如何在nginx的ssl_ciphers中添加ssl密码 [英] How to add ssl cipher to ssl_ciphers in nginx
问题描述
我正在使用让我们加密"在服务器中安装免费的TLS/SSL证书.我遵循了 Mozilla SSL配置生成器的建议并进行了配置像这样的nginx:
I am using Let's Encrypt to install a free TLS/SSL certificate in my server. I followed the suggestion of Mozilla SSL Configuration Generator and configured nginx like this:
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
问题是我需要Java 7与服务器进行通信,并且它不适用于上述配置.
The problem is that I need Java 7 to communicate with the server and it doesn't work with the configuration above.
当我将网站提交到 ssllabs 时,我收到以下消息:
When I submit my site to ssllabs I get the following message:
Java 7u25 Server sent fatal alert: handshake_failure
如果仅在nginx配置中注释ssl_ciphers行,则与Java 7的通信开始起作用.
If I just comment the ssl_ciphers line in nginx configuration, than the communication with Java 7 starts to work.
# After commenting the line below it works
# ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
所以我从 ssllabs 收到以下消息:
So I get the following message from ssllabs:
Java 7u25 RSA 2048 (SHA256) TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
我不想让ssl_ciphers行注释,因为nginx将使用其默认配置,该配置不太安全.
I would not like to let the ssl_ciphers line commented, because nginx would use its default configuration, which is less secure.
我只想将密码TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA添加到ssl_ciphers列表中.
I would like just to add the cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA to the ssl_ciphers list.
有可能吗?怎么做?
推荐答案
来自 OpenSSL的密码列表或这张来自testsl.sh的漂亮表,ECDHE-RSA-AES128-SHA.因此,您需要将ssl_ciphers指令设置为
From OpenSSL's cipher list or this nice table from testssl.sh, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA corresponds to ECDHE-RSA-AES128-SHA. So you'd set your ssl_ciphers directive to
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-SHA";
这篇关于如何在nginx的ssl_ciphers中添加ssl密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
