Check the certificate and TLS configuration strength with https://www.ssllabs.com/ssltest/index.html
How to raise the rating
Step 1:
Certificate configuration in nginx.conf:
ssl_certificate /usr/local/nginx/cert/36552_rockstics.com.pem;
ssl_certificate_key /usr/local/nginx/cert/3652_rockstics.com.key;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
#ssl_dhparam /usr/local/nginx/cert/dhparam.pem;
ssl_stapling on;
ssl_session_timeout 10m;
add_header Strict-Transport-Security "max-age=6307200; includeSubdomains; preload";
ssl_stapling_verify on;
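The snippet above still offers TLSv1 and TLSv1.1 (which SSL Labs caps at grade B), keeps the 3DES suites (`!DES` excludes single DES only, not DES-CBC3-SHA), leaves `ssl_dhparam` commented out while DHE suites are enabled, and sets a fairly short HSTS max-age. The following shell script is an added example, not part of the original post or of nginx: an offline lint that reads an nginx config fragment and reports those four points. The sample config files it writes are constructed here and modelled on the snippet above; the 180-day HSTS threshold is an assumption about what SSL Labs counts as a "long" max-age.

```shell
#!/bin/sh
# Added example (not from the original post): an offline lint of the ssl_*
# directives in an nginx config, covering points that pull down an SSL Labs
# grade: legacy protocols, 3DES suites, DHE without ssl_dhparam, short HSTS.

# Print the value of the first uncommented occurrence of directive $2 in file $1,
# without the trailing ';'. Empty output means absent or commented out.
nginx_directive() {
    sed -e 's/#.*$//' "$1" \
        | grep -E "^[[:space:]]*$2[[:space:]]" | head -n 1 \
        | sed -e "s/^[[:space:]]*$2[[:space:]]*//" -e 's/[[:space:]]*;[[:space:]]*$//'
}

# Extract the HSTS max-age (seconds) from an add_header Strict-Transport-Security line.
hsts_max_age() {
    sed -e 's/#.*$//' "$1" \
        | grep -E '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security' | head -n 1 \
        | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p'
}

# Assumption: SSL Labs only credits HSTS toward A+ for a long max-age
# (about six months); 180 days is used as the threshold here.
HSTS_MIN_AGE=15552000

# Print one "FINDING: ..." line per problem; always returns 0 so it can be piped.
audit_nginx_ssl() {
    cfg="$1"
    protocols=$(nginx_directive "$cfg" ssl_protocols)
    case " $protocols " in
        *" SSLv3 "*|*" TLSv1 "*|*" TLSv1.1 "*)
            echo "FINDING: ssl_protocols still offers a legacy protocol ($protocols)" ;;
    esac
    ciphers=$(nginx_directive "$cfg" ssl_ciphers | tr -d '"')
    case ":$ciphers:" in
        *CBC3*|*3DES*)
            echo "FINDING: 3DES suites in ssl_ciphers (!DES does not exclude DES-CBC3-SHA)" ;;
    esac
    # Plain DHE/EDH suites (not ECDHE) use the ssl_dhparam group; without it
    # nginx falls back to built-in DH parameters.
    case ":$ciphers:" in
        *:DHE-*|*:EDH-*)
            if [ -z "$(nginx_directive "$cfg" ssl_dhparam)" ]; then
                echo "FINDING: DHE suites enabled but ssl_dhparam is unset or commented out"
            fi ;;
    esac
    age=$(hsts_max_age "$cfg")
    if [ -z "$age" ]; then
        echo "FINDING: no Strict-Transport-Security header"
    elif [ "$age" -lt "$HSTS_MIN_AGE" ]; then
        echo "FINDING: HSTS max-age=$age is shorter than $HSTS_MIN_AGE seconds"
    fi
    return 0
}

# Number of FINDING lines for a config file (prints 0 when clean).
count_findings() {
    audit_nginx_ssl "$1" | grep -c '^FINDING:' || true
}

# Constructed sample configs: one modelled on the post's snippet, one hardened.
WEAK_CFG=$(mktemp)
GOOD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$GOOD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# constructed sample modelled on the snippet in the post
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
#ssl_dhparam /usr/local/nginx/cert/dhparam.pem;
add_header Strict-Transport-Security "max-age=6307200; includeSubdomains; preload";
EOF
cat > "$GOOD_CFG" <<'EOF'
# constructed hardened counterpart
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!MD5:!RC4";
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/local/nginx/cert/dhparam.pem;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
EOF

echo "weak config: $(count_findings "$WEAK_CFG") finding(s)"
audit_nginx_ssl "$WEAK_CFG"
echo "hardened config: $(count_findings "$GOOD_CFG") finding(s)"
```

Run it against your own `nginx.conf` (or the file that holds the `server` block) with `audit_nginx_ssl /path/to/nginx.conf`; it only reads the first occurrence of each directive, so split per-vhost files are best checked one at a time. After fixing the findings, re-run the SSL Labs test to confirm the grade changed.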
Step 2:
If nginx was built from source, rebuild it. My nginx version is Tengine/2.3.2 (nginx/1.17.3), and the OpenSSL version should be OpenSSL 1.1.1i or newer.
Download openssl-1.1.1i and extract it under /usr/local/ for use in the build
Change to the nginx source directory
Configure nginx (--with-openssl points at the extracted OpenSSL source tree, which nginx then builds and links statically)
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_auth_request_module --with-http_gzip_static_module --with-pcre --with-openssl=/usr/local/openssl-1.1.1i
Compile and install
make && make install
If nginx was installed from an rpm package, upgrade to a newer version or rebuild the rpm package.