I tried to block TLSv1.0 and TLS1.1 in Apache, but the protocols still work


I have a website on the server (one of a few websites). I am trying to improve my domain's score on https://www.ssllabs.com/ssltest - but it doesn't seem to work.

Contents of /etc/apache2/sites-available/<my-doamin>-le-ssl.conf:

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName <my-doamin>

        DocumentRoot /var/www/<my-doamin>

        SSLEngine on
        SSLProtocol -all +TLSv1.2 +TLSv1.3
        SSLCipherSuite HIGH:!aNULL:!MD5
        SSLHonorCipherOrder on
        SSLCipherSuite HIGH:!aNULL:!MD5:!RSA:!DES:!DSS:!RC4:!3DES:!ECDH:!ECDSA
        ServerAdmin webadmin@<my-doamin>

        SSLCertificateFile /etc/letsencrypt/live/<my-doamin>/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/<my-doamin>/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf

</VirtualHost>
</IfModule>

Here is the score from the SSL test screenshot:


I can also run this command from an external source: openssl s_client -connect <my-domain>:443 -tls1

I get:

depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X2
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E1
verify return:1
depth=0 CN = <my-domain>
verify return:1
405765AEA07F0000:error:0A00014D:SSL routines:tls_process_key_exchange:legacy sigalg disallowed or unsupported:../ssl/statem/statem_clnt.c:2254:
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = <my-domain>
   i:C = US, O = Let's Encrypt, CN = E1
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Jan 29 03:26:59 2024 GMT; NotAfter: Apr 28 03:26:58 2024 GMT
 1 s:C = US, O = Let's Encrypt, CN = E1
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X2
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X2
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 3 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
subject=CN = <my-domain>
issuer=C = US, O = Let's Encrypt, CN = E1
---
No client certificate CA names sent
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4340 bytes and written 132 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1711398075
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

Contents of /etc/letsencrypt/options-ssl-apache.conf:

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     on
SSLSessionTickets       off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
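As an added example (not from the original question, nor from the Apache or Let's Encrypt projects): a small shell helper that classifies what an openssl s_client probe actually proved. The detail worth reading in the output above is that the server answered the -tls1 ClientHello with its full certificate chain before the client aborted on "legacy sigalg disallowed", so the server selected TLSv1 rather than refusing it, and the session summary's "Cipher is (NONE)" reflects a client-side abort, not a server-side block. The function names, the host example.invalid and the shortened error line in the sample are constructed; `-cipher 'DEFAULT:@SECLEVEL=0'` is a real OpenSSL option used so that a modern client can finish a TLS 1.0/1.1 handshake instead of aborting it.

```shell
#!/bin/sh
# Classify one `openssl s_client -<version>` probe from its combined
# stdout+stderr (read on stdin). Prints one word:
#   negotiated   - handshake completed at that version
#   refused      - server sent no certificate chain (alert or reset)
#   client-abort - server answered with its certificate chain, so it does
#                  speak that version, but the *client* gave up afterwards
#                  (e.g. "legacy sigalg disallowed"); the version is NOT blocked
classify_sclient_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        if printf '%s\n' "$out" | grep -q '^Certificate chain$'; then
            echo client-abort
        else
            echo refused
        fi
    elif printf '%s\n' "$out" | grep -q '^New, '; then
        echo negotiated
    else
        echo refused
    fi
}

# Constructed sample mirroring the shape of the failed -tls1 probe above
sample_failed_probe() {
    printf '%s\n' \
        'CONNECTED(00000003)' \
        'error:0A00014D:SSL routines:tls_process_key_exchange:legacy sigalg disallowed or unsupported' \
        '---' \
        'Certificate chain' \
        ' 0 s:CN = example.invalid' \
        '---' \
        'New, (NONE), Cipher is (NONE)' \
        'SSL-Session:' \
        '    Protocol  : TLSv1'
}

# Probe every TLS version on a live host (needs network and the openssl CLI).
# @SECLEVEL=0 lets a modern OpenSSL client finish a TLS 1.0/1.1 handshake,
# so a server that still accepts them shows as "negotiated", not "client-abort".
probe_tls_versions() {
    host=$1
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        result=$(openssl s_client -connect "$host:443" -servername "$host" \
                    "-$v" -cipher 'DEFAULT:@SECLEVEL=0' </dev/null 2>&1 \
                 | classify_sclient_output)
        printf '%-7s %s\n' "$v" "$result"
    done
}
```

Run `probe_tls_versions <my-domain>` after each config change and restart; a correctly hardened vhost reports "refused" for tls1 and tls1_1 and "negotiated" for tls1_2 and tls1_3.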
