iT邦幫忙


Internal and external SSL cipher scans of a website give different results

The customer has a Windows Server 2012 R2 Standard host
Our company can only maintain it over Remote Desktop

A while ago, for security reasons, some adjustments were made to the https settings

Scanning on the machine itself with TestSSLServer4, the result does meet the customer's requirements

  TLSv1.0:
     server selection: uses client preferences
     3-- (key:  RSA)  RSA_WITH_AES_128_CBC_SHA
     3-- (key:  RSA)  RSA_WITH_AES_256_CBC_SHA
     3f- (key:  RSA)  ECDHE_RSA_WITH_AES_128_CBC_SHA
     3f- (key:  RSA)  ECDHE_RSA_WITH_AES_256_CBC_SHA
(middle section omitted)
=========================================
Server compression support: no
Server time:
Secure renegotiation support: yes
Encrypt-then-MAC support (RFC 7366): no
SSLv2 ClientHello format (for SSLv3+): yes
Minimum EC size (no extension):   521
Minimum EC size (with extension): 256
ECDH parameter reuse: yes
Supported curves (size and name) ('*' = selected by server):
    256  secp256r1 (P-256)
    384  secp384r1 (P-384)
  * 521  secp521r1 (P-521)
=========================================
WARN[CS006]: Server supports cipher suites with no forward secrecy.

But when the site is scanned via its external IP, the result changes

  TLSv1.0:
     server selection: complex
     3-- (key:  RSA)  RSA_WITH_3DES_EDE_CBC_SHA        (extra, not in the internal scan)
     3-- (key:  RSA)  RSA_WITH_AES_128_CBC_SHA
     3-- (key:  RSA)  RSA_WITH_AES_256_CBC_SHA
     3f- (key:  RSA)  ECDHE_RSA_WITH_3DES_EDE_CBC_SHA  (extra, not in the internal scan)
     3f- (key:  RSA)  ECDHE_RSA_WITH_AES_128_CBC_SHA
     3f- (key:  RSA)  ECDHE_RSA_WITH_AES_256_CBC_SHA
(middle section omitted)
=========================================
Server compression support: no
Server time:
Secure renegotiation support: no    (changed to no)
Encrypt-then-MAC support (RFC 7366): no
SSLv2 ClientHello format (for SSLv3+): yes
Minimum EC size (no extension):   256
Minimum EC size (with extension): 224
ECDH parameter reuse:  no    (changed to no)
Supported curves (size and name) ('*' = selected by server):
    224  secp224r1 (P-224)    (extra, P-224 not in the internal scan)
  * 256  secp256r1 (P-256)
    384  secp384r1 (P-384)
    521  secp521r1 (P-521)
=========================================
WARN[CS006]: Server supports cipher suites with no forward secrecy.
WARN[RN001]: Server does not support secure renegotiation.    (extra, not in the internal scan)

The client IP in the IIS log is not fixed, so it shouldn't be a proxy
Currently I suspect the NAT policy has deep inspection enabled

Can anyone suggest other directions to look at?

1 answer

raytracy
iT邦大神 level 1 ‧ 2017-10-16 23:40:12

Compare whether the certificates returned by the two scans are the same one.
(Just check whether the certificate fingerprints read out by the two scans are identical.)

If they are not the same, it means your firewall has swapped the certificate; look for the setting on the device that causes this (usually it happens when antivirus / intrusion inspection is applied to https).
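A small script to make the comparison raytracy suggests concrete, and to capture the negotiated protocol and cipher at the same time, since the scans above already show those differing. This is an added example, not code from the original thread or from TestSSLServer; the host names, port and the verdict strings are assumptions. Certificate verification is deliberately disabled so that an interception device's own certificate is captured rather than rejected. Run it once on the server over RDP (against its LAN address or 127.0.0.1) and once from an Internet host against the public IP, then hand the two JSON objects to `diagnose()`.

```python
"""Compare what a TLS endpoint presents from two vantage points (added example)."""
import hashlib
import json
import socket
import ssl
import sys


def fingerprint_sha256(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated and
    upper-case, the same form `openssl x509 -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def observe_tls(host: str, port: int = 443, server_name: str = None,
                timeout: float = 5.0) -> dict:
    """Open one TLS session and record what the far end actually presents.

    Verification is switched off on purpose: we want the leaf certificate as
    presented, even if it was minted by an inspection box and would never
    validate against this client's trust store.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            der = tls.getpeercert(binary_form=True)
            cipher_name, _proto, bits = tls.cipher()
            return {
                "fingerprint": fingerprint_sha256(der),
                "protocol": tls.version(),
                "cipher": cipher_name,
                "cipher_bits": bits,
            }


def compare_views(inside: dict, outside: dict) -> list:
    """Names of the fields on which the two observations disagree, sorted."""
    keys = set(inside) | set(outside)
    return sorted(k for k in keys if inside.get(k) != outside.get(k))


def diagnose(inside: dict, outside: dict) -> str:
    """Turn the diff into the conclusion the answer above is driving at.
    The verdict texts are this example's own wording (assumption)."""
    diffs = compare_views(inside, outside)
    if "fingerprint" in diffs:
        return ("different certificate: something between the external scanner "
                "and the server terminates TLS and presents its own certificate "
                "(TLS inspection / proxying)")
    if diffs:
        return ("same certificate, different handshake (%s): a device holding "
                "the same certificate and private key, or a different listener, "
                "is answering externally" % ", ".join(diffs))
    return "same certificate and handshake: the path looks transparent"


if __name__ == "__main__":
    # Usage: python tls_view.py <host> [port] [sni]
    # Run once from the server / LAN and once from the Internet, then pass the
    # two printed JSON objects to diagnose().
    if len(sys.argv) < 2:
        sys.exit("usage: tls_view.py <host> [port] [sni]")
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    sni = sys.argv[3] if len(sys.argv) > 3 else None
    print(json.dumps(observe_tls(target, target_port, sni), indent=2))
```

A matching fingerprint with a different cipher list still tells you something: the device answering externally must hold the server's private key to finish the handshake with that certificate, so look for a TLS-offloading load balancer or an extra listener rather than an inspection proxy.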
