nginx禁用3DES和DES弱加密算法，保证SSL证书安全

编程入门行业动态更新时间:2024-10-08 04:31:56

nginx禁用3DES和DES弱<a href=https://www.elefans.com/category/jswz/34/1769177.html style= 加密算法，保证SSL证书安全"/>

nginx禁用3DES和DES弱加密算法，保证SSL证书安全

收到漏扫报告↓↓↓↓↓↓↓

漏洞名称	SSL/TLS协议信息泄露漏洞(CVE-2016-2183)【原理扫描】
详细描述	TLS是安全传输层协议，用于在两个通信应用程序之间提供保密性和数据完整性。 TLS, SSH, IPSec协商及其他产品中使用的DES及Triple DES密码或者3DES及Triple 3DES存在大约四十亿块的生日界，这可使远程攻击者通过Sweet32攻击，获取纯文本数据。 <来源：Karthik Bhargavan Gaetan Leurent 链接：.txt >
解决办法	建议：避免使用DES和3DES算法 1、OpenSSL Security Advisory [22 Sep 2016] 链接：.txt 请在下列网页下载最新版本： / 2、对于nginx、apache、lighttpd等服务器禁止使用DES加密算法主要是修改conf文件 3、Windows系统可以参考如下链接： =ws2016
威胁分值	7.5
危险插件	否
发现日期	2016-08-31
CVE编号	CVE-2016-2183
BUGTRAQ	92630
NSFOCUS	34880
CNNVD编号	CNNVD-201608-448
CNCVE编号	CNCVE-20162183
CVSS评分	5.0
CNVD编号	CNVD-2016-06765

操作如下：

本机扫描

yum install -y nmap
nmap -sV -p 443 --script ssl-enum-ciphers 10.2.10.2

[root@zhtzdb-10 ~]# nmap -sV -p 443 --script ssl-enum-ciphers 10.2.10.2

Starting Nmap 6.40 ( ) at 2022-07-05 10:36 CST
Nmap scan report for 10.2.10.2
Host is up (0.00011s latency).
PORT STATE SERVICE VERSION
443/tcp open http nginx
| ssl-enum-ciphers:
| SSLv3: No supported ciphers found
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| compressors:
| NULL
|_ least strength: strong

Service detection performed. Please report any incorrect results at / .
Nmap done: 1 IP address (1 host up) scanned in 6.34 seconds

编辑nginx.conf文件，修改ssl_ciphers后面的参数，如下↓

server {
listen 443 ssl;
server_name www.cookie;

ssl_certificate cert/2022_www.cookie.pem;
ssl_certificate_key cert/2022_www.cookie.key;
ssl_session_timeout 5m;
#ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_ciphers HIGH:!ADH:!MD5;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

保存退出，重启nginx服务。

重新执行nmap命令

[root@zhtzdb-10 ~]# nmap -sV -p 443 --script ssl-enum-ciphers 10.2.10.2

Starting Nmap 6.40 ( ) at 2022-07-05 10:48 CST
Nmap scan report for 10.2.10.2
Host is up (0.00010s latency).
PORT STATE SERVICE VERSION
443/tcp open http nginx
| ssl-enum-ciphers:
| SSLv3: No supported ciphers found
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDH_anon_WITH_AES_128_CBC_SHA - broken
| TLS_ECDH_anon_WITH_AES_256_CBC_SHA - broken
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDH_anon_WITH_AES_128_CBC_SHA - broken
| TLS_ECDH_anon_WITH_AES_256_CBC_SHA - broken
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_ECDH_anon_WITH_AES_128_CBC_SHA - broken
| TLS_ECDH_anon_WITH_AES_256_CBC_SHA - broken
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| compressors:
| NULL
|_ least strength: broken

Service detection performed. Please report any incorrect results at / .
Nmap done: 1 IP address (1 host up) scanned in 6.35 seconds