How to choose the right ciphers for NGINX config


Question

I'm new to nginx, and I recently decided to make a change to the config file to redirect my applications from http to https using the return statement return 301 https://$host$request_uri;. This all worked fine until I noticed that we weren't receiving text messages via the Twilio API. I decided to debug the issue and found that I was receiving an SSL/TLS Handshake Error.

Looking into the debugger I saw that they gave this as the possible cause of the issue:

Incompatible cipher suites in use by the client and the server. This would require the client to use (or enable) a cipher suite that is supported by the server.

Looking at the nginx config file, I noticed that no ciphers are being set, which is probably the root of the problem, rather than TLS not being enabled. See the config below:

server {
    listen      443 ssl http2 default_server;
    listen      [::]:443 ssl http2 default_server;
    server_name localhost;

    ssl_certificate     "/etc/nginx/ssl/domain-crt.txt";
    ssl_certificate_key "/etc/nginx/ssl/domain-key.txt";
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ## No ssl_ciphers directive here, so nginx's build-time default applies.

    ## More configuration below this...
}

Twilio has a list of supported ciphers which can be found here, but I'm not sure how to do this within my config file. Am I supposed to use all of them, since my protocols include TLSv1, TLSv1.1, and TLSv1.2? Or do I only use one of those in the list? I'm really confused as to what I need to set in my ssl_ciphers variable.

Also I read that having SSLv3 enabled in ssl_protocols is a bad idea. Can I just remove that from the ssl_protocols and save the config without it causing major issues?

If anyone could help me answer these questions, that would be very helpful. Thank You!

Answer

Ciphers are being used by default; Nginx configures them according to the version.

In version 1.0.5 and later, the default SSL ciphers are HIGH:!aNULL:!MD5. In versions 0.7.65 and 0.8.20 and later, the default SSL ciphers are HIGH:!ADH:!MD5. From version 0.8.19 the default SSL ciphers are ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM. From version 0.7.64, 0.8.18 and earlier the default SSL ciphers are ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP. See Nginx Docs for more information.

But you can also be explicit and choose the ciphers you want to allow using: ssl_ciphers "cipher1 cipher2 ... cipherN"; For example, ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256"; to support only this specific cipher suite. Regarding:

Also I read that having SSLv3 enabled in ssl_protocols is a bad idea. Can I just remove that from the ssl_protocols and save the config without it causing major issues?

The only major issue it can cause is that a client using SSLv3 that tries to connect to your server will get rejected, since it is not accepted by your server (not supported by the config file). In any case, it's the Nginx default in some versions and shouldn't be the problem.

From Nginx Docs:

From versions 0.7.65 and 0.8.19 and later, the default SSL protocols are SSLv3, TLSv1, TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library).
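The answer above describes what ssl_ciphers and ssl_protocols control but gives no way to check a candidate configuration before reloading nginx. The following script is an added example, not code from the original post or from nginx: it reads the two directives out of an nginx server block, expands the cipher string through the OpenSSL library Python is linked against (OpenSSL cipher strings are colon-separated, e.g. HIGH:!aNULL:!MD5), drops suites the server's certificate key type cannot use, and intersects the result with a client's cipher list. An empty intersection is exactly the "Incompatible cipher suites" failure the question describes. The client list, both config snippets, the default cipher string taken from the answer, and the RSA-certificate assumption are all constructed for the example; Twilio's real list is not reproduced here.

```python
"""Audit nginx ssl_protocols / ssl_ciphers against a client's cipher list.

Added example (not from the original post). Assumptions: the server certificate
is RSA, as in the question, and CLIENT_CIPHERS is a CONSTRUCTED stand-in for
whatever list a real client such as Twilio publishes.
"""
import re
import ssl

# nginx's default for ssl_ciphers since 1.0.5, as quoted in the answer.
NGINX_DEFAULT_CIPHERS = "HIGH:!aNULL:!MD5"
# Protocol versions that should not appear in ssl_protocols any more.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed stand-in for a client's published cipher list (NOT Twilio's real list).
CLIENT_CIPHERS = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "AES128-GCM-SHA256",
]

# Constructed copy of the question's server block (no ssl_ciphers, SSLv3 enabled).
QUESTION_CONFIG = """
server {
    listen      443 ssl http2 default_server;
    server_name localhost;
    ssl_certificate     "/etc/nginx/ssl/domain-crt.txt";
    ssl_certificate_key "/etc/nginx/ssl/domain-key.txt";
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""

# Constructed hardened variant: modern protocols only, explicit suites, server order.
HARDENED_CONFIG = """
server {
    listen      443 ssl http2 default_server;
    server_name localhost;
    ssl_certificate     "/etc/nginx/ssl/domain-crt.txt";
    ssl_certificate_key "/etc/nginx/ssl/domain-key.txt";
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384";
    ssl_prefer_server_ciphers on;
}
"""


def parse_ssl_directives(config_text):
    """Pull ssl_protocols and ssl_ciphers out of an nginx server block."""
    protocols = re.search(r"^\s*ssl_protocols\s+([^;]+);", config_text, re.M)
    ciphers = re.search(r'^\s*ssl_ciphers\s+"?([^;"]+)"?\s*;', config_text, re.M)
    return {
        "protocols": protocols.group(1).split() if protocols else None,
        "ciphers": ciphers.group(1).strip() if ciphers else None,
    }


def expand_cipher_string(cipher_string, cert_auth="RSA"):
    """Return the TLS 1.2-and-below suite names OpenSSL enables for a cipher
    string, keeping only suites the server's key type can authenticate.

    TLS 1.3 suites are configured separately from ssl_ciphers and always show
    up in get_ciphers(), so they are dropped here. OpenSSL rejects a string
    that selects nothing ("No cipher can be selected"); that is reported as [].
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    names = []
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            continue
        # Description looks like "... Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD".
        auth = re.search(r"Au=(\S+)", suite["description"])
        auth = auth.group(1) if auth else "None"
        # An RSA certificate cannot negotiate ECDHE-ECDSA-* suites and vice versa.
        if auth not in (cert_auth, "any"):
            continue
        names.append(suite["name"])
    return names


def negotiable_ciphers(server_cipher_string, client_ciphers, cert_auth="RSA"):
    """Suites both sides accept, in server preference order; [] means the
    handshake fails with an incompatible-cipher-suites error."""
    client = set(client_ciphers)
    return [n for n in expand_cipher_string(server_cipher_string, cert_auth) if n in client]


def audit(config_text, client_ciphers, cert_auth="RSA"):
    """Summarise one server block: effective cipher string, legacy protocols, overlap."""
    directives = parse_ssl_directives(config_text)
    cipher_string = directives["ciphers"] or NGINX_DEFAULT_CIPHERS
    protocols = directives["protocols"] or []
    return {
        "cipher_string": cipher_string,
        "explicit_ciphers": directives["ciphers"] is not None,
        "legacy_protocols": sorted(p for p in protocols if p in LEGACY_PROTOCOLS),
        "negotiable": negotiable_ciphers(cipher_string, client_ciphers, cert_auth),
    }


if __name__ == "__main__":
    for label, cfg in (("question", QUESTION_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg, CLIENT_CIPHERS))
```

Two caveats when using this against a real server: the expansion reflects the OpenSSL build behind the Python interpreter, which may differ from the one nginx was compiled against (OpenSSL 1.1.0 and later do not even build SSLv3 support by default, so listing it in ssl_protocols has no effect there), and the intersection only models cipher selection, not protocol version or certificate chain problems. For a live check, openssl s_client -cipher against the real host is the final word.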
