最近再跟廠商串接服務,結果廠商通知我們的SSL不夠安全!?於是趕緊去找了網路上的SSL檢查服務發現我們等級只有C ,的確有很多修改空間。
有興趣的人可參考以下這兩個服務:
經過掃描發現我們的設定有幾個地方需要改進:
1. Protocol support 移除SSLv3,可以參考這篇文章:disabling-sslv3-for-poodle
2. This server supports weak Diffie-Hellman (DH) key exchange parameters.
3. The server does not support Forward Secrecy with the reference browsers.
關於2和3可以參考Guide to Deploying Diffie-Hellman for TLS 的步驟:
首先產生一個dhparams.pem檔,並且放置到/etc/nginx/certs 目錄下
openssl dhparam -out dhparams.pem 2048然後在nginx 的ssl.conf 裡面加入
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; ssl_prefer_server_ciphers on; ssl_dhparam /etc/nginx/certs/dhparams.pem;
最後再重新reload nignx
更多關於Nginx SSL的設定可以參考:Strong SSL Security On nginx
其他關於 SSL 調教與效能的文章:
[1] SSL performance myth
[2] About TLS
沒有留言:
張貼留言