没有合适的资源?快使用搜索试试~ 我知道了~
SSL 和windows及浏览器等兼容性报告
需积分: 37 6 下载量 160 浏览量
2018-11-29
14:41:07
上传
评论
收藏 566KB PDF 举报
温馨提示
试读
31页
本报告就如何配置SSL/TLS以提供最先进的身份验证和加密技术提出了一般性建议。ssl引擎提供的选项是从 自从Netscape开发SSL2.0以来的早期。TLS的引入使问题变得更具有挑战性,因为服务器和客户端根据各个ssl引擎提供不同的可用选项。 (OpenSSL、NSS、SChannel等)他们用。事实证明,找到中间地带是很困难的,特别是因为支持的协议和密码套件大多没有文档化。
资源推荐
资源详情
资源评论
TLS/SSL hardening and
compatibility Report 2011
Author: Thierry ZOLLER
contact@g-sec.lu
http://www.g-sec.lu
G
-
SEC™ is a non
-
commercial and independent group of
Information Security Specialists based in Luxembourg.
Update to the 2010
Report
TLS/SSL Harden
ing & Compatibility Report
2011
2
Table of Contents
Introduction ................................................................................................................................ 5
Revisions ..................................................................................................................................... 6
Introduction to SSL/TLS ............................................................................................................... 7
SSL/TLS Protocol versions ..................................................................................................................... 7
SSLv2 .............................................................................................................................................................. 7
Differences between SSLv3 and SSLv2............................................................................................................. 8
Differences between TLS v1and SSLv3 ............................................................................................................ 8
Differences between TLS v1.1 and TLS v1 ....................................................................................................... 8
Differences between TLSv1.2 and TLSv1.1 ...................................................................................................... 8
Protocol Key exchange ......................................................................................................................... 9
RSA ................................................................................................................................................................ 9
DH .................................................................................................................................................................. 9
DHE ................................................................................................................................................................ 9
ADH ............................................................................................................................................................... 9
ECDHE ............................................................................................................................................................ 9
Authentication ................................................................................................................................... 10
No authentication ........................................................................................................................................ 10
RSA .............................................................................................................................................................. 10
DSS............................................................................................................................................................... 10
ECDSA .......................................................................................................................................................... 10
KRB5 ............................................................................................................................................................ 10
PSK ............................................................................................................................................................... 10
Encryption ......................................................................................................................................... 11
NULL ............................................................................................................................................................ 11
AES............................................................................................................................................................... 11
CAMELLIA ..................................................................................................................................................... 11
RC4 / RC2 ..................................................................................................................................................... 11
IDEA ............................................................................................................................................................. 11
3DES............................................................................................................................................................. 11
DES .............................................................................................................................................................. 11
Minimum industry Encryption and Key length recommendations ....................................................... 12
Recommended Asymmetric key length ......................................................................................................... 12
Recommended Symmetric key length ........................................................................................................... 12
Recommended Hashing algorithm and size ................................................................................................... 12
Client-side and Server-side Compatibility Overview ................................................................... 13
Client-side: TLS / SSL Compatibility overview ...................................................................................... 14
Default Protocol support .............................................................................................................................. 14
Default Key exchange support ...................................................................................................................... 14
RSA support ................................................................................................................................................. 15
TLS/SSL Harden
ing & Compatibility Report
2011
3
Default ECC support ..................................................................................................................................... 16
Server-Side: TLS / SSL Compatibility overview .................................................................................... 17
Default protocol support .............................................................................................................................. 17
Default key exchange support....................................................................................................................... 17
