我有一个全局的SSL选项文件,包含在每个服务器块中。
ssl_protocols TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; ssl_session_tickets off; # Requires nginx >= 1.5.9 ssl_stapling on; # Requires nginx >= 1.3.7 ssl_stapling_verify on; # Requires nginx => 1.3.7 ssl_dhparam /etc/letsencrypt/dhparam4096.pem; resolver 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 5s; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; gzip off; 所以每台服务器都运行在TLSv1.2上,但是有一台服务器在TLSv1和TLSv1.1上运行。
但是,当我执行configuration与以下任一:
ssl_protocols TLSv1 TLSv1.1; include "above mentioned config file";
和
include "above mentioned config file"; ssl_protocols TLSv1 TLSv1.1;
但是在运行命令时:
nmap –script ssl-enum-ciphers -p 443
然后它只显示TLSv1.2,但不显示TLSv1和TLSv1.1。 有什么方法来覆盖ssl_protocols指令? 如果是这样,我可以移动包括http块?