SSL/TLS 的版本
| 协议 | 发布时间 | 状态 |
|---|---|---|
| SSL 1.0 | 未公布 | 未公布 |
| SSL 2.0 | 1995 年 | 已于 2011 年弃用 |
| SSL 3.0 | 1996 年 | 已于 2015 年弃用 |
| TLS 1.0 | 1999 年 | 计划于 2020 年弃用 |
| TLS 1.1 | 2006 年 | 计划于 2020 年弃用 |
| TLS 1.2 | 2008 年 | |
| TLS 1.3 | 2018 年 |
Nginx
- 通常Nginx的
conf/nginx.conf配置如下
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- 删除
TLS1.0 TLSv1.1、增加TLS1.3
ssl_protocols TLSv1.2 TLSv1.3;
- 重启Nginx使配置生效
nginx -s reload
Apache
- 通常Apache的配置如下
SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
1-1. 基于RedHat的发行版(CentOS,Fedora)配置文件/etc/httpd/conf/httpd.conf
1-2. 基于Debian的发行版(Ubuntu)配置文件/etc/apache2/sites-enabled/目录下
- 删除
+TLSv1 +TLSv1.1、增加TLSv1.3
SSLProtocol -ALL +TLSv1.2 +TLSv1.3
- 重启Apache使配置生效
# 基于RedHat的发行版(CentOS,Fedora)
systemctl restart httpd
# 基于Debian的发行版(Ubuntu)
service apache2 restart
IIS服务器
- IIS服务器需使用官方工具(IISCrypto.exe )进行修改
IISCrypto.exe
Tomcat
- 通常Tomcat的
conf/server.xml配置如下
SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
- 删除
+TLSv1 +TLSv1.1、增加TLS1.3
SSLProtocol="TLSv1.2+TLSv1.3"
- 重启Tomcat使配置生效
# 关闭tomcat
bin/shutdown.sh
# 启动tomcat
bin/startup.sh
- 注:以上服务器增TLS1.3需要依赖openSSL的版本以及IIS和Java的版本的支持
检测
一、测试TLS1.0协议
openssl s_client -connect www.example.com:443 -tls1 < /dev/null
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1633685489
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
- 注: 表示使用TLS1.0协议连接不通,说明我们已经禁用了TLS1.0
二、测试TLS1.2协议
openssl s_client -connect www.example.com:443 -tls1_2 < /dev/null
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
---
Certificate chain
0 s:/CN=ztc.gzhuijiangyuan.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFMzCCBBugAwIBAgISA7VcG2st4Mb9oRuhffYzViI9MA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTA5MzAxNTE5MjhaFw0yMTEyMjkxNTE5MjdaMCExHzAdBgNVBAMT
4C7vbju3QzFzUyiu8Y3Si2V5oJbzrhIlftqQUUTU2vmMO1lmQi/uD3IqOfZZ4VXL
dcOIHmUVDAzLOMa2brg8YXSQatARlhYDjC1T2aSPMxaKjKq84SHKw67PI6PGGE0u
uYYizdj0riGDsULplmX/u7pFcaw6WjH9lBAasJqxGwFAeJ7AyK2N4D+WPz+fefsw
IAaGUCj2G8pFoKl0N5DVzqgFIWwIxrfYYqS4ogqRUFsgZpcUuTj6
-----END CERTIFICATE-----
subject=/CN=www.example.com
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4702 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: C617C1E0D6945124100508852C5249DFD8D67F9312104C55547887B9CFD903
Session-ID-ctx:
Master-Key: 3A0F9459A936B9DC12E7F60ACF67E4B7006D950494F10AE1192E37AD4A732BA3D072EB1E0B9F317710CEAB8FAA1
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - ca 53 6c fd 08 46 6e c4-3f 4f 25 43 70 22 c7 95 .Sl..Fn.?O%Cp"..
0010 - cb 45 ec fd 7c 1d 49 28-58 81 e0 4d c2 bd d1 7b .E..|.I(X..M...{
0020 - 0c 23 42 0c c4 4d 58 f2-68 a7 0b a3 50 b0 ec e0 .#B..MX.h...P...
0030 - 7e 57 a1 6d 16 44 5b db-90 91 f1 2c 44 bf d9 78 ~W.m.D[....,D..x
0040 - c8 24 ea 0a e7 c6 55 b0-e2 42 6c 2c 49 7c 05 64 .$....U..Bl,I|.d
0050 - 33 91 48 9a a8 0f 97 8a-c7 06 4d ed 85 8b d2 48 3.H.......M....H
00a0 - 8a 8c 90 1c 8f 21 1b ad-37 61 00 b1 b4 fd 49 7b .....!..7a....I{
Start Time: 1633686054
Timeout : 7200 (sec)
Verify return code: 10 (certificate has expired)
---
DONE
- 注: 表示使用TLS1.2协议连接通过,说明我们已经禁用了TLS1.2
三、第三方评测网站
https://myssl.com
ssllabs.com