Default RSA size support ............................................................................................................................... 18
Recommend Server-Side SSL configuration - Putting it all together - ......................................... 19
IIS7.5 .................................................................................................................................................. 19
IIS7..................................................................................................................................................... 20
IIS6 ................................................................................................................................................... 20
Apache https / Tomcat (OpenSSL 1.0) ................................................................................................ 21
Server configurations – undocumented behaviour .................................................................... 22
General Note ..................................................................................................................................... 22
IIS 7.5 / Windows 7 / Windows 2008R2 .............................................................................................. 22
IIS 6 / Windows 2003 ......................................................................................................................... 23
Apache httpd / Tomcat (OpenSSL) ..................................................................................................... 23
General Recommendations ....................................................................................................... 24
Minimum SSL configuration ............................................................................................................... 24
Recommended SSL configuration ....................................................................................................... 24
Sources ...................................................................................................................................... 24
Thanks ....................................................................................................................................... 25
Disclaimer.................................................................................................................................. 25
Copyright ................................................................................................................................... 25
Appendix ................................................................................................................................... 26
Example code - Listing ciphers (Windows7 & Windows 2008R2) ........................................................ 26
Example Code - Setting preferred cipher (Windows7 & Windows 2008R2) ......................................... 27
Code - Remove ciphers ...................................................................................................................... 27
Default Windows SCHANNEL cipher support ...................................................................................... 28
Windows 7 and Windows Server 2008R2 ...................................................................................................... 28
Windows Vista AND Windows Server 2008 R1 .............................................................................................. 29
Windows XP,2000,2003 ................................................................................................................................ 29
Default Browser support .................................................................................................................... 30
IE6, 7, 8 – Windows XP, 2003, 2000 .............................................................................................................. 30
IE7, IE 8 – Windows Vista .............................................................................................................................. 30
TLS/SSL Harden
ing & Compatibility Report
2011
4
Firefox, Google Chrome (NSS) - All Operation Systems ................................................................................. 30
Opera ........................................................................................................................................................... 31
TLS/SSL Interop Test services ............................................................................................................. 31
TLS/SSL Harden
ing & Compatibility Report
2011
5
Introduction
This report gives general recommendations as to how to configure SSL/TLS in order to provide
state of the art authentication and encryption. The options offered by SSL engines grew from
the early days since Netscape developed SSL2.0. The introduction of TLS made matters more
challenging as servers and clients offer different sets of available options depending on which
SSL engine (OpenSSL, NSS, SCHANNEL etc...) they use. Finding the middle ground has proven
difficult especially as the supported protocols and cipher suites are mostly not documented.
To make matters more complicated Browsers may not use all functionality offered by the SSL
stack, this report will only list functionality used by current Browsers.
This report provides an overview of the currently available TLS options across Servers and
Clients and allows you to offer support for a wide variety of Browsers an offer “good enough”
security.
The 2011 version was updated as follows:
Google Chrome moved away from Microsoft SCHANNEL and now uses Network Security
Services (NSS) offering high end cryptography on legacy windows systems (XP,2000).
Added Opera Cipher and Protocol Support
Style Errors
During the creation of this Document two Tools have been developed:
SSL Harden (beta) – Allows users of Windows 2000, XP, Vista, 7 and particularly
administrators of Windows Server 2003 & 2008R2 to harden SSL/TLS support.
Administrators can manually edit and backup the SSL configuration and set PCI-DSS
compliant SSL rules with a click of a button. Link
SSL Audit (alpha) - A remote SSL audit tool able scan for SSL/TLS support against remote
servers. SSL Audit uses its own small parsing engine and does not rely on OpenSSL or
other SSL engines allowing it to detect ciphers not supported by OpenSSL. Link
Please note that this summary does not take into account the arrival of quantum computing.
Large quantum computers able to crack large RSA keys are foreseen for 2014 by the ARDA and
2018 by Prof Lloyd
1
. Shor’s algorithm could then be used to break the RSA key sizes very fast.
We recommend to push for ECC based certificates as soon as possible.
The information is believed to be correct at the time of writing, due to the nature of
undocumented features there might be slight errors in this version if you believe the
1
http://synaptic-labs.com/ecosystem/context-qc-relevant-today.html
剩余30页未读,继续阅读
资源评论
myf526cn
- 粉丝: 0
- 资源: 11
上传资源 快速赚钱
- 我的内容管理 展开
- 我的资源 快来上传第一个资源
- 我的收益 登录查看自己的收益
- 我的积分 登录查看自己的积分
- 我的C币 登录后查看C币余额
- 我的收藏
- 我的下载
- 下载帮助
安全验证
文档复制为VIP权益,开通VIP直接复制
信息提交成功