SSL, Windows and browser compatibility report (566KB PDF, updated 2023-05-21)
This report offers general recommendations on how to configure SSL/TLS to provide state-of-the-art authentication and encryption. The options offered by SSL engines have grown since the early days, when Netscape developed SSL 2.0. The introduction of TLS made matters more challenging, because servers and clients offer different sets of available options depending on which SSL engine (OpenSSL, NSS, SChannel, etc.) they use. Finding the middle ground has proven difficult, especially because the supported protocols and cipher suites are mostly undocumented.
TLS/SSL Hardening and Compatibility Report 2011
Author: Thierry ZOLLER
contact@g-sec.lu
http://www.g-sec.lu
G-SEC™ is a non-commercial and independent group of Information Security Specialists based in Luxembourg.
Update to the 2010 Report
TLS/SSL Hardening & Compatibility Report 2011, page 2
Table of Contents
Introduction (p. 5)
Revisions (p. 6)
Introduction to SSL/TLS (p. 7)
  SSL/TLS Protocol versions (p. 7)
    SSLv2 (p. 7)
    Differences between SSLv3 and SSLv2 (p. 8)
    Differences between TLS v1 and SSLv3 (p. 8)
    Differences between TLS v1.1 and TLS v1 (p. 8)
    Differences between TLSv1.2 and TLSv1.1 (p. 8)
  Protocol Key exchange (p. 9)
    RSA (p. 9)
    DH (p. 9)
    DHE (p. 9)
    ADH (p. 9)
    ECDHE (p. 9)
  Authentication (p. 10)
    No authentication (p. 10)
    RSA (p. 10)
    DSS (p. 10)
    ECDSA (p. 10)
    KRB5 (p. 10)
    PSK (p. 10)
  Encryption (p. 11)
    NULL (p. 11)
    AES (p. 11)
    CAMELLIA (p. 11)
    RC4 / RC2 (p. 11)
    IDEA (p. 11)
    3DES (p. 11)
    DES (p. 11)
  Minimum industry Encryption and Key length recommendations (p. 12)
    Recommended Asymmetric key length (p. 12)
    Recommended Symmetric key length (p. 12)
    Recommended Hashing algorithm and size (p. 12)
Client-side and Server-side Compatibility Overview (p. 13)
  Client-side: TLS / SSL Compatibility overview (p. 14)
    Default Protocol support (p. 14)
    Default Key exchange support (p. 14)
    RSA support (p. 15)
    Default ECC support (p. 16)
  Server-Side: TLS / SSL Compatibility overview (p. 17)
    Default protocol support (p. 17)
    Default key exchange support (p. 17)
    Default RSA size support (p. 18)
Recommended Server-Side SSL configuration - Putting it all together (p. 19)
  IIS7.5 (p. 19)
  IIS7 (p. 20)
  IIS6 (p. 20)
  Apache httpd / Tomcat (OpenSSL 1.0) (p. 21)
Server configurations – undocumented behaviour (p. 22)
  General Note (p. 22)
  IIS 7.5 / Windows 7 / Windows 2008R2 (p. 22)
  IIS 6 / Windows 2003 (p. 23)
  Apache httpd / Tomcat (OpenSSL) (p. 23)
General Recommendations (p. 24)
  Minimum SSL configuration (p. 24)
  Recommended SSL configuration (p. 24)
Sources (p. 24)
Thanks (p. 25)
Disclaimer (p. 25)
Copyright (p. 25)
Appendix (p. 26)
  Example code - Listing ciphers (Windows7 & Windows 2008R2) (p. 26)
  Example Code - Setting preferred cipher (Windows7 & Windows 2008R2) (p. 27)
  Code - Remove ciphers (p. 27)
  Default Windows SCHANNEL cipher support (p. 28)
    Windows 7 and Windows Server 2008R2 (p. 28)
    Windows Vista AND Windows Server 2008 R1 (p. 29)
    Windows XP, 2000, 2003 (p. 29)
  Default Browser support (p. 30)
    IE6, 7, 8 – Windows XP, 2003, 2000 (p. 30)
    IE7, IE 8 – Windows Vista (p. 30)
    Firefox, Google Chrome (NSS) - All Operating Systems (p. 30)
    Opera (p. 31)
  TLS/SSL Interop Test services (p. 31)
Introduction
This report gives general recommendations as to how to configure SSL/TLS in order to provide state-of-the-art authentication and encryption. The options offered by SSL engines have grown since the early days, when Netscape developed SSL 2.0. The introduction of TLS made matters more challenging, as servers and clients offer different sets of available options depending on which SSL engine (OpenSSL, NSS, SCHANNEL, etc.) they use. Finding the middle ground has proven difficult, especially as the supported protocols and cipher suites are mostly not documented.

To make matters more complicated, browsers may not use all functionality offered by the SSL stack; this report will only list functionality used by current browsers.

This report provides an overview of the currently available TLS options across servers and clients, and allows you to offer support for a wide variety of browsers while still offering "good enough" security.
The 2011 version was updated as follows:
- Google Chrome moved away from Microsoft SCHANNEL and now uses Network Security Services (NSS), offering high-end cryptography on legacy Windows systems (XP, 2000).
- Added Opera cipher and protocol support.
- Style errors corrected.

During the creation of this document two tools have been developed:
- SSL Harden (beta) – Allows users of Windows 2000, XP, Vista, 7 and particularly administrators of Windows Server 2003 & 2008R2 to harden SSL/TLS support. Administrators can manually edit and back up the SSL configuration and set PCI-DSS compliant SSL rules with a click of a button. (Link)
- SSL Audit (alpha) – A remote SSL audit tool able to scan for SSL/TLS support against remote servers. SSL Audit uses its own small parsing engine and does not rely on OpenSSL or other SSL engines, allowing it to detect ciphers not supported by OpenSSL. (Link)
Please note that this summary does not take into account the arrival of quantum computing. Large quantum computers able to crack large RSA keys are foreseen for 2014 by the ARDA and 2018 by Prof Lloyd [1]. Shor's algorithm could then be used to break the RSA key sizes very fast. We recommend pushing for ECC-based certificates as soon as possible.

The information is believed to be correct at the time of writing; due to the nature of undocumented features there might be slight errors in this version, if you believe the

[1] http://synaptic-labs.com/ecosystem/context-qc-relevant-today.html