1
我通過ssl.conf文件中的「SSLProtocol All -SSLv2 -SSLv3」爲我們的apache服務器應用了apache的POODLE修復程序,但在通過「SSLVerifyClient require」進行CAC客戶端身份驗證時遇到問題。我已經確認,如果我設置了「SSLVerifyClient none」,我們的Web應用程序可以通過https訪問並使用正確的TLSv1協議,但是一旦我設置了「SSLVerifyClient require」(因爲我們的Web應用程序啓用了CAC,在IE中顯示(IE禁用SSLv2和SSLv3)。我認爲它正在SSLVerifyClient階段重新談判SSLv3。任何人都知道如何解決這個問題在Oracle HTTP Server(OHS)Apache 2.2.13上?Oracle HTTP Server(OHS)Apache 2.2.13 Poodle SSLv3是否修復?
這裏是我的ssl.conf文件的一個片段:
###################################################################
# Oracle HTTP Server mod_ossl configuration file: ssl.conf #
###################################################################
# OHS Listen Port
Listen 443
<IfModule ossl_module>
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
SSLSessionCache "shmcb:${ORACLE_INSTANCE}/diagnostics/logs/${COMPONENT_TYPE}/${COMPONENT_NAME}/ssl_scache(512000)"
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
<IfModule mpm_winnt_module>
SSLMutex "none"
</IfModule>
<IfModule !mpm_winnt_module>
SSLMutex pthread
</IfModule>
##
## SSL Virtual Host Context
##
<VirtualHost *:443>
# ServerAdmin [email protected]
DocumentRoot "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/htdocs/asset"
DirectoryIndex remagnum.html
ServerName TTSDS09083.TIMPO.OSD.MIL
# ServerAlias www.dummy-host.example.com
<IfModule ossl_module>
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
#SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
SSLCipherSuite SSL_RSA_WITH_AES_128_CBC_SHA
SSLProtocol All -SSLv2 -SSLv3
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional and require.
#SSLVerifyClient none
SSLVerifyClient require
# SSL Certificate Revocation List Check
# Valid values are On and Off
SSLCRLCheck Off
#Path to the wallet
SSLWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/default"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars +ExportCertData
</FilesMatch>
<Directory "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/cgi-bin">
SSLOptions +StdEnvVars +ExportCertData
</Directory>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</IfModule>
</VirtualHost>
</IfModule>
我覈實,我沒有通過https://www.ssllabs.com/ssltest/使用的SSLv2或SSLv3的 所以我不明白爲什麼它不在IE中工作......在鉻中工作就好了。打算做一個數據包捕獲並嘗試升級Apache .. – emvee 2014-11-05 22:42:50
我只在IE瀏覽器的wireshark中收到此消息:「TLS記錄層:警報(級別:致命,描述:意外消息)」 – emvee 2014-11-06 16:18:53
升級到Oracle HTTP Server 11.1.1.7其中相當於Apache 2.2.22.0。我仍然無法在Internet Explorer 8中訪問我的應用程序,禁用了SSLV3並啓用了TLS 1.0-2。我現在正在接收來自Web服務器的TLS記錄層:警報(級別:致命,說明:關閉通知),作爲FIRST數據包在客戶端問候之前。然後它會從服務器發出證書請求,然後是另一個致命關閉通知 – emvee 2014-11-07 19:27:11