How can we protect the AEM HTTPS port against the latest SSL/TLS security vulnerabilities, for example LOGJAM or SWEET32?

Environment

AEM 6.x

Steps

To protect the HTTPS port of an AEM instance against various SSL vulnerabilities, follow the procedure below.

  1. Log in to your AEM server and add the JVM parameter below to the java command:

    -Djdk.tls.ephemeralDHKeySize=2048

    If you use the crx-quickstart/bin/start script as supplied, this step is done by adding the option above to the CQ_JVM_OPTS variable.

  2. Restart AEM after adding the JVM option.  You can confirm that the JVM option / system property was picked up on this screen: https://aem-host:port/system/console/jmx/java.lang%3Atype%3DRuntime.  Search the page and confirm that the jdk.tls.ephemeralDHKeySize property is now set to 2048.

  3. If you have configured HTTPS support, go to https://aem-host:port/crx/de/index.jsp and log in as administrator.

  4. Go to the path /apps/system/config/org.apache.felix.http.config.

  5. Edit the configuration file.  Replace the four configuration properties listed below in the file with the values provided in [1].  If a property does not exist in the configuration, copy it to the end of the configuration file.

    • org.apache.felix.https.jetty.ciphersuites.excluded
    • org.apache.felix.https.jetty.ciphersuites.included
    • org.apache.felix.https.jetty.protocols.excluded
    • org.apache.felix.https.jetty.protocols.included

    A sample configuration file is provided below [2].

  6. Click Save All.

  7. After applying the updated configuration, make sure it has taken effect.  Go to this URL https://aem-host:port/system/console/configMgr/org.apache.felix.http.config and check the configuration to see that the property values have been carried over.

  8. Use a tool such as testssl.sh to make sure the system is no longer vulnerable.
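As an added example (not part of this article or of AEM), the following Python script parses a file in the Felix/Sling .config format used by /apps/system/config/org.apache.felix.http.config and audits the four hardening properties from step 5, so the check in step 7 can be scripted before the instance is restarted. The sample configuration is constructed for the example; the audit assumes Jetty's behaviour of matching each excluded cipher suite entry as a regular expression and uses one representative 3DES (SWEET32) and one RC4 suite as probes.

```python
import re

# Constructed sample in the .config format of org.apache.felix.http.config (trimmed)
SAMPLE_CONFIG = r'''
# Configuration created by Apache Sling JCR Installer
org.apache.felix.https.enable=B"true"
org.osgi.service.http.port.secure=I"54333"
org.apache.felix.https.jetty.protocols.excluded=["SSLv3","SSL","SSLv2","SSLv2Hello","TLSv1.0","TLSv1.1"]
org.apache.felix.https.jetty.protocols.included=["TLSv1.2"]
org.apache.felix.https.jetty.ciphersuites.excluded=[\
"TLS_RSA_WITH_RC4_128_SHA",\
".*3DES_EDE_CBC.*"\
]
org.apache.felix.https.jetty.ciphersuites.included=[""]
'''
P = 'org.apache.felix.https.jetty.'

def parse_config(text):
    # Join "\"-continued lines, then type each value: I"n" int, B"x" bool,
    # "s" str, [ "a", "b" ] list of str.
    result = {}
    for line in re.sub(r'\\\n', '', text).splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        key, _, raw = line.partition('=')
        raw = raw.strip()
        if raw.startswith('['):
            result[key] = re.findall(r'"([^"]*)"', raw)
        elif raw.startswith('I"'):
            result[key] = int(raw[2:-1])
        elif raw.startswith('B"'):
            result[key] = raw[2:-1] == 'true'
        else:
            result[key] = raw.strip('"')
    return result

def audit(cfg):
    # Returns findings for the four hardening properties; [] means all good.
    excluded = set(cfg.get(P + 'protocols.excluded', []))
    findings = [f'{p} not excluded' for p in ('SSLv3', 'TLSv1.0', 'TLSv1.1')
                if p not in excluded]
    if cfg.get(P + 'protocols.included') != ['TLSv1.2']:
        findings.append('protocols.included is not exactly ["TLSv1.2"]')
    # Jetty matches excluded entries as regexes: a 3DES (SWEET32) and an RC4 suite
    # must each be covered by at least one entry (assumption stated in the lead-in).
    patterns = [re.compile(p) for p in cfg.get(P + 'ciphersuites.excluded', [])]
    for suite in ('TLS_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_RSA_WITH_RC4_128_SHA'):
        if not any(pat.fullmatch(suite) for pat in patterns):
            findings.append(f'{suite} not covered by ciphersuites.excluded')
    return findings
```

Run it against the real file exported from CRXDE (parse_config(open(path).read())) and treat a non-empty result as a failed step 7.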

Additional information

It is recommended to configure systems with optimal security for direct access to the AEM instance.

[1] Values for the four configuration properties

org.apache.felix.https.jetty.ciphersuites.excluded=[\
"SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",\
"SSL_DHE_DSS_WITH_AES_128_CBC_SHA",\
"SSL_DHE_DSS_WITH_AES_256_CBC_SHA",\
"SSL_DHE_DSS_WITH_DES_CBC_SHA",\
"SSL_DHE_DSS_WITH_RC4_128_SHA",\
"SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",\
"SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",\
"SSL_DHE_RSA_WITH_AES_128_CBC_SHA",\
"SSL_DHE_RSA_WITH_AES_256_CBC_SHA",\
"SSL_DHE_RSA_WITH_DES_CBC_SHA",\
"SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",\
"SSL_RSA_EXPORT_WITH_RC4_40_MD5",\
"SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",\
"SSL_RSA_FIPS_WITH_DES_EDE_CBC_SHA",\
"SSL_RSA_WITH_DES_CBC_SHA",\
"TLS_RSA_WITH_3DES_EDE_CBC_SHA",\
"TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",\
"TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",\
"TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",\
"TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",\
"TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",\
"TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",\
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",\
"PCT_SSL_CIPHER_TYPE_1ST_HALF",\
"SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",\
"SSL_DH_anon_WITH_RC4_128_MD5",\
"SSL_RSA_EXPORT_WITH_RC4_40_MD5",\
"SSL_RSA_WITH_RC4_128_MD5",\
"SSL_RSA_WITH_RC4_128_SHA",\
"SSL2_RC4_128_EXPORT40_WITH_MD5",\
"SSL2_RC4_128_WITH_MD5",\
"SSL2_RC4_64_WITH_MD5",\
"TLS_DH_Anon_EXPORT_WITH_RC4_40_MD5",\
"TLS_DH_Anon_WITH_RC4_128_MD5",\
"TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA",\
"TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA256",\
"TLS_DHE_DSS_WITH_RC4_128_SHA",\
"TLS_DHE_DSS_WITH_RC4_128_SHA256",\
"TLS_DHE_PSK_WITH_RC4_128_SHA",\
"TLS_DHE_PSK_WITH_RC4_128_SHA256",\
"TLS_ECDH_Anon_WITH_RC4_128_SHA",\
"TLS_ECDH_Anon_WITH_RC4_128_SHA256",\
"TLS_ECDH_ECDSA_WITH_RC4_128_SHA",\
"TLS_ECDH_ECDSA_WITH_RC4_128_SHA256",\
"TLS_ECDH_RSA_WITH_RC4_128_SHA",\
"TLS_ECDH_RSA_WITH_RC4_128_SHA256",\
"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",\
"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA256",\
"TLS_ECDHE_PSK_WITH_RC4_128_SHA",\
"TLS_ECDHE_PSK_WITH_RC4_128_SHA256",\
"TLS_ECDHE_RSA_WITH_RC4_128_SHA",\
"TLS_ECDHE_RSA_WITH_RC4_128_SHA256",\
"TLS_KRB5_EXPORT_WITH_RC4_40_MD5",\
"TLS_KRB5_EXPORT_WITH_RC4_40_SHA",\
"TLS_KRB5_EXPORT_WITH_RC4_40_SHA256",\
"TLS_KRB5_WITH_RC4_128_MD5",\
"TLS_KRB5_WITH_RC4_128_SHA",\
"TLS_KRB5_WITH_RC4_128_SHA256",\
"TLS_PSK_WITH_RC4_128_SHA",\
"TLS_PSK_WITH_RC4_128_SHA256",\
"TLS_RSA_EXPORT_WITH_RC4_40_MD5",\
"TLS_RSA_EXPORT1024_WITH_RC4_56_MD5",\
"TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",\
"TLS_RSA_EXPORT1024_WITH_RC4_56_SHA256",\
"TLS_RSA_PSK_WITH_RC4_128_SHA",\
"TLS_RSA_PSK_WITH_RC4_128_SHA256",\
"TLS_RSA_WITH_RC4_128_MD5",\
"TLS_RSA_WITH_RC4_128_SHA",\
"TLS_RSA_WITH_RC4_128_SHA256",\
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",\
"TLS_RSA_WITH_3DES_EDE_CBC_SHA",\
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",\
"TLS_RSA_WITH_3DES_EDE_CBC_SHA",\
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",\
"TLS_RSA_WITH_3DES_EDE_CBC_SHA",\
".*3DES_EDE_CBC.*"\
]
org.apache.felix.https.jetty.ciphersuites.included=[ \
  "", \
  ]
org.apache.felix.https.jetty.protocols.excluded=[ \
  "SSLv3", \
  "SSL", \
  "SSLv2", \
  "SSLv2Hello", \
  "TLSv1.0", \
  "TLSv1.1", \
  ]
org.apache.felix.https.jetty.protocols.included=[ \
  "TLSv1.2" \
  ]

[2] Example of /apps/system/config/org.apache.felix.http.config

# Configuration created by Apache Sling JCR Installer
org.apache.felix.http.timeout=I"60000"
org.apache.felix.http.jetty.acceptors=I"-1"
org.apache.felix.https.clientcertificate="none"
org.apache.felix.https.jetty.protocols.excluded=["SSLv3","SSL","SSLv2","SSLv2Hello","TLSv1.0","TLSv1.1"]
org.apache.felix.http.jetty.threadpool.max=I"-1"
org.osgi.service.http.port=I"4504"
org.eclipse.jetty.servlet.CheckingRemoteSessionIdEncoding=B"true"
org.apache.felix.http.enable=B"true"
org.apache.felix.https.jetty.protocols.included=["TLSv1.2"]
org.apache.felix.https.keystore="/opt/aem/author62/crx-quickstart/ssl/keystorename.keystore"
org.apache.felix.https.jetty.ciphersuites.excluded=[\
"SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",\
"SSL_DHE_DSS_WITH_AES_128_CBC_SHA",\
"SSL_DHE_DSS_WITH_AES_256_CBC_SHA",\
"SSL_DHE_DSS_WITH_DES_CBC_SHA",\
"SSL_DHE_DSS_WITH_RC4_128_SHA",\
"SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",\
"SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",\
"SSL_DHE_RSA_WITH_AES_128_CBC_SHA",\
"SSL_DHE_RSA_WITH_AES_256_CBC_SHA",\
"SSL_DHE_RSA_WITH_DES_CBC_SHA",\
"SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",\
"SSL_RSA_EXPORT_WITH_RC4_40_MD5",\
"SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",\
"SSL_RSA_FIPS_WITH_DES_EDE_CBC_SHA",\
"SSL_RSA_WITH_DES_CBC_SHA",\
"TLS_RSA_WITH_3DES_EDE_CBC_SHA",\
"TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",\
"TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",\
"TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",\
"TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",\
"TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",\
"TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",\
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",\
"PCT_SSL_CIPHER_TYPE_1ST_HALF",\
"SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",\
"SSL_DH_anon_WITH_RC4_128_MD5",\
"SSL_RSA_EXPORT_WITH_RC4_40_MD5",\
"SSL_RSA_WITH_RC4_128_MD5",\
"SSL_RSA_WITH_RC4_128_SHA",\
"SSL2_RC4_128_EXPORT40_WITH_MD5",\
"SSL2_RC4_128_WITH_MD5",\
"SSL2_RC4_64_WITH_MD5",\
"TLS_DH_Anon_EXPORT_WITH_RC4_40_MD5",\
"TLS_DH_Anon_WITH_RC4_128_MD5",\
"TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA",\
"TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA256",\
"TLS_DHE_DSS_WITH_RC4_128_SHA",\
"TLS_DHE_DSS_WITH_RC4_128_SHA256",\
"TLS_DHE_PSK_WITH_RC4_128_SHA",\
"TLS_DHE_PSK_WITH_RC4_128_SHA256",\
"TLS_ECDH_Anon_WITH_RC4_128_SHA",\
"TLS_ECDH_Anon_WITH_RC4_128_SHA256",\
"TLS_ECDH_ECDSA_WITH_RC4_128_SHA",\
"TLS_ECDH_ECDSA_WITH_RC4_128_SHA256",\
"TLS_ECDH_RSA_WITH_RC4_128_SHA",\
"TLS_ECDH_RSA_WITH_RC4_128_SHA256",\
"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",\
"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA256",\
"TLS_ECDHE_PSK_WITH_RC4_128_SHA",\
"TLS_ECDHE_PSK_WITH_RC4_128_SHA256",\
"TLS_ECDHE_RSA_WITH_RC4_128_SHA",\
"TLS_ECDHE_RSA_WITH_RC4_128_SHA256",\
"TLS_KRB5_EXPORT_WITH_RC4_40_MD5",\
"TLS_KRB5_EXPORT_WITH_RC4_40_SHA",\
"TLS_KRB5_EXPORT_WITH_RC4_40_SHA256",\
"TLS_KRB5_WITH_RC4_128_MD5",\
"TLS_KRB5_WITH_RC4_128_SHA",\
"TLS_KRB5_WITH_RC4_128_SHA256",\
"TLS_PSK_WITH_RC4_128_SHA",\
"TLS_PSK_WITH_RC4_128_SHA256",\
"TLS_RSA_EXPORT_WITH_RC4_40_MD5",\
"TLS_RSA_EXPORT1024_WITH_RC4_56_MD5",\
"TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",\
"TLS_RSA_EXPORT1024_WITH_RC4_56_SHA256",\
"TLS_RSA_PSK_WITH_RC4_128_SHA",\
"TLS_RSA_PSK_WITH_RC4_128_SHA256",\
"TLS_RSA_WITH_RC4_128_MD5",\
"TLS_RSA_WITH_RC4_128_SHA",\
"TLS_RSA_WITH_RC4_128_SHA256",\
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",\
"TLS_RSA_WITH_3DES_EDE_CBC_SHA",\
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",\
"TLS_RSA_WITH_3DES_EDE_CBC_SHA",\
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",\
"TLS_RSA_WITH_3DES_EDE_CBC_SHA",\
".*3DES_EDE_CBC.*"\
]
org.apache.felix.http.path_exclusions=["/system"]
org.apache.felix.http.jetty.selectors=I"-1"
org.apache.felix.proxy.load.balancer.connection.enable=B"true"
org.eclipse.jetty.servlet.SessionDomain=""
org.apache.felix.https.jetty.renegotiateAllowed=B"false"
org.apache.felix.http.jetty.maxFormSize=I"204800"
org.apache.felix.http.jetty.sendServerHeader=B"false"
org.apache.felix.http.jetty.requestBufferSize=I"8192"
org.apache.felix.https.keystore.password="storepassword"
org.eclipse.jetty.servlet.SessionIdPathParameterName="jsessionid"
org.apache.felix.https.jetty.ciphersuites.included=[""]
org.apache.felix.http.mbeans=B"false"
org.apache.felix.http.host="0.0.0.0"
org.eclipse.jetty.servlet.SessionCookie="JSESSIONID"
org.eclipse.jetty.servlet.SessionPath=""
org.osgi.service.http.port.secure=I"54333"
org.apache.felix.https.jetty.session.cookie.httpOnly=B"true"
org.apache.felix.http.context_path="/"
org.apache.felix.https.enable=B"true"
org.apache.felix.https.keystore.key.password="key_password"
org.apache.felix.http.jetty.headerBufferSize=I"16384"
org.apache.felix.https.truststore=""
org.apache.felix.http.session.timeout=I"10"
org.eclipse.jetty.servlet.MaxAge=I"-1"
org.apache.felix.https.jetty.session.cookie.secure=B"false"
org.apache.felix.http.jetty.responseBufferSize=I"24576"

This product is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.
