2015年8月2日 星期日

[筆記] SSL 檢驗與設定



最近再跟廠商串接服務,結果廠商通知我們的SSL不夠安全!?於是趕緊去找了網路上的SSL檢查服務發現我們等級只有C ,的確有很多修改空間。

有興趣的人可參考以下這兩個服務:

經過掃描發現我們的設定有幾個地方需要改進:




1. Protocol support 移除SSLv3,可以參考這篇文章:disabling-sslv3-for-poodle

2. This server supports weak Diffie-Hellman (DH) key exchange parameters. 

3. The server does not support Forward Secrecy with the reference browsers.

關於2和3可以參考Guide to Deploying Diffie-Hellman for TLS 的步驟:

首先產生一個dhparams.pem檔,並且放置到/etc/nginx/certs 目錄下

openssl dhparam -out dhparams.pem 2048

然後在nginx 的ssl.conf 裡面加入

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/certs/dhparams.pem;

最後再重新reload nignx

更多關於Nginx SSL的設定可以參考:Strong SSL Security On nginx


其他關於 SSL 調教與效能的文章:
[1] SSL performance myth
[2] About TLS




張貼留言