技錄生活
了解行業(yè)最新資訊��,把握市場動態(tài)。
服務(wù)器禁用TLS1.0和TLS1.1協(xié)議使網(wǎng)站更安全
發(fā)布日期:2024-07-18���; 點(diǎn)擊率:1508�; 來源:太倉蘇易
SSL/TLS 的版本
|
協(xié)議
|
發(fā)布時(shí)間
|
狀態(tài)
|
|
SSL 1.0
|
未公布
|
未公布
|
|
SSL 2.0
|
1995 年
|
已于 2011 年棄用
|
|
SSL 3.0
|
1996 年
|
已于 2015 年棄用
|
|
TLS 1.0
|
1999 年
|
計(jì)劃于 2020 年棄用
|
|
TLS 1.1
|
2006 年
|
計(jì)劃于 2020 年棄用
|
|
TLS 1.2
|
2008 年
|
|
|
TLS 1.3
|
2018 年
|
|
Nginx
-
通常Nginx的
conf/nginx.conf配置如下
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-
刪除
TLS1.0 TLSv1.1����、增加TLS1.3
ssl_protocols TLSv1.2 TLSv1.3;
-
重啟Nginx使配置生效
nginx -s reload
Apache
-
通常Apache的配置如下
SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
1-1. 基于RedHat的發(fā)行版(CentOS,F(xiàn)edora)配置文件/etc/httpd/conf/httpd.conf
1-2. 基于Debian的發(fā)行版(Ubuntu)配置文件/etc/apache2/sites-enabled/目錄下
-
除
+TLSv1 +TLSv1.1�����、增加TLSv1.3
SSLProtocol -ALL +TLSv1.2 +TLSv1.3
-
重啟Apache使配置生效
# 基于RedHat的發(fā)行版(CentOS�,F(xiàn)edora)
# 基于Debian的發(fā)行版(Ubuntu)
IIS服務(wù)器
-
IIS服務(wù)器需使用官方工具(IISCrypto.exe )進(jìn)行修改
Tomcat
-
通常Tomcat的
conf/server.xml配置如下
SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
-
刪除
+TLSv1 +TLSv1.1、增加TLS1.3
SSLProtocol="TLSv1.2+TLSv1.3"
-
重啟Tomcat使配置生效
# 關(guān)閉tomcat
bin/shutdown.sh
# 啟動tomcat
-
注:以上服務(wù)器增TLS1.3需要依賴openSSL的版本以及IIS和Java的版本的支持
檢測
一�����、測試TLS1.0協(xié)議
openssl s_client -connect www.example.com:443 -tls1 < /dev/null
CONNECTED(00000003) write:errno=104 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 0 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session: Protocol : TLSv1
Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1633685489 Timeout : 7200 (sec) Verify return code: 0 (ok) ---
-
注: 表示使用TLS1.0協(xié)議連接不通��,說明我們已經(jīng)禁用了TLS1.0
二、測試TLS1.2協(xié)議
openssl s_client -connect www.example.com:443 -tls1_2 < /dev/null
CONNECTED(00000003) depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT --- Certificate chain 0 s:/CN=ztc.gzhuijiangyuan.com
i:/C=US/O=Let's Encrypt/CN=R3 1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3 --- Server certificate -----BEGIN CERTIFICATE----- MIIFMzCCBBugAwIBAgISA7VcG2st4Mb9oRuhffYzViI9MA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTA5MzAxNTE5MjhaFw0yMTEyMjkxNTE5MjdaMCExHzAdBgNVBAMT
4C7vbju3QzFzUyiu8Y3Si2V5oJbzrhIlftqQUUTU2vmMO1lmQi/uD3IqOfZZ4VXL
dcOIHmUVDAzLOMa2brg8YXSQatARlhYDjC1T2aSPMxaKjKq84SHKw67PI6PGGE0u
uYYizdj0riGDsULplmX/u7pFcaw6WjH9lBAasJqxGwFAeJ7AyK2N4D+WPz+fefsw
IAaGUCj2G8pFoKl0N5DVzqgFIWwIxrfYYqS4ogqRUFsgZpcUuTj6 -----END CERTIFICATE----- subject=/CN=www.example.com
issuer=/C=US/O=Let's Encrypt/CN=R3 --- No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 4702 bytes and written 415 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: C617C1E0D6945124100508852C5249DFD8D67F9312104C55547887B9CFD903
Session-ID-ctx: Master-Key: 3A0F9459A936B9DC12E7F60ACF67E4B7006D950494F10AE1192E37AD4A732BA3D072EB1E0B9F317710CEAB8FAA1
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - ca 53 6c fd 08 46 6e c4-3f 4f 25 43 70 22 c7 95 .Sl..Fn.?O%Cp".. 0010 - cb 45 ec fd 7c 1d 49 28-58 81 e0 4d c2 bd d1 7b .E..|.I(X..M...{ 0020 - 0c 23 42 0c c4 4d 58 f2-68 a7 0b a3 50 b0 ec e0 .#B..MX.h...P... 0030 - 7e 57 a1 6d 16 44 5b db-90 91 f1 2c 44 bf d9 78 ~W.m.D[....,D..x 0040 - c8 24 ea 0a e7 c6 55 b0-e2 42 6c 2c 49 7c 05 64 .$....U..Bl,I|.d 0050 - 33 91 48 9a a8 0f 97 8a-c7 06 4d ed 85 8b d2 48 3.H.......M....H
00a0 - 8a 8c 90 1c 8f 21 1b ad-37 61 00 b1 b4 fd 49 7b .....!..7a....I{ Start Time: 1633686054 Timeout : 7200 (sec) Verify return code: 10 (certificate has expired) --- DONE
-
注: 表示使用TLS1.2協(xié)議連接通過����,說明我們已經(jīng)禁用了TLS1.2
三�、第三方評測網(wǎng)站
一、https://myssl.com
二�����、https://ssllabs.com/ssltest
46780956