红帽全球峰会3.3. 识别环境中的 TLS 版本
重要
Red Hat OpenStack 平台已弃用 TLS 版本 1.0。另外,对于 NIST 批准,必须至少使用 TLS 1.2。如需更多信息,请参阅 选择、配置和使用传输层安全(TLS)实施的指南。
您可以使用 cipherscan 来决定部署提供的 TLS 版本。Cipherscan 可以从 https://github.com/mozilla/cipherscan 克隆。这个示例输出显示从 horizon 接收的结果:
注意
从非生产环境系统运行 cipherscan,因为它可能会在第一次运行时安装其他依赖项。
$ ./cipherscan https://openstack.lab.local
..............................
Target: openstack.lab.local:443
prio ciphersuite protocols pfs curves
1 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-256,256bits prime256v1
2 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,P-256,256bits prime256v1
3 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH,1024bits None
4 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 DH,1024bits None
5 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,P-256,256bits prime256v1
6 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH,P-256,256bits prime256v1
7 ECDHE-RSA-AES128-SHA TLSv1.2 ECDH,P-256,256bits prime256v1
8 ECDHE-RSA-AES256-SHA TLSv1.2 ECDH,P-256,256bits prime256v1
9 DHE-RSA-AES128-SHA256 TLSv1.2 DH,1024bits None
10 DHE-RSA-AES128-SHA TLSv1.2 DH,1024bits None
11 DHE-RSA-AES256-SHA256 TLSv1.2 DH,1024bits None
12 DHE-RSA-AES256-SHA TLSv1.2 DH,1024bits None
13 ECDHE-RSA-DES-CBC3-SHA TLSv1.2 ECDH,P-256,256bits prime256v1
14 EDH-RSA-DES-CBC3-SHA TLSv1.2 DH,1024bits None
15 AES128-GCM-SHA256 TLSv1.2 None None
16 AES256-GCM-SHA384 TLSv1.2 None None
17 AES128-SHA256 TLSv1.2 None None
18 AES256-SHA256 TLSv1.2 None None
19 AES128-SHA TLSv1.2 None None
20 AES256-SHA TLSv1.2 None None
21 DES-CBC3-SHA TLSv1.2 None None
Certificate: trusted, 2048 bits, sha256WithRSAEncryption signature
TLS ticket lifetime hint: None
NPN protocols: None
OCSP stapling: not supported
Cipher ordering: server
Curves ordering: server - fallback: no
Server supports secure renegotiation
Server supported compression methods: NONE
TLS Tolerance: yes
Intolerance to:
SSL 3.254 : absent
TLS 1.0 : PRESENT
TLS 1.1 : PRESENT
TLS 1.2 : absent
TLS 1.3 : absent
TLS 1.4 : absent扫描服务器时,Cipherscan 公告对特定 TLS 版本的支持,这是将要协商的最高 TLS 版本。如果目标服务器正确遵循 TLS 协议,它将响应相互支持的最高版本,这可能低于 Cipherscan 最初发布的版本。如果服务器正在进行使用该特定版本与客户端建立连接,则它不被视为对那个协议版本的容错。如果没有建立连接(使用指定的版本或任何较低版本),则不支持该协议版本存在。例如:
Intolerance to:
SSL 3.254 : absent
TLS 1.0 : PRESENT
TLS 1.1 : PRESENT
TLS 1.2 : absent
TLS 1.3 : absent
TLS 1.4 : absent
在这个输出中,TLS 1.0 和 TLS 1.1 的容限报告为 PRESENT,这意味着无法建立连接,并且 Cipherscan 在广告对这些 TLS 版本的支持时无法连接。因此,最好认为那些在扫描的服务器上没有启用协议的版本(和任何较低)。
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}