2017-04-27
2018-05-21
因為 iMPERVA 11.5 WAF 並不是所有 HTTPS SSL Cipher 都支援,為了讓 WAF能全面監控,最近被要求調整 Web Server 支援的 Cipher 種類。
先用 nmap 7.40 測試 Web Server ( Windows Server 2016 的 IIS),得到支援的 Cipher種類
nmap --script ssl-cert,ssl-enum-ciphers -p 443 www.test.idv.tw
Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-25 08:23 ¥x¥_?D·CRE?! Nmap scan report for www.test.idv.tw (117.56.7.24) Host is up (0.00s latency). rDNS record for 117.56.7.24: system.icst.org.tw PORT STATE SERVICE 443/tcp open https | ssl-cert: Subject: commonName=www.test.idv.tw/organizationName=\xE8\xA1\x8C\xE6\x94\xBF\xE9\x99\xA2/countryName=TW | Subject Alternative Name: DNS:www.test.idv.tw | Issuer: organizationName=\xE8\xA1\x8C\xE6\x94\xBF\xE9\x99\xA2/countryName=TW | Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha256WithRSAEncryption | Not valid before: 2015-05-12T02:08:55 | Not valid after: 2018-05-12T02:08:55 | MD5: 97cb ef80 b922 8383 3d84 305d 482c 67fb |_SHA-1: 1ebc bcdc fc69 3417 8507 a88e 299d 4c65 d7ad de48 | ssl-enum-ciphers: | TLSv1.0: | ciphers: | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C | TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C | TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C | compressors: | NULL | cipher preference: server | warnings: | 64-bit block cipher 3DES vulnerable to SWEET32 attack | Broken cipher RC4 is deprecated by RFC 7465 | Ciphersuite uses MD5 for message integrity | TLSv1.1: | ciphers: | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C | TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C | TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C | compressors: | NULL | cipher preference: server | warnings: | 64-bit block cipher 3DES vulnerable to SWEET32 attack | Broken cipher RC4 is deprecated by RFC 7465 | Ciphersuite uses MD5 for message integrity | TLSv1.2: | ciphers: | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (rsa 2048) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A | TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C | TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C | TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C | compressors: | NULL | cipher preference: server | warnings: | 64-bit block cipher 3DES vulnerable to SWEET32 attack | Broken cipher RC4 is deprecated by RFC 7465 | Ciphersuite uses MD5 for message integrity |_ least strength: C Nmap done: 1 IP address (1 host up) scanned in 5.80 seconds |
開啟手冊 P.80 ~ P.81
Imperva-SecureSphere-v11.5-Web-Security-User-Guide.pdf
到 P.80 開頭,把 nmap 結果的 Cipher 拿去 .pdf 中搜尋,例如搜尋 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,在 P,.80~P.81有找到,表示有支援。
再回到 P.80 頁開頭,搜尋下一個 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,重複步驟。
最後找到2個不支援的
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
要關閉這個,需要手動修改 登錄 (Registry),太麻煩,找到一個工具
IIS Crypto 2.0 Build 11 - Released July 15, 2016
https://www.nartac.com/Products/IISCrypto
支援 Windows Server 2008, 2012, 2016
手動重新啟動,完工。
********************************************************************************
對於網站而言,一般點選【Best Practices】按鈕就會把一些不合適的關閉掉。(較不安全的)
(下圖) 點左邊 Schannel,點下邊【Best Practices】按鈕
(下圖) 點左邊 Cipher Suites,點下邊【Best Practices】按鈕 (前面步驟可能已經關閉不合適的)
(下圖) 按下右下角【Apply】按鈕,提示要 reboot 後才會生效。
請自己手動重新啟動電腦。
(完)
相關
[研究] 顯示你的瀏覽器支援的 HTTPS ( SSL) Cipher 加密方式
http://shaurong.blogspot.com/2017/07/https-ssl-cipher.html
[研究] 瀏覽器預設 HTTPS SSL Cipher 加密優先順序
http://shaurong.blogspot.com/2017/07/https-ssl-cipher_22.html
[研究] 調整 Windows 2016 IIS 的 HTTPS (SSL) 加密 (Cipher),符合 WAF 支援
http://shaurong.blogspot.com/2017/04/windows-2016-iis-https-ssl-cipher-waf.html
Cipher Suites in TLS/SSL (Schannel SSP)
https://msdn.microsoft.com/zh-tw/library/windows/desktop/aa374757(v=vs.85).aspx
How to Update Your Windows Server Cipher Suite for Better Security
https://www.howtogeek.com/221080/how-to-update-your-windows-server-cipher-suite-for-better-security/
讓你的 SSL 更安全 – 移除弱 SSL 加密方式 (Cipher)
SSL安全性如何強化,含括了當前流行的各種伺服器的設定方式,包括IIS, Apache, F5 Load balancer, A10 等
https://itbwtalk.com/2014/03/17/%E6%B2%92%E9%82%A3%E9%BA%BC%E5%AE%89%E5%85%A8%E7%9A%84-ssl-%E7%A7%BB%E9%99%A4%E5%BC%B1-ssl-%E5%8A%A0%E5%AF%86%E6%96%B9%E5%BC%8F-cipher/
如何停用 IIS5 / IIS6 / IIS7 的 SSL v2 加密協定 (含原理說明)
http://blog.miniasp.com/post/2010/03/10/How-to-disable-SSL-v2-in-IIS-5-6-7.aspx
How to Disable SSL 2.0 and SSL 3.0 in IIS 7
https://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html
Require Strong Ciphers in Windows IIS 7.5 and 8
https://www.ssl.com/how-to/require-strong-ciphers-in-windows-iis-7-5-and-8/
沒有留言:
張貼留言