Can't disable TLS 1.1 for nginx


I have spent several hours on this but still can't fix it: I cannot disable TLS 1.1. This is required by Stripe (or any other CC gateway) for the WordPress WooCommerce based shop I am building.

Domain: russianphilately.com

CentOS 6

Front end: nginx, back end: Apache.

nginx version: nginx/1.4.1, OpenSSL 1.0.2p

Nginx listens on ports 80 and 443 on all IPs of the server. In the default nginx config file the 443 section is empty, but there are entries listening on ports 80 and 443 on all IPs.

The virtual host nginx config file is:

<pre>
<code>
server {
    listen 149.56.235.139:80;
    server_name russianphilately.com www.russianphilately.com;
    return 301 https://$host$request_uri;
}
server {
    #listen 149.56.235.139:80;
    listen 149.56.235.139:443 default_server ssl;
    server_name russianphilately.com www.russianphilately.com;
    root /home/httpd/vhosts/russianphilately.com/httpdocs;

    ssl_certificate     /etc/nginx/ssl/russianphilately.com_bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/russianphilately.com.key;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_dhparam dhparam.pem;
    #ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    #ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    #ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    #ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH";
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH";
    #ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
    #ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_ecdh_curve secp384r1;
    # "always" is an add_header parameter (nginx 1.7.5+), not part of the header value;
    # inside the quotes it was only sent to clients as a bogus directive, so it is dropped here
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    gzip on;
    gzip_min_length 1100;
    gzip_buffers 4 32k;
    gzip_types text/plain application/x-javascript text/xml text/css;
    gzip_vary on;

    location / {
        proxy_pass http://127.0.0.1:8080/;
        #fastcgi_param HTTPS on;
        fastcgi_param SERVER_PORT 80;
        #proxy_redirect http://localhost:8000/zemstvo/ http://russianphilately.com/c/zemstvo/;
        rewrite ^/?zemstvo/a-c/(.*)$ /c/zemstvo/$1 redirect;
        rewrite ^/?zemstvo/a-c/(.*)$ /c/zemstvo/$1 redirect;
        rewrite ^/?zemstvo/d-k/(.*)$ /c/zemstvo/$1 redirect;
        rewrite ^/?zemstvo/l-o/(.*)$ /c/zemstvo/$1 redirect;
        rewrite ^/?zemstvo/p-s/(.*)$ /c/zemstvo/$1 redirect;
        rewrite ^/?zemstvo/t-z/(.*)$ /c/zemstvo/$1 redirect;
        rewrite ^/?zemstvo/(.*)$ /c/zemstvo/$1 redirect;
        rewrite ^/?empire-1857-1917/(.*)$ /c/empire-1857-1917/$1 redirect;
        rewrite ^/?ussr-1923-1940/(.*)$ /c/ussr-1923-1940/$1 redirect;
        rewrite ^/?ukraine/(.*)$ /c/ukraine/$1 redirect;
        rewrite ^/?civil-war/(.*)$ /c/civil-war/$1 redirect;
        #rewrite ^/(.*)/$ /$1 permanent;
    }

    location ~ /\.ht {
        deny all;
    }

    location ~* \.(gif|jpg|png|js|css|ico)$ {
        expires 30d;
        access_log /home/httpd/vhosts/russianphilately.com/logs/static_access_log;
    }
    #if ( $request_filename ~ russianphilately.com/zemstvo/ ) {
    #    rewrite ^ http://russianphilately.com/c/zemstvo/? permanent;
    #}
    #if ( $request_uri ~ russianphilately.com/zemstvo/.+ ) {
    #    rewrite ^(.*) http://russianphilately.com/c/zemstvo/$1 permanent;
    #}
    #location ^~ /zemstvo/(.*) {
    #    return 301 $scheme://$http_host/c/zemstvo/$1$is_args$query_string;
    #}
}
</code>
</pre>

Only this site runs on that IP, so nobody else is using it. All virtual host configs contain only ssl_protocols TLSv1.2. Entries for any other protocol have been removed from the nginx and even the Apache configs.

The services and the server have been restarted several times, but TLSv1.1 is still available. ssltest.com shows cipher suites for #TLS 1.1 (and shows ciphers that are not listed in this config!) and says:

    TLS 1.3   No
    TLS 1.2   Yes
    TLS 1.1   Yes
    TLS 1.0   No

    # TLS 1.1 (suites in server-preferred order)
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 4096 bits   FS 256
    TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK  256
    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88)   DH 4096 bits   FS    256
    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)   WEAK 256
    TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK  128
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 4096 bits   FS 128
    TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45)   DH 4096 bits   FS    128
    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)   WEAK 128
    TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK  112
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 4096 bits   FS   WEAK 112

Chrome says: Connection - obsolete connection settings. The connection to this site uses TLS 1.2 (a strong protocol), RSA (an obsolete key exchange), and AES_256_GCM (a strong cipher).

I don't know where to look for the TLS 1.1 configuration or how to fix it... Thanks for your help!

    [root@ks4002647 ~]# grep -ri "TLSv1.1" /etc/nginx
    [root@ks4002647 ~]#

    [root@ks4002647 ~]# grep -ri "TLSv1.1" /etc
    Binary file /etc/httpd/modules/libphp5.so matches
    Binary file /etc/httpd/modules/mod_ssl.so matches
    Binary file /etc/httpd/modules/libphp5-zts.so matches
    /etc/httpd/conf.d/ssl.conf:SSLProtocol TLSv1.2 -TLSv1.1

Answer 1

I once fooled myself this way.

Test results on the SSL Labs site are cached, so when you run the test again, make sure to click "Clear cache" on the results page to start a fresh, real test.


Include

Your configuration looks fine. However, we can't see the complete server section, so some external include file may be overriding your SSL configuration. For example, the file that certbot inserts when it installs a Let's Encrypt certificate with the nginx auto-configuration switch: include /etc/letsencrypt/options-ssl-nginx.conf. Make sure that include is commented out.

Grep

If none of the above helps, search the config files for TLSv1.1:

    grep -ri "TLSv1.1" /etc/nginx
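Added example (not from the question or the answer): a small Python script that follows nginx `include` directives, including ones that point outside /etc/nginx such as certbot's options-ssl-nginx.conf, and reports every `ssl_protocols` directive it reaches, which is exactly what a grep limited to /etc/nginx cannot do (nginx 1.4.1 also predates `nginx -T`, added in 1.9.2, which would otherwise dump the merged config). The file names and the fixture it builds in a temp directory are constructed for the demonstration; relative include paths are assumed to resolve against the nginx configuration prefix.

```python
import glob
import os
import re
import tempfile
from pathlib import Path

LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
DIRECTIVE = re.compile(r"^\s*(include|ssl_protocols)\s+([^;]+);")

def walk(path, prefix, seen=None):
    """Yield (file, line, directive, value) for include/ssl_protocols, recursing into includes."""
    seen = set() if seen is None else seen
    real = os.path.realpath(path)
    if real in seen:  # guard against include loops
        return
    seen.add(real)
    for lineno, raw in enumerate(Path(path).read_text().splitlines(), 1):
        m = DIRECTIVE.match(raw.split("#", 1)[0])  # ignore trailing comments
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip().strip("\"'")
        yield path, lineno, name, value
        if name == "include":  # relative paths resolve against the nginx prefix; globs allowed
            pattern = value if os.path.isabs(value) else os.path.join(prefix, value)
            for inc in sorted(glob.glob(pattern)):
                yield from walk(inc, prefix, seen)

def audit(main_conf, prefix):
    """Return [(file, line, protocols, legacy_enabled)] for every ssl_protocols directive reached."""
    return [(f, ln, v.split(), sorted(LEGACY & set(v.split())))
            for f, ln, name, v in walk(main_conf, prefix) if name == "ssl_protocols"]

def demo():
    """Constructed fixture: the vhost sets TLSv1.2 only, then an include outside the nginx
    directory re-enables TLSv1.1, so `grep -ri TLSv1.1 /etc/nginx` would never see it."""
    root = Path(tempfile.mkdtemp())
    nginx, le = root / "nginx", root / "letsencrypt"
    (nginx / "conf.d").mkdir(parents=True); le.mkdir()
    (nginx / "nginx.conf").write_text("http {\n    include conf.d/*.conf;\n}\n")
    (nginx / "conf.d" / "shop.conf").write_text(
        "server {\n    listen 443 ssl;\n    ssl_protocols TLSv1.2;  # looks fine\n"
        f"    include {le}/options-ssl-nginx.conf;\n}}\n")
    (le / "options-ssl-nginx.conf").write_text("ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n")
    return [(os.path.relpath(f, root), ln, legacy)
            for f, ln, _, legacy in audit(str(nginx / "nginx.conf"), str(nginx))]

if __name__ == "__main__":
    for rel, ln, legacy in demo():
        print(f"{rel}:{ln}: legacy protocols enabled: {legacy or 'none'}")
```

Run it against the real tree as `audit("/etc/nginx/nginx.conf", "/etc/nginx")`; any finding whose last element is non-empty is a directive that still allows TLS 1.1 or older. To confirm what the server actually negotiates, independent of SSL Labs' cache, `openssl s_client -connect russianphilately.com:443 -tls1_1 </dev/null` should fail the handshake once TLS 1.1 is really off.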
