我有一台 Apache/2.4.18 服务器,带有 OpenSSL/1.0.1s。我使用了 Mozilla SSL 配置生成器 生成 SSL 配置:
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSL 实验室测试给出以下消息:
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C.
The server does not support Forward Secrecy with the reference browsers.
此外,在“握手模拟”中它会给出以下消息:
Apple ATS 9 / iOS 9 R Server sent fatal alert: handshake_failure
我该如何摆脱这些,特别是最后一个,以便 iOS 9 用户可以轻松连接?
谢谢!
答案1
首先,您应该获得一个 SHA2 证书,因为 Chrome 需要它。
你的 SSL 配置应如下所示:
Listen 443
SSLEngine on
SSLPassPhraseDialog builtin
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!RC4+RSA:+HIGH:!MEDIUM:!LOW:!MD5:!DES
SSLCertificateFile /path/to/cert
SSLCertificateKeyFile /path/to/key
SSLCACertificateFile /path/to/cacert
您可以选择添加这些以获得额外的安全性:
Header always append X-Frame-Options SAMEORIGIN
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Header always set X-ServerId 1
遵守密码套件的顺序不是强制性的。
答案2
我建议使用以下工具测试你的网站: https://www.ssllabs.com/ssltest/ https://ssl-tools.net/
它们将为你提供关于你的服务器是否设置正确的重要信息,并提供改进方法的链接