No. | Vulnerability | Hardening recommendation
1 | TLS 1.0 protocol detected | Enable support for TLS 1.2 or 1.3 and disable support for TLS 1.0
2 | TLS 1.1 protocol detected | Enable support for TLS 1.2 or 1.3 and disable support for TLS 1.1

Vulnerability detection:
root@macs:~# nmap --script ssl-enum-ciphers -p 443 192.168.1.8
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-15 17:01 CST
Nmap scan report for 192.168.1.8
Host is up (0.021s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: indeterminate
|     cipher preference error: Too few ciphers supported
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: indeterminate
|     cipher preference error: Too few ciphers supported
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
Nmap done: 1 IP address (1 host up) scanned in 5.84 seconds
root@macs:~#
Vulnerability fix (the nginx ssl_protocols directive; TLSv1 here means TLS 1.0):
# Original configuration
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Fixed configuration
ssl_protocols TLSv1.2;
Full configuration:
# HTTPS server
#
server {
    listen 443 ssl;
    server_name 192.168.1.8;
    keepalive_timeout 70;
    ssl_certificate cert/mycert.pem;
    ssl_certificate_key cert/privatekey.pem;
    #ssl_certificate cert/server.crt;
    #ssl_certificate_key cert/server_rsa_private.pem.unsecure;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
    # Map to the upstream server cluster
    location /test/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://test;
    }
    location /status {
        stub_status on;
    }
}
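The detection and the fix above can both be checked mechanically. The following Python script is an added example, not code from the original post: it parses `nmap --script ssl-enum-ciphers` output (the embedded sample is constructed to match the first scan in the post), flags the protocol versions the hardening table forbids, verifies that an nginx configuration's active `ssl_protocols` directive offers none of them, and can optionally probe a live server one TLS version at a time with Python's `ssl` module. The post's fix enables only TLSv1.2; `ssl_protocols TLSv1.2 TLSv1.3;` also passes the check, provided the OpenSSL that nginx is built against supports TLS 1.3 (an assumption about the deployment, not something the post states).

```python
"""Audit TLS protocol support against the hardening table (added example)."""
import re
import socket
import ssl

# Policy from the table: these versions must not be offered by the server.
DEPRECATED = {"SSLv3", "TLSv1.0", "TLSv1.1"}
# The same versions as nginx spells them in ssl_protocols (TLSv1 == TLS 1.0).
NGINX_DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample mirroring the post's scan before the fix.
SAMPLE_NMAP = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|_  least strength: A
"""

# A protocol heading in ssl-enum-ciphers output: "|   TLSv1.0:"
PROTO_LINE = re.compile(r"^\|_?\s+((?:SSL|TLS)v[\d.]+):\s*$")


def offered_protocols(nmap_output: str) -> list[str]:
    """Return the protocol versions the scan lists, in scan order."""
    return [m.group(1) for line in nmap_output.splitlines()
            if (m := PROTO_LINE.match(line))]


def findings_from_scan(nmap_output: str) -> list[str]:
    """Map offered deprecated versions to the vulnerability names in the table."""
    return [f"{p} protocol detected"
            for p in offered_protocols(nmap_output) if p in DEPRECATED]


SSL_PROTOCOLS = re.compile(r"^\s*ssl_protocols\s+([^;]+);", re.M)


def nginx_ssl_protocols(config: str) -> list[str]:
    """Versions from active ssl_protocols directives; '#' comments are ignored."""
    stripped = "\n".join(l.split("#", 1)[0] for l in config.splitlines())
    versions: list[str] = []
    for m in SSL_PROTOCOLS.finditer(stripped):
        versions.extend(m.group(1).split())
    return versions


def nginx_config_ok(config: str) -> bool:
    """True only if ssl_protocols is set explicitly and lists no deprecated version.
    An absent directive fails: nginx releases before 1.23.4 default to
    'TLSv1 TLSv1.1 TLSv1.2', which is exactly the finding the post fixes."""
    versions = nginx_ssl_protocols(config)
    return bool(versions) and not (set(versions) & NGINX_DEPRECATED)


def probe_tls_versions(host: str, port: int = 443, timeout: float = 5.0) -> dict[str, bool]:
    """Offer each TLS version on its own, as ssl-enum-ciphers does, and record
    whether the handshake completes. Needs network access; not run by the test.
    Caveat: a modern OpenSSL may refuse TLS 1.0/1.1 on the client side, so a
    False can mean 'client would not try it' rather than 'server rejected it'."""
    results = {}
    versions = (("TLSv1.0", ssl.TLSVersion.TLSv1), ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
                ("TLSv1.2", ssl.TLSVersion.TLSv1_2), ("TLSv1.3", ssl.TLSVersion.TLSv1_3))
    for name, ver in versions:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # we test version support, not the certificate
        try:
            ctx.minimum_version = ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = tls.version() is not None
        except (ssl.SSLError, ValueError, OSError):
            results[name] = False
    return results


if __name__ == "__main__":
    print("scan findings:", findings_from_scan(SAMPLE_NMAP))
    print("fixed config ok:", nginx_config_ok("ssl_protocols TLSv1.2;"))
```

Run the script against saved nmap output or the nginx config file to get the same verdict the post reaches by reading the scan by hand; `probe_tls_versions("192.168.1.8")` gives an independent retest of the host without nmap.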
Vulnerability retest (after reloading nginx, only TLSv1.2 is offered):
root@macs:~# nmap --script ssl-enum-ciphers -p 443 192.168.1.8
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-15 17:11 CST
Nmap scan report for 192.168.1.8
Host is up (0.013s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
Nmap done: 1 IP address (1 host up) scanned in 9.36 seconds
root@macs:~#