主页 / user-735084

stipundos's questions

Martin Hope
stipundos
Asked: 2025-04-23 20:41:57 +0800 CST
  • 8

我有一台 RHEL 9 服务器,我们的漏洞扫描程序在服务器上发现了以下两个我们需要禁用的密码套件。

TLS 1.2 密码:

  • TLS_RSA_WITH_AES_256_CCM
  • TLS_RSA_WITH_AES_256_GCM_SHA384

我找不到在哪里找到它们或禁用它们。我对 Linux 不是很有经验。

据我所知,这不是一个 Web 服务器。我检查了以下位置:

  • /etc/crypto-policies/config文件仅列出FUTURE
  • 命令的输出update-crypto-policies --showFUTURE
  • /etc/crypto-policies/policies/除了 modules文件夹外什么也没有列出。
  • /etc/crypto-policies/state有一个名为的文件,CURRENT.pol其信​​息如下:
# Policy FUTURE dump
#
# Do not parse the contents of this file with automated tools,
# it is provided for review convenience only.
#
# Baseline values for all scopes:
cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CTR
group = X25519 SECP256R1 X448 SECP521R1 SECP384R1 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHAKE-256
key_exchange = ECDHE DHE DHE-RSA PSK DHE-PSK ECDHE-PSK ECDHE-GSS DHE-GSS
mac = AEAD HMAC-SHA2-256 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512
protocol =
sign = ECDSA-SHA3-256 ECDSA-SHA2-256 ECDSA-SHA2-256-FIDO ECDSA-SHA3-384 ECDSA-SHA2-384 ECDSA-SHA3-512 ECDSA-SHA2-512 EDDSA-ED25519 EDDSA-ED25519-FIDO EDDSA-ED448 RSA-PSS-SHA3-256 RSA-PSS-SHA2-256 RSA-PSS-SHA3-384 RSA-PSS-SHA2-384 RSA-PSS-SHA3-512 RSA-PSS-SHA2-512 RSA-PSS-RSAE-SHA3-256 RSA-PSS-RSAE-SHA2-256 RSA-PSS-RSAE-SHA3-384 RSA-PSS-RSAE-SHA2-384 RSA-PSS-RSAE-SHA3-512 RSA-PSS-RSAE-SHA2-512 RSA-SHA3-256 RSA-SHA2-256 RSA-SHA3-384 RSA-SHA2-384 RSA-SHA3-512 RSA-SHA2-512
arbitrary_dh_groups = 1
min_dh_size = 3072
min_dsa_size = 3072
min_rsa_size = 3072
sha1_in_certs = 0
ssh_certs = 1
min_ec_size = 256
etm = ANY
__ems = DEFAULT
# Scope-specific properties derived for select backends:
cipher@gnutls = AES-256-GCM AES-256-CCM CHACHA20-POLY1305
protocol@gnutls = TLS1.3 TLS1.2 DTLS1.2
cipher@java-tls = AES-256-GCM AES-256-CCM CHACHA20-POLY1305
protocol@java-tls = TLS1.3 TLS1.2 DTLS1.2
cipher@krb5 = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CTR AES-256-CBC
mac@krb5 = HMAC-SHA2-384 HMAC-SHA2-256 AEAD UMAC-128 HMAC-SHA2-512
protocol@libreswan = IKEv2
cipher@nss = AES-256-GCM AES-256-CCM CHACHA20-POLY1305
protocol@nss = TLS1.3 TLS1.2 DTLS1.2
cipher@openssl = AES-256-GCM AES-256-CCM CHACHA20-POLY1305
protocol@openssl = TLS1.3 TLS1.2 DTLS1.2

这是我看到的唯一一个列出密码和其他信息的文件。我尝试注释掉AES-256-GCMAES-256-CCM添加该cipher语句,然后重启服务器。但漏洞扫描器仍然能够识别这两个密码套件。我cipher@openssl也尝试了同样的语句。

感谢您对禁用这些密码的任何帮助。

rhel