今天發現具體是因為centos8系統自帶的openssl版本太高導致的。
在apache的配置文件/etc/httpd/conf.d/ssl.conf中啟用TLSv1.0。
啟用後IE8可以正常訪問https,但IE6默認情況下沒法訪問。IE6默認情況下只開啟了SSLv3,沒有開啟TLSv1.0,而CentOS8自帶的OpenSSL 1.1.1k不支持SSLv3。IE6隻有在Internet選項裏面勾選了TLS1.0才能訪問https網站。
打開apache配置文件/etc/httpd/conf.d/ssl.conf,將下面兩行
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
修改為
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
保存文件,用sudo systemctl restart httpd命令重啟apache伺服器,IE8就可以訪問https了。
提示:
(1)update-crypto-policies保持默認的「DEFAULT」狀態即可,不需要修改。
$ sudo update-crypto-policies --show
DEFAULT
(2)ssl.conf裏面下列兩行中的「-SSLv3」表示禁用SSLv3的意思。
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
如果改成「+SSLv3」就表示啟用SSLv3,但是CentOS8自帶的OpenSSL 1.1.1k不支持SSLv3,修改後apache無法啟動成功。
Apr 19 11:26:32 systemd[1]: Starting The Apache HTTP Server...
-- Subject: Unit httpd.service has begun start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit httpd.service has begun starting up.
Apr 19 11:26:32 httpd[366766]: AH00526: Syntax error on line 61 of /etc/httpd/conf.d/ssl.conf:
Apr 19 11:26:32 httpd[366766]: SSLv3 not supported by this version of OpenSSL
Apr 19 11:26:32 systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Apr 19 11:26:32 systemd[1]: httpd.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- The unit httpd.service has entered the 'failed' state with result 'exit-code'.
Apr 19 11:26:32 systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit httpd.service has failed.
--
-- The result is failed.
openssl命令的-ssl3選項也無法使用:
$ openssl s_client -connect localhost:443 -ssl3
s_client: Option unknown option -ssl3
s_client: Use -help for summary.
目前共有3篇帖子。
關於centos8自帶的apache2.4開啟https後,XP系統的IE8無法顯示網頁的問題
 |
|
|
這個方法只適用於CentOS 8,在CentOS 9裏面無效。
|
|
這個方法在Fedora 39中使用也無效。
|
