Disabling the weak 3DES and DES ciphers in nginx to keep the SSL certificate secure: SSL/TLS protocol information disclosure vulnerability (CVE-2016-2183)
cp -r nginx-1.19.2 ./nginx-1.19.2.bak
After checking the old version's information, you can run the following command to rename the old binary:
mv ./nginx ./nginx.old
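Vulnerability name
SSL/TLS protocol information disclosure vulnerability (CVE-2016-2183) [principle-based scan]
Detailed description
TLS (Transport Layer Security) is a protocol that provides confidentiality and data integrity between two communicating applications.
The DES and Triple DES (3DES) ciphers used in TLS, SSH, IPSec negotiation and other products have a birthday bound of approximately four billion blocks, which lets remote attackers obtain plaintext data via the Sweet32 attack.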
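server {
listen 80;
listen 443 ssl http2;
# HTTP/2 requires Nginx 1.9.7 or later
# "ssl on;" dropped: the ssl parameter on the listen line above already enables TLS on 443, and "ssl on" would also apply TLS to the port 80 listener
server_name ykqi.cn www.ykqi.cn;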
index index.php index.html index.htm default.php default.htm default.html;
root /www/wwwroot/dist/ykqi;
#SSL-START SSL-related configuration; do not delete or modify the commented 404 rule on the next line
#error_page 404/404.html;
add_header X-Frame-Options DENY;
# Forbid embedding the site in frames
add_header X-Content-Type-Options nosniff;
# Prevent MIME type confusion attacks in IE9, Chrome and Safari
ssl_certificate /www/server/panel/vhost/ssl/1_ykqi_bundle.crt;
ssl_certificate_key /www/server/panel/vhost/ssl/2_ykqi.key;
# SSL certificate file locations
ssl_dhparam /www/server/panel/vhost/ssl/dhparam.pem;
# Location of the DH key exchange parameter file
# SSL tuning
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Allow only TLS protocols
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4";
# The DES-CBC3 (3DES) suites are left out and !3DES is added: in an OpenSSL cipher string, !DES covers single DES only
Or
My choice
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!3DES:!ADH:!RC4:!DH:!DHE;
# Cipher suites; this uses CloudFlare's Internet facing SSL cipher configuration
ssl_prefer_server_ciphers on;
....... (remainder omitted here)
After configuring, restart Nginx!
Running the command: nmap -sV --script ssl-enum-ciphers -p 443 www.example.com
gives:
Starting Nmap 6.40 ( http://nmap.org ) at 2021-10-08 14:51 CST
Nmap scan report for 127.0.0.1
Host is up (0.035s latency).
PORT STATE SERVICE VERSION
443/tcp open http nginx 1.19.10
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - broken
|       TLS_ECDH_anon_WITH_AES_128_CBC_SHA - broken
|       TLS_ECDH_anon_WITH_AES_256_CBC_SHA - broken
|       TLS_ECDH_anon_WITH_RC4_128_SHA - broken
|       TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - weak
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.09 seconds
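In the results, the labels weak, broken and strong indicate the cipher strength. For security, weak ciphers below 128 bits must be disabled, and the Nginx SSL configuration must specify the ciphers explicitly:
Reload so that the nginx.conf configuration takes effect: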
nginx -s reload
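Nmap 6.40 rates the 3DES and RC4 suites in the scan above as strong, so the rating alone cannot confirm that CVE-2016-2183 is closed after the reload. The Python check below is an added example, not part of the original post; it flags suites by name in ssl-enum-ciphers output, and its marker list, function names and embedded sample lines are constructed for illustration.

```python
import re

# Constructed sample: a few lines taken from the scan output above (nmap 6.40 layout).
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_ECDH_anon_WITH_AES_128_CBC_SHA - broken
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|_  least strength: strong
"""

# Suite-name fragments to reject regardless of the rating nmap prints (assumed policy).
MARKERS = {
    "3DES": "3DES, 64-bit block (Sweet32, CVE-2016-2183)",
    "_DES_": "single DES",
    "RC4": "RC4",
    "RC2": "RC2",
    "EXPORT": "export-grade key",
    "_anon_": "anonymous key exchange",
    "_NULL_": "no encryption",
}
PROTO = re.compile(r"^\|_?\s+((?:SSL|TLS)v[\d.]+):")
# The optional "(...)" tolerates the key-exchange note newer nmap releases print.
SUITE = re.compile(r"^\|_?\s+((?:TLS|SSL)_\w+)(?: \([^)]*\))? - (\w+)")

def audit(scan_text):
    """Return [(protocol, suite, nmap_rating, [reasons])] for every flagged suite."""
    findings, proto = [], None
    for line in scan_text.splitlines():
        if m := PROTO.match(line):
            proto = m.group(1)
        elif m := SUITE.match(line):
            suite, rating = m.groups()
            reasons = [why for frag, why in MARKERS.items() if frag in suite]
            if reasons:
                findings.append((proto, suite, rating, reasons))
    return findings

def sweet32_exposed(scan_text):
    """True if any offered suite still uses 3DES."""
    return any("3DES" in suite for _, suite, _, _ in audit(scan_text))

if __name__ == "__main__":
    for proto, suite, rating, reasons in audit(SAMPLE):
        print(f"{proto} {suite} (nmap: {rating}): {', '.join(reasons)}")
```

Save the real scan to a file and pass its contents to audit(); an empty result means none of the listed markers appear in the offered suites.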