I tried to disable TLSv1.0 and TLS1.1 in Apache, but the protocols are still active

I have a website (one of a few) on a server. I am trying to improve my domain's score at https://www.ssllabs.com/ssltest, but it does not seem to work.

Contents of:
/etc/apache2/sites-available/<my-domain>-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName <my-domain>

        DocumentRoot /var/www/<my-domain>

        SSLEngine on
        SSLProtocol -all +TLSv1.2 +TLSv1.3
        SSLCipherSuite HIGH:!aNULL:!MD5
        SSLHonorCipherOrder on
        SSLCipherSuite HIGH:!aNULL:!MD5:!RSA:!DES:!DSS:!RC4:!3DES:!ECDH:!ECDSA
        ServerAdmin webadmin@<my-domain>

        SSLCertificateFile /etc/letsencrypt/live/<my-domain>/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/<my-domain>/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf

</VirtualHost>
</IfModule>

And here is the result in the SSL test screenshot:
[screenshot of the SSL Labs result]

Also, when this command is run from an external source: openssl s_client -connect <my-domain>:443 -tls1

I get the following:

depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X2
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E1
verify return:1
depth=0 CN = <my-domain>
verify return:1
405765AEA07F0000:error:0A00014D:SSL routines:tls_process_key_exchange:legacy sigalg disallowed or unsupported:../ssl/statem/statem_clnt.c:2254:
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = <my-domain>
   i:C = US, O = Let's Encrypt, CN = E1
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Jan 29 03:26:59 2024 GMT; NotAfter: Apr 28 03:26:58 2024 GMT
 1 s:C = US, O = Let's Encrypt, CN = E1
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X2
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X2
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 3 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
subject=CN = <my-domain>
issuer=C = US, O = Let's Encrypt, CN = E1
---
No client certificate CA names sent
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4340 bytes and written 132 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1711398075
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

Contents of /etc/letsencrypt/options-ssl-apache.conf

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     on
SSLSessionTickets       off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
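
The vhost above sets SSLProtocol and then Includes options-ssl-apache.conf, which sets it again; mod_ssl parses each SSLProtocol directive from scratch and the last one seen inside the <VirtualHost> wins, so the included file's line is the one in effect (here both leave only TLSv1.2 and TLSv1.3 enabled). The following is an added Python model of that resolution, not Apache's code and not part of the original post; the config text is constructed from the question and held in memory rather than read from disk.

```python
# Added model (not Apache code) of how mod_ssl resolves SSLProtocol: each directive
# is parsed from scratch and the last one seen inside the <VirtualHost> wins, which
# covers directives pulled in through Include. Config text below is constructed.
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")

def parse_ssl_protocol(arg: str) -> set:
    """Evaluate one SSLProtocol argument list the way mod_ssl does."""
    enabled = set()
    for token in arg.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        if name == "all":
            names = set(ALL_PROTOCOLS)
        elif name == "SSLv2":
            names = set()  # token still accepted, nothing left to toggle (modern build assumed)
        elif name in ALL_PROTOCOLS:
            names = {name}
        else:
            raise ValueError(f"SSLProtocol: unknown protocol {token!r}")
        if sign == "+":
            enabled |= names
        elif sign == "-":
            enabled -= names
        else:
            enabled = names  # a bare token replaces whatever came before it
    return enabled

def effective_directives(lines, files):
    """Walk vhost lines, follow Include; last SSLProtocol/SSLCipherSuite wins."""
    result = {}
    for raw in lines:
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        name, arg = parts[0], (parts[1] if len(parts) > 1 else "")
        if name == "Include":
            result.update(effective_directives(files[arg], files))
        elif name in ("SSLProtocol", "SSLCipherSuite"):
            result[name] = arg
    return result

def effective_protocols(lines, files):
    # Apache 2.4's default when SSLProtocol is never set is "all -SSLv3".
    return parse_ssl_protocol(effective_directives(lines, files).get("SSLProtocol", "all -SSLv3"))

# Constructed from the question: vhost body first, then the Let's Encrypt include.
VHOST = """SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite HIGH:!aNULL:!MD5:!RSA:!DES:!DSS:!RC4:!3DES:!ECDH:!ECDSA
Include /etc/letsencrypt/options-ssl-apache.conf""".splitlines()
FILES = {"/etc/letsencrypt/options-ssl-apache.conf": """SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256""".splitlines()}
```

Because both directives resolve to the same two protocols, the config shown is not what lets a TLS 1.0 handshake through, and the s_client transcript above actually reports Cipher (NONE) with a client-side sigalg error, so no TLS 1.0 session was negotiated there either.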
