这是一个创建于 398 天前的主题,其中的信息可能已经有所发展或是发生改变。
修改 nginx ssl_protocols 配置只支持 TLSv1.2 ,但是检查出域名还是有 TLSv1.1 ,配置如下,该配置文件还有很多其它域名配置
listen 443 ssl;
server_name XXX;
allow all;
ssl_certificate /etc/nginx/cert/xxx.com.pem;
ssl_certificate_key /etc/nginx/cert/xxx.com.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!3DES;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
listen 443 ssl;
server_name XXX;
allow all;
ssl_certificate /etc/nginx/cert/xxx.com.pem;
ssl_certificate_key /etc/nginx/cert/xxx.com.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!3DES;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
 |
1
Nangle 2023-10-20 11:21:57 +08:00 via iPhone
其它域名配置也要同步改
|
 |
2
ysc3839 2023-10-20 11:30:56 +08:00 via Android
ssl 配置建议放在 http 块里面,server 块里只配置证书
|
 |
3
ondeay OP ssl_ciphers 密码套件去掉 ECDHE:ECDH:AES:HIGH 之后,TLSv1 TLSv1.1 就检测不到了
|
|
4
ysc3839 2023-10-20 16:12:36 +08:00 via Android
|
Select Language