Open the Nginx configuration file and locate the SSL configuration block. Add the following directive inside the SSL block: ssl_ciphers '!ECDHE-RSA-AES256-SHA384:!AES256-SHA256:!TLSv1.2'; This directive tells Nginx to use only cipher suites that do not include TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384. Note that this directive disables every cipher suite that contains TLS_ECDHE_RSA_WITH_AES_256_CB...
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SH...
ssl_ciphers 'AES128+EECDH:AES128+EDH'; 1. eg2: from the Mozilla Foundation, backward compatible (IE6 / WinXP): ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SH...
Disable TLSv1.0 and TLSv1.1: enable only TLSv1.2 and TLSv1.3: ssl_protocols TLSv1.2 TLSv1.3; 1. Enable forward secrecy: choose key exchange algorithms that provide forward secrecy: ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305'; 1. Application scenarios: e-commerce websites...
Key algorithms: TLSv1.3 supports only key exchange algorithms that provide PFS (perfect forward secrecy) and drops RSA key exchange. For symmetric encryption it uses only AEAD-type ciphers, dropping CBC-mode AES and RC4. Key derivation: TLSv1.3 uses a newly designed algorithm called HKDF, whereas TLSv1.2 uses the PRF algorithm; we will look at the difference between the two later.
[root@iZuf65h6i43ltlzhqolumyZ conf]# cd /usr/local/nginx/conf   -- Enter the default Nginx configuration directory. This is the default directory when Nginx is compiled and installed manually; if you changed the default installation directory or installed Nginx another way, adjust the path to match your actual setup.
[root@iZuf65h6i43ltlzhqolumyZ conf]# cd cert...
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Disable cipher suites that are already known to be insecure
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA...
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
# Prefer the server's cipher suite order; on by default
ssl_prefer_server_ciphers on;
location / {
    root html;
    index index.html index.htm;
    ...
It provides a very restrictive setup with a 4096-bit private key, only TLS 1.2, and modern strict TLS cipher suites (non-128-bit). A+ on @ssllabs and 120/100 on @mozilla observatory with TLS 1.3 support: It provides a less restrictive setup with a 2048-bit private key, TLS 1.2 and 1.3, and modern strict TLS cipher suites (128/256-bit). The final grade is also in line with the industry standards. Recommend using this...