TLS 1.0 is obsolete. Enable TLS 1.2 or later (nginx)

I have the following nginx configuration in /etc/nginx/sites-enabled/example_com for the domain example.com:

server {

    server_name example.com;

    location / {
         proxy_set_header   X-Forwarded-For $remote_addr;
         proxy_set_header   Host $http_host;
         proxy_pass         "http://127.0.0.1:3010";
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection 'upgrade';
         proxy_set_header X-Request-Port '80';
         proxy_cache_bypass $http_upgrade;
     }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
   
    ssl_protocols TLSv1.2;
}

server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80;

    server_name example.com;
    return 404; # managed by Certbot
}

When I open example.com in Chrome, I get the following message in the Security tab:

This page is not secure (broken HTTPS).
Certificate - missing
This site is missing a valid, trusted certificate (net::ERR_SSL_OBSOLETE_VERSION).

Connection - obsolete connection settings
The connection to this site is encrypted and authenticated using TLS 1.0, ECDHE_RSA with P-256, and AES_256_CBC with HMAC-SHA1.
TLS 1.0 is obsolete. Enable TLS 1.2 or later.
AES_256_CBC is obsolete. Enable an AES-GCM-based cipher suite.

What I have already done:

  • nginx -t:

    $ sudo nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful

  • sudo service nginx restart and sudo service nginx reload
  • Checked /var/log/nginx/error.log -> no errors there either when accessing the domain
  • The domain points to the correct server IP address. In fact, if I disable SSL, it works as expected.

Any idea why it tells me it is using TLSv1 when I have only enabled TLSv1.2?

Edit:

Output of nginx -T:


http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

# configuration file /etc/nginx/sites-enabled/example_com:
server {

    server_name example.com;

    location / {
         proxy_set_header   X-Forwarded-For $remote_addr;
         proxy_set_header   Host $http_host;
         proxy_pass         "http://127.0.0.1:3010";
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection 'upgrade';
         proxy_set_header X-Request-Port '80';
         proxy_cache_bypass $http_upgrade;
     }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot

    ssl_protocols TLSv1.2;
}

server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80;

    server_name example.com;
    return 404; # managed by Certbot
}

Edit 2: I have updated the HTTP section of the nginx configuration to ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE but I still get the same problem.

Edit 3 (new configuration):

# configuration file /etc/nginx/sites-enabled/example_com:
server {

    server_name example.com;

    location / {
         proxy_set_header   X-Forwarded-For $remote_addr;
         proxy_set_header   Host $http_host;
         proxy_pass         "http://127.0.0.1:3010";
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection 'upgrade';
         proxy_set_header X-Request-Port '80';
         proxy_cache_bypass $http_upgrade;
     }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
    ssl_protocols TLSv1.2;
    ssl_dhparam /home/ubuntu/dhparams.pem;
}

server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80;

    server_name example.com;
    return 404; # managed by Certbot


}

Additional information: OpenSSL version: OpenSSL 1.0.2g 1 Mar 2016

Answer 1

It suddenly works today. I did not change anything. It may have been a caching issue. I am not sure, because I had already cleared the browser cache several times and tried incognito mode and Firefox. I think the way to solve this is to double-check the "HTTP" section of the nginx configuration to avoid unnecessary overrides.
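A configuration audit in the spirit of the answer's advice to check the http section, written as an added example and not code from the post: it walks an `nginx -T` dump, records the `ssl_protocols` each TLS-enabled server block actually ends up with (nginx replaces rather than merges the http-level value in a server block), and flags obsolete versions. The sample dump is constructed from the configuration above plus a hypothetical static.example.com server that relies on the http-level default.

```python
import re

OBSOLETE = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample in `nginx -T` shape: the http-level default and the two example.com servers from
# the post, plus a hypothetical static.example.com server that has no ssl_protocols of its own.
SAMPLE_DUMP = """
http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    server { server_name example.com; listen 443 ssl; ssl_protocols TLSv1.2; }server {
        listen 80; server_name example.com; return 404; # managed by Certbot
    }
    server { listen 443 ssl; server_name static.example.com; }
}
"""

def audit_ssl_protocols(config_text):
    """One dict per TLS-enabled server: effective protocols, which context set them, obsolete ones.
    nginx does not merge ssl_protocols: a server-level directive replaces the http-level value outright."""
    # Drop '#' comments (simplification: a '#' inside quotes is not handled), then split on { } ;
    cleaned = "\n".join(line.split("#", 1)[0] for line in config_text.splitlines())
    tokens = [t.strip() for t in re.findall(r"[^{};]+|[{};]", cleaned) if t.strip()]
    stack, pending, servers, http_protocols, cur = [], None, [], None, None
    for tok in tokens:
        if tok == "{":
            stack.append(pending)            # block header text: "http", "server", "location /", ...
            if pending == "server":
                servers.append(cur := {"server_name": "?", "protocols": None, "ssl": False})
            pending = None
        elif tok == "}":
            if stack.pop() == "server": cur = None
        elif tok == ";" and pending:         # end of a directive: "<name> <args...>"
            words = pending.split()
            if words[0] == "ssl_protocols":
                if stack == ["http"]:
                    http_protocols = tuple(words[1:])
                elif cur is not None:
                    cur["protocols"] = tuple(words[1:])
            elif words[0] == "server_name" and cur is not None:
                cur["server_name"] = words[1]
            elif words[0] == "listen" and cur is not None and "ssl" in words[1:]:
                cur["ssl"] = True
            pending = None
        elif tok != ";":
            pending = tok
    report = []
    for s in servers:
        if s["ssl"]:   # plain-HTTP servers never negotiate TLS, so ssl_protocols is moot there
            protos, src = ((s["protocols"], "server") if s["protocols"]
                           else (http_protocols or (), "http" if http_protocols else "nginx built-in default"))
            report.append({"server_name": s["server_name"], "protocols": protos, "source": src,
                           "obsolete": sorted(OBSOLETE & set(protos))})
    return report
```

Run it against the full output of `sudo nginx -T` rather than a single site file, since that is the only view in which http-level defaults and per-server overrides are both visible.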
