问题描述
我想在nginx(v1.16.1)中添加一些TLS 1.2密码,而其中只有2个有效。
下面是我想得到支持的密码列表。
DHE-RSA-AES128-GCM-SHA256;
ECDHE-RSA-AES128-GCM-SHA256; ->可行
DHE-RSA-AES256-GCM-SHA384;
ECDHE-RSA-AES256-GCM-SHA384; ->可行
ECDHE-ECDSA-AES256-GCM-SHA384;
默认情况下添加在以下行中。conf
server {
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers off;
ssl_ciphers "DHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384";
...
}
我正在使用open ssl命令对其进行测试
openssl s_client -cipher DHE-RSA-AES128-GCM-SHA256 -connect localhost:8443 -tls1_2
openssl s_client -cipher ECDHE-RSA-AES128-GCM-SHA256 -connect localhost:8443 -tls1_2
openssl s_client -cipher DHE-RSA-AES256-GCM-SHA384 -connect localhost:8443 -tls1_2
openssl s_client -cipher ECDHE-RSA-AES256-GCM-SHA384 -connect localhost:8443 -tls1_2
openssl s_client -cipher ECDHE-ECDSA-AES256-GCM-SHA384 -connect localhost:8443 -tls1_2
一件被标记的作品使结果保持静止,如下所示
openssl s_client -cipher DHE-RSA-AES128-GCM-SHA256 -connect localhost:8443 -tls1_2
CONNECTED(00000218)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 118 bytes
Verification: OK
---
New,(NONE),Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1599152280
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
36400:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../openssl-1.1.1d/ssl/record/rec_layer_s3.c:1543:SSL alert number 40
我的配置是否有问题或不支持密码?
解决方法
对于Diffie Hellman密钥交换,您需要为nginx提供dhparam
:
openssl dhparam -out /etc/ssl/certsdhparam.pem 4096
并在nginx conf中进行配置:
ssl_dhparam /etc/ssl/certs/dhparam.pem;
请参见reference
对于ECDHE-ECDSA-AES256-GCM-SHA384;
,您还需要使用ecdsa密钥和证书。参见guide
混合RSA和ECDSA证书示例配置:
ssl_certificate /path/to/rsa.crt;
ssl_certificate_key /path/to/rsa.key;
ssl_certificate /path/to/ecdsa.crt;
ssl_certificate_key /path/to/ecdsa.key;
请参见reference