In Apache, how do I disable AES128?


Question:


SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:!AES128



It is still using:


TLS_AES_128_GCM_SHA256 (0x1301) 




SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256


SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384


SSLOpenSSLConfCmd ECDHParameters secp384r1


SSLHonorCipherOrder On


SSLProtocol -all +TLSv1.2 +TLSv1.3


SSLPassPhraseDialog builtin


SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"


SSLSessionCacheTimeout 300


SSLUseStapling On


SSLStaplingCache "shmcb:ssl_stapling(32768)"



<Virtualhost *:443>


SSLEngine On


SSLOptions +StdEnvVars +ExportCertData


SSLCertificateFile "/path/to/trusted/ssl.crt"


SSLcertificateKeyFile "/path/to/its/ssl.key"


</Virtualhost>



Adjust the log file locations as needed,


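Answer 1:

The plain SSLCipherSuite option only sets the ciphers for TLS 1.2 and lower. TLS_AES_128_GCM_SHA256 is a TLS 1.3 cipher though, and is not covered by the TLS 1.2 cipher string. To set the TLS 1.3 ciphers, explicitly specify the protocol, i.e.: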


SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
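
An added example (not part of the original question or answer): a small Python check that reads httpd configuration text and reports which AES-128 TLS 1.3 suites remain enabled, following the rule described in the answer. Assumptions: the function names are hypothetical, all directives are treated as one configuration context, and OpenSSL's built-in TLS 1.3 default list applies when no `SSLCipherSuite TLSv1.3` line is present.

```python
import re

# Assumption: OpenSSL's built-in TLS 1.3 suite list, which stays in effect
# when the config has no "SSLCipherSuite TLSv1.3 ..." directive.
OPENSSL_TLS13_DEFAULT = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
]

DIRECTIVE = re.compile(r"^\s*SSLCipherSuite\s+(.*)$", re.IGNORECASE)


def effective_suites(conf_text):
    """Return the cipher settings per protocol class for one config context.

    'SSL' is the OpenSSL cipher string for TLS 1.2 and lower (None if unset);
    'TLSv1.3' is the list of TLS 1.3 suites that will actually be offered.
    A later directive for the same protocol class replaces an earlier one.
    """
    legacy, tls13 = None, None
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue                      # skip commented-out directives
        m = DIRECTIVE.match(line)
        if not m:
            continue
        args = m.group(1).replace('"', "").split()
        if not args:
            continue
        if len(args) == 2 and args[0].lower() == "tlsv1.3":
            tls13 = args[1].split(":")    # explicit TLS 1.3 suite list
        elif len(args) == 2 and args[0].lower() == "ssl":
            legacy = args[1]              # explicit "SSL" protocol keyword
        else:
            legacy = args[0]              # no protocol given: TLS <= 1.2 only
    if tls13 is None:
        tls13 = list(OPENSSL_TLS13_DEFAULT)
    return {"SSL": legacy, "TLSv1.3": tls13}


def aes128_tls13_suites(conf_text):
    """List the TLS 1.3 suites using AES-128 that the config leaves enabled."""
    return [s for s in effective_suites(conf_text)["TLSv1.3"] if "AES_128" in s]


# Constructed sample inputs: the directive from the question and the answer's fix.
QUESTION_CONF = "SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:!AES128\n"
FIXED_CONF = QUESTION_CONF + (
    "SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384\n"
)
```

The result for a live server can be confirmed with `openssl s_client -tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256 -connect host:443`, which should fail to negotiate once the TLS 1.3 list excludes AES-128.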




