配置 Nginx SSL禁用弱加密算法

jed , 2022-1-20 15:21 , 服务器技术 , 评论(0) , 阅读(1265) , Via 本站原创

通过命令： nmap -sV --script ssl-enum-ciphers -p 443 www.example.com 可得：

Starting Nmap 6.40 ( http://nmap.org ) at 2021-10-08 14:51 CST
Nmap scan report for 127.0.0.1
Host is up (0.035s latency).
PORT    STATE SERVICE VERSION
443/tcp open  http    nginx 1.19.10
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - broken
|       TLS_ECDH_anon_WITH_AES_128_CBC_SHA - broken
|       TLS_ECDH_anon_WITH_AES_256_CBC_SHA - broken
|       TLS_ECDH_anon_WITH_RC4_128_SHA - broken
|       TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - weak
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.09 seconds

结果中weak(柔弱的)、broken(损坏的)、strong(坚固的)字段表示加密强度，为了安全需要将128位以下弱加密算法禁用，Nginx 配置 SSL需明确指定算法：

ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!3DES:!ADH:!RC4:!DH:!DHE;

重启是nginx.conf配置生效

nginx -s reload

seafile