技錄生活


Disabling TLS 1.0 and TLS 1.1 on the Server Makes Your Website More Secure

Published: 2024-07-18; views: 1744; source: 太倉(cāng)蘇易

SSL/TLS versions

Protocol   Released          Status
SSL 1.0    never published   never published
SSL 2.0    1995              deprecated in 2011 (RFC 6176)
SSL 3.0    1996              deprecated in 2015 (RFC 7568)
TLS 1.0    1999              deprecated in 2021 (RFC 8996); browsers dropped it in 2020
TLS 1.1    2006              deprecated in 2021 (RFC 8996); browsers dropped it in 2020
TLS 1.2    2008              current
TLS 1.3    2018              current, recommended

Only TLS 1.2 and TLS 1.3 should be offered. Every configuration below makes the same change: remove the deprecated versions from the allowed list and add TLS 1.3 where the server software supports it.

Nginx

  1. Nginx's conf/nginx.conf usually contains
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  2. Remove TLSv1 and TLSv1.1, add TLSv1.3
    ssl_protocols TLSv1.2 TLSv1.3;
  3. Check the configuration, then reload Nginx for the change to take effect
    nginx -t && nginx -s reload
  • Note: ssl_protocols is inherited from the http block, so also look for server blocks that override it. The TLSv1.3 parameter is accepted from nginx 1.13.0 and only works when nginx is linked against OpenSSL 1.1.1 or newer.

Apache

  1. The Apache configuration usually contains
    SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2

  1-1. RedHat-based distributions (CentOS, Fedora): /etc/httpd/conf/httpd.conf, or /etc/httpd/conf.d/ssl.conf where mod_ssl ships its defaults
  1-2. Debian-based distributions (Ubuntu): the site files under /etc/apache2/sites-enabled/, plus /etc/apache2/mods-enabled/ssl.conf

  2. Remove +TLSv1 and +TLSv1.1, add +TLSv1.3
    SSLProtocol -ALL +TLSv1.2 +TLSv1.3
  3. Check the configuration, then restart Apache for the change to take effect
    # RedHat-based distributions (CentOS, Fedora)
    apachectl configtest && systemctl restart httpd
    # Debian-based distributions (Ubuntu)
    apachectl configtest && service apache2 restart
  • Note: the TLSv1.3 keyword is only understood by Apache httpd 2.4.36 or newer built against OpenSSL 1.1.1 or newer; on older builds leave it out and use SSLProtocol -ALL +TLSv1.2.


IIS

  1. IIS has no protocol setting of its own: it takes the enabled versions from the Schannel registry keys under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols. A version is disabled by setting, in its \Server subkey (for example ...\Protocols\TLS 1.0\Server), the DWORD values Enabled = 0 and DisabledByDefault = 1. The free IIS Crypto tool (IISCrypto.exe, published by Nartac Software, not by Microsoft) edits these keys through a GUI. Either way the change takes effect only after a reboot.


Tomcat

  1. Tomcat's conf/server.xml (APR/OpenSSL connector) usually contains
    SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
  2. Remove +TLSv1 and +TLSv1.1, add +TLSv1.3
    SSLProtocol="TLSv1.2+TLSv1.3"
  3. Restart Tomcat for the change to take effect
    # stop tomcat
    bin/shutdown.sh
    # start tomcat
    bin/startup.sh
  • Note: the SSLProtocol attribute with "+" syntax belongs to the APR/native connector. A JSSE connector uses sslEnabledProtocols="TLSv1.2,TLSv1.3" on the Connector instead, and Tomcat 8.5 and later use the protocols attribute of <SSLHostConfig> for both implementations. Whichever form applies, confirm the result with the detection steps below.
  • Note: adding TLS 1.3 on any of the servers above depends on the underlying library: OpenSSL 1.1.1 or newer for Nginx, Apache and Tomcat's APR connector; Java 11 (or Java 8u261) or newer for Tomcat's JSSE connector; Windows Server 2022 for IIS.


Detection

1. Testing the TLS 1.0 protocol

Force the client to offer only TLS 1.0. Redirecting stdin from /dev/null makes s_client exit as soon as the handshake is over; add -servername www.example.com for hosts that select their certificate by SNI.

    openssl s_client -connect www.example.com:443 -tls1 < /dev/null

    CONNECTED(00000003)
    write:errno=104
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 0 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        Start Time: 1633685489
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
    ---
  • Note: the server reset the connection (write:errno=104 is ECONNRESET) instead of completing a TLS 1.0 handshake: 0 bytes were read, no certificate arrived and the cipher is (NONE). That is what a disabled version looks like, so TLS 1.0 is off. The "Protocol : TLSv1" line in the session block only echoes what the client offered and is not evidence that TLS 1.0 was negotiated. A server may also answer with an alert ("tlsv1 alert protocol version") rather than a reset; that counts as disabled too. If the output instead says "no protocols available", the local openssl refused to offer TLS 1.0 at all and the test did not run. Repeat the same command with -tls1_1.

2. Testing the TLS 1.2 protocol

    openssl s_client -connect www.example.com:443 -tls1_2 < /dev/null

    CONNECTED(00000003)
    depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify error:num=10:certificate has expired
    notAfter=Sep 30 14:01:15 2021 GMT
    ---
    Certificate chain
     0 s:/CN=ztc.gzhuijiangyuan.com
       i:/C=US/O=Let's Encrypt/CN=R3
     1 s:/C=US/O=Let's Encrypt/CN=R3
       i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
     2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
       i:/O=Digital Signature Trust Co./CN=DST Root CA X3
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIFMzCCBBugAwIBAgISA7VcG2st4Mb9oRuhffYzViI9MA0GCSqGSIb3DQEBCwUA
    MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
    EwJSMzAeFw0yMTA5MzAxNTE5MjhaFw0yMTEyMjkxNTE5MjdaMCExHzAdBgNVBAMT
    4C7vbju3QzFzUyiu8Y3Si2V5oJbzrhIlftqQUUTU2vmMO1lmQi/uD3IqOfZZ4VXL
    dcOIHmUVDAzLOMa2brg8YXSQatARlhYDjC1T2aSPMxaKjKq84SHKw67PI6PGGE0u
    uYYizdj0riGDsULplmX/u7pFcaw6WjH9lBAasJqxGwFAeJ7AyK2N4D+WPz+fefsw
    IAaGUCj2G8pFoKl0N5DVzqgFIWwIxrfYYqS4ogqRUFsgZpcUuTj6
    -----END CERTIFICATE-----
    subject=/CN=www.example.com
    issuer=/C=US/O=Let's Encrypt/CN=R3
    ---
    No client certificate CA names sent
    Peer signing digest: SHA512
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 4702 bytes and written 415 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: C617C1E0D6945124100508852C5249DFD8D67F9312104C55547887B9CFD903
        Session-ID-ctx:
        Master-Key: 3A0F9459A936B9DC12E7F60ACF67E4B7006D950494F10AE1192E37AD4A732BA3D072EB1E0B9F317710CEAB8FAA1
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 300 (seconds)
        TLS session ticket:
        0000 - ca 53 6c fd 08 46 6e c4-3f 4f 25 43 70 22 c7 95   .Sl..Fn.?O%Cp"..
        0010 - cb 45 ec fd 7c 1d 49 28-58 81 e0 4d c2 bd d1 7b   .E..|.I(X..M...{
        0020 - 0c 23 42 0c c4 4d 58 f2-68 a7 0b a3 50 b0 ec e0   .#B..MX.h...P...
        0030 - 7e 57 a1 6d 16 44 5b db-90 91 f1 2c 44 bf d9 78   ~W.m.D[....,D..x
        0040 - c8 24 ea 0a e7 c6 55 b0-e2 42 6c 2c 49 7c 05 64   .$....U..Bl,I|.d
        0050 - 33 91 48 9a a8 0f 97 8a-c7 06 4d ed 85 8b d2 48   3.H.......M....H
        00a0 - 8a 8c 90 1c 8f 21 1b ad-37 61 00 b1 b4 fd 49 7b   .....!..7a....I{
        Start Time: 1633686054
        Timeout   : 7200 (sec)
        Verify return code: 10 (certificate has expired)
    ---
    DONE
  • Note: the handshake completes here: the server sent its certificate chain, 4702 bytes were read, the cipher is ECDHE-RSA-AES128-GCM-SHA256 and the session block reports Protocol : TLSv1.2. TLS 1.2 is therefore still enabled, which is what we want. The "Verify return code: 10 (certificate has expired)" is a separate issue: the chain is cross-signed by DST Root CA X3, which expired on 30 Sep 2021 (the notAfter shown above), and a client with an outdated CA bundle rejects it. It says nothing about protocol support, but it should be fixed on its own (serve the chain that ends in ISRG Root X1, or update the client's trust store). Run the same command with -tls1_3 to confirm that the new version is accepted as well.
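Running the four openssl commands by hand and reading the transcripts is error-prone, so here is a small script that automates the checks above. It is an added example, not part of the original article: it wraps openssl s_client, classifies each transcript by the same markers discussed above ("Cipher is (NONE)" for a refused version, the "Protocol :" line for a completed handshake, "no protocols available" when the local openssl cannot offer the version) and exits non-zero if TLS 1.0 or 1.1 is still accepted or TLS 1.2 is not. The host, port and file name are placeholders.

```shell
#!/bin/sh
# Added example for this article (not the author's own script): probe a host
# with openssl s_client once per TLS version and fail if TLS 1.0 or 1.1 is
# still accepted. Needs an OpenSSL 1.1.1 or newer client so that -tls1_3 exists.

# Classify one captured s_client transcript (read from stdin):
#   negotiated  - handshake finished, the server accepts this version
#   refused     - server rejected it (reset, alert, "Cipher is (NONE)")
#   unsupported - the local openssl would not even offer this version
classify_s_client() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'no protocols available'; then
    echo unsupported
  elif printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
    # A failed handshake still prints "Protocol : TLSv1" in the session
    # block (it only echoes what the client offered), so test the cipher
    # line before the protocol line.
    echo refused
  elif printf '%s\n' "$out" | grep -Eq '^ *Protocol *: *(SSLv3|TLSv1)'; then
    echo negotiated
  else
    echo refused
  fi
}

# Run one probe; prints "<flag> <verdict>". -servername sends SNI, and the
# redirect from /dev/null makes s_client exit as soon as the handshake is over.
tls_probe() {
  p_host=$1; p_port=$2; p_flag=$3
  p_verdict=$(openssl s_client -connect "$p_host:$p_port" -servername "$p_host" \
                "$p_flag" </dev/null 2>&1 | classify_s_client)
  printf '%s %s\n' "$p_flag" "$p_verdict"
}

# Policy from the article: TLS 1.0 and 1.1 must be refused, TLS 1.2 must be
# accepted, TLS 1.3 is reported but optional. Returns 1 on any violation so
# the function can gate a deployment.
tls_audit() {
  host=$1; port=${2:-443}; rc=0
  for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
    line=$(tls_probe "$host" "$port" "$flag")
    verdict=${line#* }
    case "$flag:$verdict" in
      -tls1:negotiated|-tls1_1:negotiated)
        echo "FAIL $line (legacy version still enabled)"; rc=1 ;;
      -tls1:unsupported|-tls1_1:unsupported)
        echo "SKIP $line (this openssl cannot offer it; retest from an older client)" ;;
      -tls1_2:negotiated)
        echo "OK   $line" ;;
      -tls1_2:*)
        echo "FAIL $line (TLS 1.2 must remain enabled)"; rc=1 ;;
      *)
        echo "OK   $line" ;;
    esac
  done
  return $rc
}

# Usage (file name is a placeholder): sh tls_audit.sh www.example.com 443
if [ $# -gt 0 ]; then
  tls_audit "$@"
fi
```

The SKIP branch matters on current distributions: an OpenSSL 3 client may refuse to offer TLS 1.0 itself, and treating that as "disabled on the server" would hide a misconfiguration. When that happens, rerun the probe from a machine with an older openssl or use one of the third-party scanners listed below.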


3. Third-party assessment sites

These scanners test every protocol version and cipher suite from the outside and report which ones the server still accepts:

  1. https://myssl.com
  2. https://ssllabs.com/ssltest

