nginx 修复TLS1.0,TLS1.1协议漏洞

2021/04 15 22:04
序号漏洞名称加固建议
1TLS版本1.0协议检测启用对TLS 1.2或1.3的支持,并禁用对TLS 1.0的支持
2TLS版本1.1协议检测启用对TLS 1.2或1.3的支持,并禁用对TLS 1.1的支持

漏洞检测:

root@macs:~# nmap --script ssl-enum-ciphers -p 443 192.168.1.8
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-15 17:01 CST
Nmap scan report for 192.168.1.8
Host is up (0.021s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|     compressors: 
|       NULL
|     cipher preference: indeterminate
|     cipher preference error: Too few ciphers supported
|   TLSv1.1: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|     compressors: 
|       NULL
|     cipher preference: indeterminate
|     cipher preference error: Too few ciphers supported
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 5.84 seconds
root@macs:~# 

漏洞修复:

# 原始配置
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2 ;
# 修复配置
ssl_protocols TLSv1.2 ;

完整配置:

# HTTPS server
    #
    server {
        listen       443 ssl;
        server_name  192.168.1.8;
        keepalive_timeout  70;

        ssl_certificate      cert/mycert.pem;
        ssl_certificate_key  cert/privatekey.pem;
        
        #ssl_certificate      cert/server.crt;
        #ssl_certificate_key  cert/server_rsa_private.pem.unsecure;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

		#ssl_protocols TLSv1 TLSv1.1 TLSv1.2 ;
		ssl_protocols TLSv1.2 ;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }
        
		# 映射服务器集群
		location /test/{
			proxy_set_header  X-Real-IP        $remote_addr;
			proxy_pass http://test;
		}
        location /status{
            stub_status on;
        }
    }

漏洞复测:

root@macs:~# nmap --script ssl-enum-ciphers -p 443 192.168.1.8
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-15 17:11 CST
Nmap scan report for 192.168.1.8
Host is up (0.013s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 9.36 seconds
root@macs:~#

--转载请注明: https://www.macs.vip/archives/221