TLS 1.0 enabled vulnerability
Scanning a lighttpd service with Acunetix
TLS 1.0 enabled
Severity Medium
Reported by module /Scripts/PerServer/SSL_Audit.script
Description
The web server supports encryption through TLS 1.0. TLS 1.0 is not considered to be "strong cryptography" as defined and
required by the PCI Data Security Standard 3.2(.1) when used to protect sensitive information transferred to or from web
sites. According to PCI, "30 June 2018 is the deadline for disabling SSL/early TLS and implementing a more secure
encryption protocol – TLS 1.1 or higher (TLS v1.2 is strongly encouraged) in order to meet the PCI Data Security Standard
(PCI DSS) for safeguarding payment data."
Impact
An attacker may be able to exploit this problem to conduct man-in-the-middle attacks and decrypt communications between
the affected service and clients.
Recommendation
It is recommended to disable TLS 1.0 and replace it with TLS 1.2 or higher.
References
Are You Ready for 30 June 2018? Saying Goodbye to SSL/early TLS (https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls)
PCI 3.1 and TLS 1.2 (Cloudflare Support) (https://support.cloudflare.com/hc/en-us/articles/205043158-PCI-3-1-and-TLS-1-2)
Affected items
Web Server
Details
The SSL server (port: 8443) encrypts traffic using TLSv1.0.
Fix
Add the following to the lighttpd configuration file:
# Restrict the OpenSSL cipher list to suites that only exist in TLS 1.2,
# so a TLS 1.0 or TLS 1.1 handshake finds no shared cipher and is rejected
ssl.cipher-list = "TLSv1.2"
# Also switch off the legacy SSL protocol versions
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
The first line is the one that matters.
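To confirm from the outside that the change took effect, here is an added shell check (not from the original post and not part of lighttpd) that probes the server one protocol version at a time with openssl s_client; host and port are arguments, and the two transcripts used for the built-in self-test are constructed, not real captures.

```shell
#!/bin/sh
# Probe a TLS server one protocol version at a time with openssl s_client
# and report which versions it still accepts. After the lighttpd change,
# tls1 and tls1_1 should come back "refused" and tls1_2 "accepted".

# Classify one captured s_client transcript (stdout+stderr merged).
# A negotiated session prints "New, TLSv1.x, Cipher is <suite>";
# a rejected one prints "New, (NONE), Cipher is (NONE)".
classify_probe() {
    out=$1
    if printf '%s\n' "$out" | grep -q 'no protocols available'; then
        # Our own openssl build refuses to speak this version; inconclusive.
        echo client-unsupported
    elif printf '%s\n' "$out" | grep -q '^New, .*Cipher is [A-Z0-9]'; then
        echo accepted
    else
        echo refused
    fi
}

# Run one probe: $1 host, $2 port, $3 s_client version flag (-tls1, -tls1_2, ...).
probe_version() {
    out=$(printf '' | openssl s_client -connect "$1:$2" -servername "$1" "$3" 2>&1 || true)
    classify_probe "$out"
}

# Probe the three versions the scanner finding is about.
check_server() {
    host=$1
    port=${2:-8443}
    for v in tls1 tls1_1 tls1_2; do
        printf '%-7s %s\n' "$v" "$(probe_version "$host" "$port" "-$v")"
    done
}

# Constructed sample transcripts (not real captures) used for a self-test.
SAMPLE_ACCEPTED='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit'
SAMPLE_REFUSED='CONNECTED(00000003)
error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
New, (NONE), Cipher is (NONE)'

if [ $# -ge 1 ]; then
    check_server "$1" "${2:-8443}"   # usage: ./tlscheck.sh host [port]
else
    printf 'sample accepted -> %s\n' "$(classify_probe "$SAMPLE_ACCEPTED")"
    printf 'sample refused  -> %s\n' "$(classify_probe "$SAMPLE_REFUSED")"
fi
```

A "client-unsupported" result means your own openssl build no longer speaks that version, so probe from a host whose openssl still does before treating the server as fixed.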