Friday, 15 April 2016

Improving SSL Security

Disable SSLv3
SSLv3 POODLE vulnerability
http://www.oschina.net/news/56159/ssl-v3-poodle

Enable perfect forward secrecy
http://axiacore.com/blog/enable-perfect-forward-secrecy-nginx/

Add the following settings to the http block of the nginx configuration:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
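
An added example, not part of the original post: a static check over the directives above that confirms SSLv3 is absent from ssl_protocols and lists ssl_ciphers entries that do not require ephemeral key exchange or that enable RC4 (prohibited in TLS by RFC 7465). The helper names are hypothetical, and the token-level parsing is a simplification of how OpenSSL expands a cipher string.

```python
import re

# Constructed sample: the three directives from the post inside an http block.
SAMPLE_CONF = """
http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
}
"""

# OpenSSL cipher-string keywords that select ephemeral (forward-secret) key exchange.
PFS_KEYWORDS = {"EECDH", "ECDHE", "kEECDH", "kECDHE", "EDH", "DHE", "kEDH", "kDHE"}


def directive(conf, name):
    """Return the argument string of the last `name ...;` directive, or None."""
    hits = re.findall(r"^\s*" + re.escape(name) + r"\s+([^;]+);", conf, re.MULTILINE)
    return hits[-1].strip().strip("\"'") if hits else None


def audit(conf):
    """Static, token-level audit (hypothetical helper, not an nginx or OpenSSL API)."""
    protocols = directive(conf, "ssl_protocols")
    ciphers = directive(conf, "ssl_ciphers") or ""
    report = {
        # None means the directive is absent and the nginx default applies.
        "sslv3_enabled": None if protocols is None else "SSLv3" in protocols.split(),
        "prefer_server_ciphers": directive(conf, "ssl_prefer_server_ciphers") == "on",
        "no_pfs": [],
        "rc4": [],
    }
    for token in re.split(r"[\s:,]+", ciphers):
        if not token or token[0] in "!-":      # exclusions add no cipher suites
            continue
        parts = set(token.lstrip("+").split("+"))
        if not parts & PFS_KEYWORDS:
            report["no_pfs"].append(token)      # may select static-RSA key exchange
        if "RC4" in parts:
            report["rc4"].append(token)
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

On the post's cipher string it reports the bare RC4 entry as not forward-secret. Running `openssl ciphers -v` on the same string shows the exact suites the local OpenSSL build would enable.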

Online SSL security checking tool

https://www.ssllabs.com/ssltest/index.html