
Oracle HTTP Server (OHS) Apache 2.2.13 POODLE SSLv3 fix?

Stack Overflow user
Asked 2014-11-06 00:43:34
Answers: 1 | Views: 3.9K | Followers: 0 | Votes: 1

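I applied the POODLE fix to Apache via "SSLProtocol All -SSLv2 -SSLv3" in the Apache server's ssl.conf file, but ran into a CAC client authentication problem with "SSLVerifyClient require". I have confirmed that if I set "SSLVerifyClient none", our web application is reachable over https and uses the correct TLSv1 protocol, but as soon as I set "SSLVerifyClient require" (which is required, because our web application has SSLVerifyClient enabled), I get "Page cannot be displayed" in IE (IE has SSLv2 and SSLv3 disabled). I think that during the SSLVerifyClient phase it is renegotiating with SSLv3. Does anyone know how to fix this on Oracle HTTP Server (OHS) Apache 2.2.13?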

Below is a snippet of my ssl.conf file:

###################################################################
# Oracle HTTP Server mod_ossl configuration file: ssl.conf        #
###################################################################


# OHS Listen Port
Listen 443

<IfModule ossl_module>
##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#
#   Some MIME-types for downloading Certificates and CRLs
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
    SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism 
#   to use and second the expiring timeout (in seconds).
    SSLSessionCache "shmcb:${ORACLE_INSTANCE}/diagnostics/logs/${COMPONENT_TYPE}/${COMPONENT_NAME}/ssl_scache(512000)"
    SSLSessionCacheTimeout  300

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization. 
    <IfModule mpm_winnt_module>
      SSLMutex "none"
    </IfModule>
    <IfModule !mpm_winnt_module>
      SSLMutex pthread
    </IfModule>

##
## SSL Virtual Host Context
##
<VirtualHost *:443>
#    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/htdocs/asset"
    DirectoryIndex remagnum.html
    ServerName TTSDS09083.TIMPO.OSD.MIL
#    ServerAlias www.dummy-host.example.com

  <IfModule ossl_module>

   #  SSL Engine Switch:
   #  Enable/Disable SSL for this virtual host.
   SSLEngine on

   #  SSL Cipher Suite:
   #  List the ciphers that the client is permitted to negotiate.
   #SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA

   SSLCipherSuite SSL_RSA_WITH_AES_128_CBC_SHA

   SSLProtocol All -SSLv2 -SSLv3


   #  Client Authentication (Type):
   #  Client certificate verification type and depth.  Types are
   #  none, optional and require.
   #SSLVerifyClient none
   SSLVerifyClient require

   # SSL Certificate Revocation List Check
   # Valid values are On and Off
   SSLCRLCheck Off

   #Path to the wallet
   SSLWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/default"

   <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars +ExportCertData

   </FilesMatch>

   <Directory "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/cgi-bin">
      SSLOptions +StdEnvVars +ExportCertData

   </Directory>

   BrowserMatch ".*MSIE.*" \
   nokeepalive ssl-unclean-shutdown \
   downgrade-1.0 force-response-1.0

  </IfModule>
</VirtualHost>

</IfModule>

1 Answer

Stack Overflow user

Posted 2015-01-10 05:20:03

Have you tried removing the BrowserMatch for deprecated browsers?

#BrowserMatch ".*MSIE.*" \
#   nokeepalive ssl-unclean-shutdown \
#   downgrade-1.0 force-response-1.0

And also from httpd.conf:

#BrowserMatch "Mozilla/2" nokeepalive
#BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0

Reference: http://blogs.msdn.com/b/ieinternals/archive/2011/03/26/https-and-connection-close-is-your-apache-modssl-server-configuration-set-to-slow.aspx

Votes: 1
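
A small audit of an ssl.conf like the one in the question, added here as an example and not part of the original post, the answer, or OHS itself: it resolves each SSLProtocol directive to see whether SSLv2/SSLv3 remain enabled and lists BrowserMatch lines carrying the legacy workaround flags the answer suggests commenting out. It assumes mod_ossl evaluates +/- protocol tokens the way mod_ssl does; the sample config, the finding labels and the function names are constructed.

```python
import re
import shlex

# Constructed sample, modelled on the directives in the question's ssl.conf.
SAMPLE_CONF = r'''
   SSLProtocol All -SSLv2 -SSLv3
   BrowserMatch ".*MSIE.*" \
   nokeepalive ssl-unclean-shutdown \
   downgrade-1.0 force-response-1.0
'''

# Assumption: what "All" expands to; only the SSLv2/SSLv3 members matter here.
KNOWN = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
LEGACY = {"sslv2", "sslv3"}
WORKAROUNDS = {"ssl-unclean-shutdown", "downgrade-1.0", "force-response-1.0"}

def logical_lines(text):
    """Join backslash-continued lines, then drop blanks and comments."""
    for line in re.sub(r"\\\r?\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def enabled_protocols(args):
    """Resolve tokens mod_ssl-style (assumed): + adds, - removes, bare replaces."""
    enabled = set()
    for tok in args.lower().split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        names = set(KNOWN) if name == "all" else {name}
        if sign == "-":
            enabled -= names
        else:
            enabled = enabled | names if sign == "+" else names
    return enabled

def audit(text):
    """Return (finding, detail) tuples for one configuration file."""
    findings = []
    for line in logical_lines(text):
        key, args = (line.split(None, 1) + [""])[:2]
        if key.lower() == "sslprotocol":
            legacy = sorted(enabled_protocols(args) & LEGACY)
            if legacy:
                findings.append(("legacy-protocol", legacy))
        elif key.lower() == "browsermatch":
            toks = shlex.split(args)
            if WORKAROUNDS & {t.lower() for t in toks[1:]}:
                findings.append(("browsermatch-workaround", toks[0]))
    return findings
```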
Original page content provided by Stack Overflow.
Original link: https://stackoverflow.com/questions/26762493