TLS v1 在 nginx 配置中启用,但不起作用且证书不可用

TLS v1 在 nginx 配置中启用,但不起作用且证书不可用

我有一台 Ubuntu 18.04.1 服务器,在 Digital Ocean 上运行 PHP 5.6 和 Forge。我正在尝试为网站启用 TLSv1 和 TLSv1.1。因此,我编辑了我的 NGINX 配置以包含它们:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

重新启动 NGINX 并进行检查:

openssl s_client -host mydomain.co.uk -port 443 -tls1

返回:

no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1537432315
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

因此,我尝试在 Forge 中使用 Let's Encrypt 创建一个新证书并激活它,重新启动 NGINX 并再次检查,结果返回了相同的响应。

有什么想法吗?我不确定我缺少什么才能让它工作起来。

编辑:完整的 NGINX 配置:

# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/www.mydomain.co.uk/before/*;

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.mydomain.co.uk;
    root /home/forge/www.mydomain.co.uk/public;

    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/www.mydomain.co.uk/414422/server.crt;
    ssl_certificate_key /etc/nginx/ssl/www.mydomain.co.uk/414422/server.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers LONG-CIPHER-IS-HERE;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;

    charset utf-8;

    # FORGE CONFIG (DO NOT REMOVE!)
    include forge-conf/www.mydomain.co.uk/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/www.mydomain.co.uk-error.log error;

    #error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php5.6-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }
}

# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/www.mydomain.co.uk/after/*;

答案1

据我所知,HTTP/2 仅使用 TLS1.2 及以上版本。您可以在相关RFC 7540

答案2

所以这是由于使用了密码。请在此处查看答案:https://stackoverflow.com/questions/47953440/how-to-enable-back-tlsv1-and-tlsv1-1-on-nginx

我用的是Mozilla SSL 配置生成器创建正确的密码,并测试它SSL 实验室

答案3

您必须将服务器配置为使用 TLS1.2 协议你的 nginx 的所有虚拟主机

例如:

http 部分:

ssl_session_cache   shared:SSL:10m;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_stapling on;
resolver 8.8.8.8;

服务器部分:

ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_session_timeout 5m;
ssl_session_tickets off;
ssl_certificate SSL_Certificate.crt;
ssl_certificate_key private.key;
add_header Strict-Transport-Security "max-age=31536000";

相关内容