我有一个设备正在尝试连接,并Client Hello从 Wireshark 捕获以下内容:
看起来它支持的唯一密码套件是ECDHE-ECDSA-AES128-GCM-SHA256,因此我正尝试使用来启用它nginx。
events {
}
http {
server {
listen 443 ssl;
ssl_certificate /etc/nginx/certs/nginx.crt;
ssl_certificate_key /etc/nginx/certs/nginx.key;
server_name xxx.yyy.zzz;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256';
}
}
nginx使用该配置运行时没有出现错误:
$ docker run -p 443:443 -v (pwd):/etc/nginx/certs -v (pwd)/nginx.conf:/etc/nginx/nginx.conf nginx
但是,支持的密码列表返回空sslscan:
$ sslscan localhost
Version: 1.11.12-static
OpenSSL 1.0.2f 28 Jan 2016
ERROR: Could not open a connection to host localhost (::1) on port 443.
Connected to 127.0.0.1
Testing SSL server localhost on port 443 using SNI name localhost
TLS Fallback SCSV:
Server supports TLS Fallback SCSV
TLS renegotiation:
Session renegotiation not supported
TLS Compression:
Compression disabled
Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed
Supported Server Cipher(s):
$
我不是运维人员,所以不熟悉如何设置服务器。我只需要让这个 IoT 设备连接到我的服务器。
那么,如何使用ECDHE-ECDSA-AES128-GCM-SHA256nginx 启用密码套件?
答案1
您可以使用以下方式查看可用的 ssl_ciphers:
openssl ciphers
为了获得更加“眼睛友好”的输出,请尝试:
openssl ciphers | egrep --color 'ECDHE-ECDSA-AES128-GCM-SHA256'
检查您想要的密码是否可用于 nginx。