6.1、Nginx禁用3DES和DES弱加密算法

Nginx 禁用3DES和DES弱加密算法，保证SSL证书安全 SSL/TLS协议信息泄露漏洞(CVE-2016-2183)

cp -r nginx-1.19.2 ./nginx-1.19.2.bak

查看完旧版本信息可以执行如下命令，给旧版本改个名

mv ./nginx ./nginx.old

漏洞名称

SSL/TLS协议信息泄露漏洞(CVE-2016-2183)【原理扫描】

详细描述

TLS是安全传输层协议，用于在两个通信应用程序之间提供保密性和数据完整性。

TLS, SSH, IPSec协商及其他产品中使用的DES及Triple DES密码或者3DES及Triple 3DES存在大约四十亿块的生日界，这可使远程攻击者通过Sweet32攻击，获取纯文本数据。

{

    listen 80;
    listen 443 ssl https2;
    #使用HTTP/2，需要Nginx1.9.7以上的版本
    ssl on;
    server_name http://ykqi.cn www.ykqi.cn;
    index index.php index.html index.htm default.php default.htm default.html;
    root /www/wwwroot/dist/ykqi;

    #SSL-START SSL相关配置，请勿删除或修改下一行带注释的404规则
    #error_page 404/404.html;

    add_header X-Frame-Options DENY;
    #禁止被嵌入框架
    add_header X-Content-Type-Options nosniff;
    #防止在IE9、Chrome和Safari中的MIME类型混淆攻击
    ssl_certificate /www/server/panel/vhost/ssl/1_ykqi_bundle.crt;
    ssl_certificate_key /www/server/panel/vhost/ssl/2_ykqi.key;

    #SSL证书文件位置
    ssl_dhparam /www/server/panel/vhost/ssl/dhparam.pem;

    #DH-Key交换**文件位置

    #SSL优化配置
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    #只允许TLS协议
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

或者

我的选择

ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!3DES:!ADH:!RC4:!DH:!DHE;

#加密套件,这里用了CloudFlares Internet facing SSL cipher configuration
ssl_prefer_server_ciphers on;

…….此处省略

配置完重新启动Nginx!

通过命令： nmap -sV --script ssl-enum-ciphers -p 443 www.example.com 可得：

Starting Nmap 6.40 ( http://nmap.org ) at 2021-10-08 14:51 CST
Nmap scan report for 127.0.0.1
Host is up (0.035s latency).
PORT    STATE SERVICE VERSION
443/tcp open  http    nginx 1.19.10
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - broken
|       TLS_ECDH_anon_WITH_AES_128_CBC_SHA - broken
|       TLS_ECDH_anon_WITH_AES_256_CBC_SHA - broken
|       TLS_ECDH_anon_WITH_RC4_128_SHA - broken
|       TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - weak
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|     compressors: 
|       NULL
|_  least strength: strong

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.09 seconds

结果中weak(柔弱的)、broken(损坏的)、strong(坚固的)字段表示加密强度，为了安全需要将128位以下弱加密算法禁用，Nginx 配置 SSL需明确指定算法：

重启是nginx.conf配置生效

nginx -s reload