Security scan reports a TLS vulnerability even though the specified TLS version is disabled
Applies to
- ONTAP 9
- Transport Layer Security (TLS)
- Used in conjunction with Query ID 38
Issue
- A security scan reports a vulnerability on one of the cluster's IP addresses, stating that a legacy TLS version is enabled:
vulnerability(ies): Secure Sockets Layer/Transport Layer Security (SSL/TLS) Server Supports Transport Layer Security (TLSv1.1)
- However, that TLS version does not appear in the cluster's security configuration:
Cluster::> set advanced
Cluster::*> security config show -fields supported-protocols
interface supported-protocols
--------- -------------------
SSL       TLSv1.2, TLSv1.3
- nmap run from a Linux host against the affected IP lists ciphers for the legacy TLS version:
Linux@Host# nmap -sV --script ssl-enum-ciphers.nse -p 443 10.XX.XX.XXX
Starting Nmap 5.51 ( http://nmap.org ) at 2023-05-17 09:12 PDT
Nmap scan report for user.group.com (10.XX.XX.XXX)
Host is up (0.0011s latency).
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Apache httpd
| ssl-enum-ciphers:
|   TLSv1.1
|     Ciphers (4)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA
|     Compressors (1)
|       uncompressed
|   TLSv1.2
|     Ciphers (12)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|       .......
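When the scanner and `security config show` disagree, the useful evidence is what the endpoint actually negotiates, not what either tool summarises. The script below is an added example, not part of this KB article or of NetApp's tooling: it reduces `nmap --script ssl-enum-ciphers` output (the older format shown above and the newer "TLSv1.2:" / "ciphers:" format) to the list of protocol versions the IP offered, flags anything below TLSv1.2, and lists CBC cipher suites, which is what the scanner finding is usually built on. The embedded sample is constructed from the output above; the host, port and the TLSv1.2 cipher list are placeholders.

```python
"""Summarise nmap ssl-enum-ciphers output: offered protocols, legacy protocols, CBC suites.

Usage (added example, not from the KB article):
    nmap -sV --script ssl-enum-ciphers -p 443 <ip> | python3 tls_summary.py
Without stdin input it runs against the constructed sample below.
"""
import re
import sys
from typing import Dict, List

# Constructed sample modelled on the nmap output in the article (not a real capture;
# the TLSv1.2 list is abbreviated to two assumed suites).
SAMPLE_NMAP_OUTPUT = """\
443/tcp open  ssl/http Apache httpd
| ssl-enum-ciphers:
|   TLSv1.1
|     Ciphers (4)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA
|     Compressors (1)
|       uncompressed
|   TLSv1.2
|     Ciphers (2)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
"""

# Anything below TLSv1.2 is what scanners report as a legacy-protocol finding.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# Protocol header, e.g. "TLSv1.1" (old nmap) or "TLSv1.2:" (newer nmap).
PROTO_RE = re.compile(r"^(SSLv[23]|TLSv1\.[0-3]):?$")
# Cipher suite line; newer nmap appends key-exchange info and a grade after a space.
CIPHER_RE = re.compile(r"^(TLS_[A-Z0-9_]+)")


def parse_ssl_enum_ciphers(text: str) -> Dict[str, List[str]]:
    """Return {protocol: [cipher_suite, ...]} from ssl-enum-ciphers script output."""
    result: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        # Strip the NSE "| " / "|_ " prefix and the indentation that carries nesting.
        line = raw.lstrip("|_ ").strip()
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            result[current].append(m.group(1))
    return result


def legacy_protocols(parsed: Dict[str, List[str]]) -> List[str]:
    """Protocol versions offered by the endpoint that are below TLSv1.2."""
    return sorted(p for p in parsed if p in LEGACY_PROTOCOLS)


def cbc_ciphers(parsed: Dict[str, List[str]]) -> List[str]:
    """Distinct CBC-mode suites offered on any protocol version."""
    return sorted({c for suites in parsed.values() for c in suites if "_CBC_" in c})


def summarise(text: str) -> Dict[str, List[str]]:
    parsed = parse_ssl_enum_ciphers(text)
    return {
        "protocols": sorted(parsed),
        "legacy_protocols": legacy_protocols(parsed),
        "cbc_ciphers": cbc_ciphers(parsed),
    }


if __name__ == "__main__":
    data = SAMPLE_NMAP_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for key, values in summarise(data).items():
        print(f"{key}: {', '.join(values) if values else '(none)'}")
```

If `legacy_protocols` comes back non-empty for the IP while `security config show` lists only TLSv1.2 and TLSv1.3, the scanner is reporting what it actually negotiated, and the next step is to establish which listener on that IP answered, rather than to dispute the finding.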