nginx 安全 TLS 配置导致 SSL_ERROR_NO_CYPHER_OVERLAP

nginx 安全 TLS 配置导致 SSL_ERROR_NO_CYPHER_OVERLAP

我遵循 2018 年 1 月的指南来强化我的 nginx 1.10.3 TLS 配置。

现在我进入SSL_ERROR_NO_CYPHER_OVERLAPFirefox 66.0.1 和https://www.ssllabs.com/ssltestAssessment failed: Failed to communicate with the secure server

这是当前配置。 nginx -t成功。

server {
    listen 80;
    listen [::]:80;
    server_name domain.tld;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name domain.tld;
    root /var/www/domain.tld;
    index index.html;

    ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/domain.tld/chain.pem;        
    # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

    server_tokens off;

    location / {
        try_files $uri $uri/ =404;
    }
}

答案1

关于您的证书,我一无所知,但我猜您使用的是 RSA 证书,因为这仍然是最常见的证书。只是,您的密码都是 *-ECDSA-* 密码,需要 ECC 证书。

我建议你不要自己想出安全方案,也不要不明白这到底有多安全,以及会产生什么副作用,而是直接使用推荐的设置,就像Mozilla SSL 配置生成器

相关内容