nginx禁用3DES和DES弱加密算法，保证SSL证书安全 SSL/TLS协议信息泄露漏洞(CVE-2016-2183)

cp -r nginx-1.19.2 ./nginx-1.19.2.bak

查看完旧版本信息可以执行如下命令，给旧版本改个名

mv ./nginx ./nginx.old

漏洞名称

SSL/TLS协议信息泄露漏洞(CVE-2016-2183)【原理扫描】

详细描述

TLS是安全传输层协议，用于在两个通信应用程序之间提供保密性和数据完整性。

TLS, SSH, IPSec协商及其他产品中使用的DES及Triple DES密码或者3DES及Triple 3DES存在大约四十亿块的生日界，这可使远程攻击者通过Sweet32攻击，获取纯文本数据。

{

listen 80;

listen 443 ssl https2;

#使用HTTP/2，需要Nginx1.9.7以上的版本

ssl on;

server_name http://ykqi.cn www.ykqi.cn;

index index.php index.html index.htm default.php default.htm default.html;

root /www/wwwroot/dist/ykqi;

#SSL-START SSL相关配置，请勿删除或修改下一行带注释的404规则

#error_page 404/404.html;

add_header X-Frame-Options DENY;

#禁止被嵌入框架

add_header X-Content-Type-Options nosniff;

#防止在IE9、Chrome和Safari中的MIME类型混淆攻击

ssl_certificate /www/server/panel/vhost/ssl/1_ykqi_bundle.crt;

ssl_certificate_key /www/server/panel/vhost/ssl/2_ykqi.key;

#SSL证书文件位置

ssl_dhparam /www/server/panel/vhost/ssl/dhparam.pem;

#DH-Key交换**文件位置

#SSL优化配置

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

#只允许TLS协议

ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

或者

我的选择

ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!3DES:!ADH:!RC4:!DH:!DHE;

#加密套件,这里用了CloudFlares Internet facing SSL cipher configuration

ssl_prefer_server_ciphers on;

.......此处省略

配置完重新启动Nginx!

通过命令： nmap -sV --script ssl-enum-ciphers -p 443 www.example.com 可得：

Starting Nmap 6.40 ( http://nmap.org ) at 2021-10-08 14:51 CST
Nmap scan report for 127.0.0.1
Host is up (0.035s latency).
PORT    STATE SERVICE VERSION
443/tcp open  http    nginx 1.19.10
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - broken
|       TLS_ECDH_anon_WITH_AES_128_CBC_SHA - broken
|       TLS_ECDH_anon_WITH_AES_256_CBC_SHA - broken
|       TLS_ECDH_anon_WITH_RC4_128_SHA - broken
|       TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - weak
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|     compressors: 
|       NULL
|_  least strength: strong

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.09 seconds

结果中weak(柔弱的)、broken(损坏的)、strong(坚固的)字段表示加密强度，为了安全需要将128位以下弱加密算法禁用，Nginx 配置 SSL需明确指定算法：

重启是nginx.conf配置生效

nginx -s reload