漏洞描述:
It was possible to detect the usage of the deprecated TLSv1.0 and/or TLSv1.1 protocol on this system.
Medium 9001/tcp
Medium (CVSS: 4.3)
NVT: SSL/TLS: Deprecated TLSv1.0 and TLSv1.1 Protocol Detection
Summary
It was possible to detect the usage of the deprecated TLSv1.0 and/or TLSv1.1 protocol on this system.
Vulnerability Detection Result
In addition to TLSv1.2+ the service is also providing the deprecated TLSv1.0 and
,→ TLSv1.1 protocols and supports one or more ciphers. Those supported ciphers c
,→an be found in the 'SSL/TLS: Report Supported Cipher Suites' (OID: 1.3.6.1.4.1
,→.25623.1.0.802067) VT.
Impact
An attacker might be able to use the known cryptographic aws to eavesdrop the connection
between clients and the service to get access to sensitive data transferred within the secured
connection.
Furthermore newly uncovered vulnerabilities in this protocols won't receive security updates
anymore.
Solution:
Solution type: Mitigation
It is recommended to disable the deprecated TLSv1.0 and/or TLSv1.1 protocols in favor of the
TLSv1.2+ protocols. Please see the references for more information.
Aected Software/OS
All services providing an encrypted communication using the TLSv1.0 and/or TLSv1.1 protocols.
Vulnerability Insight
The TLSv1.0 and TLSv1.1 protocols contain known cryptographic aws like:
. . . continues on next page . . .
2 RESULTS PER HOST 5
. . . continued from previous page . . .
- CVE-2011-3389: Browser Exploit Against SSL/TLS (BEAST)
- CVE-2015-0204: Factoring Attack on RSA-EXPORT Keys Padding Oracle On Downgraded
Legacy Encryption (FREAK)
Vulnerability Detection Method
Check the used TLS protocols of the services provided by this system.
Details: SSL/TLS: Deprecated TLSv1.0 and TLSv1.1 Protocol Detection
OID:1.3.6.1.4.1.25623.1.0.117274
Version used: 2021-07-19T08:11:48Z
References
cve: CVE-2011-3389
cve: CVE-2015-0204
解决办法:禁用已弃用的TLSv1.0和/或TLSv1.1协议,以支持TLSv1.2+协议。
TLS发展历史:
| 协议 | 发布时间 | 状态 |
|---|---|---|
| SSL 1.0 | 未公布 | 未公布 |
| SSL 2.0 | 1995年 | 已于2011年弃用 |
| SSL 3.0 | 1996年 | 已于2015年弃用 |
| TLS 1.0 | 1999年 | 于2021年弃用 |
| TLS 1.1 | 2006年 | 于2021年弃用 |
| TLS 1.2 | 2008年 | |
| TLS 1.3 | 2018年 |
1、Nginx配置
如果conf/nginx.conf配置了ssl证书,且default_server的server域里面版本如下
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
则删除TLS1.0 TLSv1.1、增加TLS1.3
ssl_protocols TLSv1.2 TLSv1.3;
修改完后,执行./sbin/nginx -s reload重载生效。
2、Apache配置
修改/usr/local/apache/conf/extra/httpd-ssl.conf文件
vi /usr/local/apache/conf/extra/httpd-ssl.conf
可以看到版本还是SSLv3,修改为如下
SSLProtocol -ALL +TLSv1.2 +TLSv1.3
SSLProxyProtocol -ALL +TLSv1.2 +TLSv1.3
重启Apache
/usr/local/apache/bin/apachectl restart