipherSuite dla: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
Zobacz także Disable Anonymous CipherSuite dla: pgpool | PostgreSQL | MySQL | Firebird
Więcej informacji w analogicznym zagadnieniu: Disable weak Cipher Suites
#top Disable SSL Compression¶
Zobacz także Disable SSL Compression dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
Zobacz także Disable SSL Compression dla: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
Zobacz także Disable SSL Compression dla: pgpool | PostgreSQL | MySQL | Firebird
(Zobacz sekcję TLS Compression)
The CRIME attack uses SSL Compression
Bug 857051 - (CRIME, CVE-2012-4929) CVE-2012-4929 SSL/TLS CRIME attack against HTTPS
The openssl packages in Red Hat Enterprise Linux 5 (starting with RHBA-2009:0181 update released in Red Hat Enterprise Linux 5.3) and 6, and also in Fedora, contain a patch that makes the library check if OPENSSL_NO_DEFAULT_ZLIB environment variable is set (can have arbitrary value, even empty string) and disable the default zlib support.
Setting the OPENSSL_NO_DEFAULT_ZLIB environment variable before starting a client or a server application using OpenSSL can be used to disable zlib compression support and hence mitigate this flaw. For example, httpd with mod_ssl has compression enabled by default in Red Hat Enterprise Linux 5 and 6, and hence it is used when client also supports it. Adding the following line to the /etc/sysconfig/httpd file:
and restarting the httpd service disables the use of SSL/TLS compression in mod_ssl and the compression will not be negotiated even when connecting client supports it. Note that this environment variable only affects the use of SSL/TLS protocol compression and does not affect the use of HTTP protocol compression implemented by the mod_deflate module.
Setting the OPENSSL_NO_DEFAULT_ZLIB environment variable before starting a client or a server application using OpenSSL can be used to disable zlib compression support and hence mitigate this flaw. For example, httpd with mod_ssl has compression enabled by default in Red Hat Enterprise Linux 5 and 6, and hence it is used when client also supports it. Adding the following line to the /etc/sysconfig/httpd file:
export OPENSSL_NO_DEFAULT_ZLIB=1
and restarting the httpd service disables the use of SSL/TLS compression in mod_ssl and the compression will not be negotiated even when connecting client supports it. Note that this environment variable only affects the use of SSL/TLS protocol compression and does not affect the use of HTTP protocol compression implemented by the mod_deflate module.
CVE-2012-4929 SSL/TLS CRIME attack against HTTPS
The MITRE CVE dictionary describes this issue as:
The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.
Find out more about CVE-2012-4929 from the MITRE CVE dictionary and NIST NVD.
The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.
Find out more about CVE-2012-4929 from the MITRE CVE dictionary and NIST NVD.
Vulnerability Summary for CVE-2009-1891
The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.
#top Set custom DH parameters¶
Zobacz także Set custom DH parameters dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
Zobacz także Set custom DH parameters dla: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
Zobacz także Set custom DH parameters dla: pgpool | PostgreSQL | MySQL | Firebird
(Zobacz sekcję TLS Cert/Key File)
#top Avoid certificates with Signature Algorithm: SHA1¶
Zobacz także Avoid certificates with Signature Algorithm: SHA1 dla: Apache | Nginx | Lighttpd | thttpd | HAProxy | Varnish | SQUID
Zobacz także Avoid certificates with Signature Algorithm: SHA1 dla: ProFTPd | Pure-FTPd | vsftpd | Postfix | Dovecot | OpenLDAP
Zobacz także Avoid certificates with Signature Algorithm: SHA1 dla: pgpool | PostgreSQL | MySQL | Firebird
Mozilla plans to phase out support of SHA-1 hash algorithm
After Jan. 1, 2016, Firefox will present an "Untrusted Connection" error when a newly issued SHA-1 certificate is encountered, and after Jan. 1, 2017, Firefox will present an "Untrusted Connection" error whenever a SHA-1 certificate is encountered at all, according to a Tuesday post.
SHA-1 has been around for nearly two decades, and in recent years researchers have demonstrated SHA-1 mathematical weaknesses that could be exploited given enough time and computing power, Richard Barnes, engineering manager, cryptography and PKI, with Mozilla, told SCMagazine.com in a Wednesday email correspondence.
SHA-1 has been around for nearly two decades, and in recent years researchers have demonstrated SHA-1 mathematical weaknesses that could be exploited given enough time and computing power, Richard Barnes, engineering manager, cryptography and PKI, with Mozilla, told SCMagazine.com in a Wednesday email correspondence.
Mozilla Security Blog
Many of the certificates used by secure websites today are signed using algorithms based on a hash algorithm called SHA-1. The integrity of the hash algorithm used in signing a certificate is a critical element in the security of the certificate. Weaknesses in hash algorithms can lead to situations in which attackers can obtain fraudulent certificates. Mozilla, along with other browser vendors, is working on a plan to phase out support for the SHA-1 hash algorithm.
SHA-1 is nearly twenty years old, and is beginning to show its age. In the last few years, collision attacks undermining some properties of SHA-1 have been getting close to being practical. Collision attacks against the older MD5 hash algorithm have been used to obtain fraudulent certificates, so the improving feasibility of collision attacks against SHA-1 is concerning. In order to avoid the need for a rapid transition should a critical attack against SHA-1 be discovered, we are proactively phasing out SHA-1.
SHA-1 is nearly twenty years old, and is beginning to show its age. In the last few years, collision attacks undermining some properties of SHA-1 have been getting close to being practical. Collision attacks against the older MD5 hash algorithm have been used to obtain fraudulent certificates, so the improving feasibility of collision attacks against SHA-1 is concerning. In order to avoid the need for a rapid transition should a critical attack against SHA-1 be discovered, we are proactively phasing out SHA-1.
Zmodyfikowany ostatnio: 2018/04/11 23:28:36 (6 lat temu),
textsize: 25,1 kB,
htmlsize: 40,7 kB
Zapraszam do komentowania, zgłaszania sugestii, propozycji, własnych przykładów, ...
Dodaj komentarzKomentarze użytkowników