我有一个专用的 CentOS Web 服务器(使用 Plesk 12),我正在尝试禁用 SSL 3。
我到处尝试禁用 SSL 3,并尝试应用其他帖子中详述的修复方法,但当我重新测试时(使用https://www.ssllabs.com/ssltest/analyze.html?d) 服务器仍然显示 SSL 3 可用。
我去过我的服务器供应商,但他们根本没有提供任何帮助。
有人能给我指明正确的方向吗?
我的 /etc/nginx/nginx.conf 文件如下所示
#user nginx;
worker_processes 1;
#error_log /var/log/nginx/error.log;
#error_log /var/log/nginx/error.log notice;
#error_log /var/log/nginx/error.log info;
#pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#tcp_nodelay on;
gzip on;
gzip_http_version 1.1;
gzip_vary on;
gzip_comp_level 6;
gzip_proxied any;
gzip_types text/plain image/svg+xml text/css application/json application/x$
gzip_buffers 16 8k;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
server_tokens off;
include /etc/nginx/conf.d/*.conf;
server {
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDH$
ssl_prefer_server_ciphers on;
}
}
应用上述操作后,我重新启动了服务 sudo service nginx restart
我将不胜感激任何帮助。
答案1
我强烈建议您使用 Mozilla SSL 配置工具这里。
他们使其保持更新,它涵盖了 Apache 和 Nginx,并向您展示了所有的参数。
以下是我自己的默认站点配置的摘录:
listen 443 ssl;
listen [::]:443 ssl ipv6only=on;
server_name ubuntu;
# ---- SSL Configuration - Use http://mozilla.github.io/server-side-tls/ssl-config-generator/ to update ---- #
# Includes PFS, Cert Pinning, SPDY
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
# Generate with: cd /etc/ssl/certs && sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# modern configuration. tweak to your needs.
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
# HSTS
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
#ssl_stapling on;
#ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
#For StartSSL goto ‘Toolbox’ and ‘StartCom CA Certificates’ and is called ‘Server Certificate Bundle with CRLs’.
#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
#resolver 8.8.8.8;
# ---- End of SSL Config ---- #
请注意,我没有启用 OCSP 装订,因为这是从在 VirtualBox 客户机上运行的本地开发服务器获取的,因此它只有自签名证书。
答案2
感谢大家的评论。我终于找到了解决方案
http://forum.sp.parallels.com/threads/ssl-poodle-sslv3-bug.323338/
首先我要感谢 UFHH01 提供的解决方案,我们的暴露问题暂时解决了!希望您不介意,我已将以下所有步骤整理出来:
更新:确保您使用的模板目录正确。“/opt/psa/admin/conf/templates/default”与“/usr/local/psa/admin/conf/templates/custom/”不同,这可能是发行版特有的,或者是其中一个的拼写错误……对我来说,我使用的是/usr/local/psa/admin/conf/templates/custom/
确保您首先运行以下命令:
cd /etc/nginx/openssl dhparam -out dhparam.pem 4096
喝杯咖啡,这需要一段时间....[电梯音乐]当它完成时你应该回到shell提示符。
更新:如果目录 /usr/local/psa/admin/conf/templates/custom/ 不存在,则创建该目录。将文件复制到自定义模板时,请确保使用相同的目录结构,并且只复制要编辑的文件。
命令:
mkdir /usr/local/psa/admin/conf/templates/custom cp /usr/local/psa/admin/conf/templates/default/nginxWebmailPartial.php /usr/local/psa/admin/conf/templates/custom/ cp /usr/local/psa/admin/conf/templates/default/server/nginxVhosts.php /usr/local/psa/admin/conf/templates/custom/server/ cp /usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php /usr/local/psa/admin/conf/templates/custom/domain/ cd /usr/local/psa/admin/conf/templates/custom/
对位于 /usr/local/psa/admin/conf/templates/custom/ 的以下文件进行以下代码更改
“nginxWebmailPartial.php” “服务器/nginxVhosts.php” “域/nginxDomainVirtualHost.php”
代码:
ssl_session_timeout 5m; ssl_session_cache共享:SSL:50m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"; ssl_prefer_server_ciphers 开启; ssl_dhparam /etc/nginx/dhparam.pem;
完成更改后,请务必:
/usr/local/psa/admin/bin/httpdmng --reconfigure-all 服务 httpd 重新启动 服务 nginx 重新启动
答案3
您可以将其设为默认设置:
ssl_协议 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 全部:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP:!kEDH;
为了禁用对 SSLv3(poodle vunerablity)的支持,您必须在密码中添加 -SSLv3,并且仅在协议中使用 TLS 选项,就像我在上面给您的确切示例中提到的那样,在您的服务器块中使用。
执行此操作后,您可以通过访问以下网址来检查它是否有效:https://www.poodlescan.com/
希望有帮助