TLS vulnerability reported by a security scan even though the specified TLS version is disabled
Applies to
- ONTAP 9.9.0 and later
- Transport Layer Security (TLS)
- Qualys ID 38794
Issue
- A security scan reports a vulnerability against one of the cluster's IP addresses, indicating that an older TLS version is enabled:
vulnerability(ies): Secure Sockets Layer/Transport Layer Security (SSL/TLS) Server Supports Transport Layer Security (TLSv1.1)
- However, that TLS version is not enabled anywhere in the cluster's security configuration:
Cluster::> set advanced
Cluster::*> security config show -fields supported-protocols
interface supported-protocols
--------- -------------------
SSL       TLSv1.2, TLSv1.3
- nmap output from a Linux host against the affected IP lists ciphers for the older TLS version:
Linux@Host# nmap -sV --script ssl-enum-ciphers.nse -p 443 10.XX.XX.XXX
Starting Nmap 5.51 ( http://nmap.org ) at 2023-05-17 09:12 PDT
Nmap scan report for user.group.com (10.XX.XX.XXX)
Host is up (0.0011s latency).
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Apache httpd
| ssl-enum-ciphers:
|   TLSv1.1
|     Ciphers (4)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA
|     Compressors (1)
|       uncompressed
|   TLSv1.2
|     Ciphers (12)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|       .......
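Before escalating a finding like the one above, it is worth reconciling the scanner's protocol list with the cluster's configured list mechanically, and then confirming the negotiation directly rather than trusting either tool. The script below is an added example written for this article, not NetApp or Qualys code: it parses the protocol headings out of nmap's ssl-enum-ciphers output, diffs them against the supported-protocols value from security config show, and offers an independent probe that attempts a handshake pinned to a single TLS version with Python's ssl module. The nmap and ONTAP sample text is constructed to match the output pattern shown above; the host and port used by the probe are placeholders you supply.

```python
"""Reconcile a TLS-version scan finding with the cluster's configured protocols.

Added example (not from the NetApp KB or from Qualys/nmap).  Works on the two
pieces of evidence the article shows: nmap ssl-enum-ciphers output and the
`security config show -fields supported-protocols` row for the SSL interface.
"""
import re
import socket
import ssl

# Constructed sample modelled on the nmap output in the article (indentation and
# the trailing colons follow current nmap formatting; older output omits them).
SAMPLE_NMAP = """\
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Apache httpd
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|_  least strength: A
"""

# Constructed sample: the SSL row of `security config show -fields supported-protocols`.
SAMPLE_ONTAP = "SSL       TLSv1.2, TLSv1.3"

# A protocol heading is a line of the form "|   TLSv1.1" or "|   TLSv1.1:".
# "|_" continuation lines and cipher/compressor lines do not match.
PROTO_RE = re.compile(r"^\|\s+(SSLv3|TLSv1\.[0-3]):?\s*$")


def protocols_from_nmap(output: str) -> list[str]:
    """Return the protocol versions nmap's ssl-enum-ciphers script lists, in order."""
    return [m.group(1) for line in output.splitlines() if (m := PROTO_RE.match(line))]


def protocols_from_ontap(row: str) -> list[str]:
    """Parse the comma-separated protocol list from the SSL interface row."""
    m = re.match(r"^SSL\s+(.+)$", row.strip())
    if not m:
        raise ValueError(f"not a supported-protocols row for the SSL interface: {row!r}")
    return [p.strip() for p in m.group(1).split(",") if p.strip()]


def unexpected_protocols(nmap_output: str, ontap_row: str) -> list[str]:
    """Protocols the scanner saw that the cluster configuration does not allow.

    A non-empty result means the scanned IP is answering with a protocol the
    cluster's `security config` does not list, so the two views disagree.
    """
    return sorted(set(protocols_from_nmap(nmap_output)) - set(protocols_from_ontap(ontap_row)))


def negotiates(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> bool:
    """Independent check: does host:port complete a handshake pinned to exactly `version`?

    Certificate verification is disabled on purpose; the question is protocol
    support, not trust.  Legacy versions need a relaxed OpenSSL security level.
    Returns False if the library itself refuses that version (ValueError) or the
    peer rejects or drops the handshake.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return False
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    print("scanner saw:   ", protocols_from_nmap(SAMPLE_NMAP))
    print("cluster allows:", protocols_from_ontap(SAMPLE_ONTAP))
    print("unexplained:   ", unexpected_protocols(SAMPLE_NMAP, SAMPLE_ONTAP))
    # Placeholder target; replace with the IP from the scan finding.
    for v in (ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        print(v.name, "negotiated:", negotiates("10.0.0.1", 443, v))
```

Run the probe from the same network segment the scanner used, against the exact IP in the finding; if a pinned TLSv1_1 handshake succeeds while security config show lists only TLSv1.2 and TLSv1.3, the listener answering on that address is not the one governed by the cluster setting, and the next step is to identify which service owns the port.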