我有一个专用的CentOS Web服务器(与Plesk 12),我正在尝试禁用SSL 3。
我到处都试图禁用SSL 3,并试图在其他post中详细应用此修复程序,但是当我重新testing(使用https://www.ssllabs.com/ssltest/analyze.html?d )服务器时,它仍显示SSL 3可用。
我去过我的服务器供应商,他们一点都没帮忙。
有人能指出我正确的方向吗?
我的/etc/nginx/nginx.conf文件看起来像
#user nginx; worker_processes 1; #error_log /var/log/nginx/error.log; #error_log /var/log/nginx/error.log notice; #error_log /var/log/nginx/error.log info; #pid /var/run/nginx.pid; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for"'; #access_log /var/log/nginx/access.log main; sendfile on; #tcp_nopush on; #keepalive_timeout 0; keepalive_timeout 65; #tcp_nodelay on; gzip on; gzip_http_version 1.1; gzip_vary on; gzip_comp_level 6; gzip_proxied any; gzip_types text/plain image/svg+xml text/css application/json application/x$ gzip_buffers 16 8k; gzip_disable "MSIE [1-6]\.(?!.*SV1)"; server_tokens off; include /etc/nginx/conf.d/*.conf; server { ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDH$ ssl_prefer_server_ciphers on; } } 我应用以上我已经重新启动服务与sudo service nginx restart
我将不胜感激任何帮助。
我强烈build议您使用这里find的Mozilla SSLconfiguration工具。
它们保持最新,它涵盖了Apache和Nginx,它显示了所有的参数。
以下是我自己的默认站点configuration的摘录:
listen 443 ssl; listen [::]:443 ssl ipv6only=on; server_name ubuntu; # ---- SSL Configuration - Use http://mozilla.github.io/server-side-tls/ssl-config-generator/ to update ---- # # Includes PFS, Cert Pinning, SPDY # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate ssl_certificate /etc/nginx/ssl/nginx.crt; ssl_certificate_key /etc/nginx/ssl/nginx.key; ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m; # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits # Generate with: cd /etc/ssl/certs && sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048 ssl_dhparam /etc/nginx/ssl/dhparam.pem; # modern configuration. tweak to your needs. ssl_protocols TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; ssl_prefer_server_ciphers on; # HSTS add_header Strict-Transport-Security max-age=15768000; # OCSP Stapling --- # fetch OCSP records from URL in ssl_certificate and cache them #ssl_stapling on; #ssl_stapling_verify on; ## verify chain of trust of OCSP response using Root CA and Intermediate certs #For StartSSL goto 'Toolbox' and 'StartCom CA Certificates' and is called 'Server Certificate Bundle with CRLs'. #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates; #resolver 8.8.8.8; # ---- End of SSL Config ---- #
请注意,我没有启用OCSP装订,因为这是从在VirtualBox客户机上运行的本地开发服务器获取的,因此它只有一个自签名证书。
感谢所有的评论。 我终于find了一个解决scheme
http://forum.sp.parallels.com/threads/ssl-poodle-sslv3-bug.323338/
首先我要感谢UFHH01提供的解决scheme,我们的曝光已经解决了! 希望您不要介意,我已经汇编了以下所有步骤:
更新:确保您使用正确的模板目录。 “/ opt / psa / admin / conf / templates / default”与“/ usr / local / psa / admin / conf / templates / custom /”不一样,这可能是distro特定的,或者是打字错误。 ..我用/ usr / local / psa / admin / conf / templates / custom /
确保你先运行这些命令:
cd / etc / nginx / openssl dhparam -out dhparam.pem 4096
抓一杯咖啡,这将是一段时间…. [电梯音乐]当它完成后,你应该回到壳提示。
更新:如果目录不存在,则将目录设置为/ usr / local / psa / admin / conf / templates / custom /。 将文件复制到自定义模板时,请确保您使用的是相同的目录结构,并且只复制要编辑的文件。
命令:
/ usr / local / psa / admin / conf / templates / custom / cp /usr/local/psa/admin/conf/templates/default/server/nginxVhosts.php / usr / local / psa / admin / conf / templates / custom / server / cp / usr / local / psa / admin / conf / templates /default/domain/nginxDomainVirtualHost.php / usr / local / psa / admin / conf / templates / custom / domain / cd / usr / local / psa / admin / conf / templates / custom /
对以下位于/ usr / local / psa / admin / conf / templates / custom /
“nginxWebmailPartial.php”“server / nginxVhosts.php”“domain / nginxDomainVirtualHost.php”
码:
ssl_session_timeout 5m; ssl_session_cache共享:SSL:50米;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers“EECDH + ECDSA + AESGCM EECDH + aRSA + AESGCM EECDH + ECDSA + SHA384 EECDH + ECDSA + SHA256 EECDH + aRSA + SHA384 EECDH + aRSA + SHA256 EECDH + aRSA + RC4 EECDH EDH + aRSA RC4!aNULL!eNULL!LOW!3DES !MD5!EXP!PSK!SRP!DSS“; ssl_prefer_server_ciphers; ssl_dhparam /etc/nginx/dhparam.pem;
更改完成后,请务必:
/ usr / local / psa / admin / bin / httpdmng –reconfigure-all服务httpd restart服务nginx restart
您可以通过将其设置为默认值来完成此操作:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ALL:!ADH:RC4 + RSA:+ HIGH:+ MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP:!kEDH;
为了禁用对SSLv3(poodle vunerablity)的支持,您必须将SSLv3添加到您的密码中,以及仅在您的协议中使用TLS选项,就像我在上面给出的确切示例中提到的在您的服务器块中使用的那样。
当你这样做,你可以通过访问https://www.poodlescan.com/查看它是否工作。
希望有所帮助