While setting up nginx with SSL on Ubuntu 20.04, TLS 1.0 and 1.1 would not negotiate even though the nginx configuration checked out, so OpenSSL looked like the culprit. The cause: Ubuntu 20.04 ships OpenSSL 1.1.1 with the insecure TLS versions disabled by default (minimum protocol TLS 1.2, security level 2). They can be re-enabled by editing the OpenSSL configuration file. Keep in mind that /etc/ssl/openssl.cnf is read by every program that uses the system OpenSSL, so this lowers the baseline for the whole host, not just nginx; only do it for clients that genuinely cannot speak TLS 1.2.
patch:

--- openssl.cnf 2020-12-26 10:Q k w Y C i 154:59.000000000 +0800
+++ /etc/ssl/openssl.cnf        2020-12-26 11:28:20.406439168 +0800
@@ -11,V p =6 +11,8 @@
# defined.
HOME                   = .
+k / ] H X 4 D M ,openssl_conf = default_conf
+
# ExZ 1 { X f &tra OBJECT IDENTIFIER is l Nnfo:
#oid_file              = $ENV::HOME/.oid
oid_section            = new_oids
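Review bot: the `openssl_conf = default_conf` directive is added at the top of the shared /etc/ssl/openssl.cnf, so the MinProtocol/SECLEVEL relaxation defined later in this patch applies to every process on the host that loads the default OpenSSL config, not only nginx; add a comment beside the directive saying why it is there, and if only nginx needs legacy clients consider pointing nginx at a private copy of the file through the OPENSSL_CONF environment variable instead of editing the system-wide one.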
@@ -348,3 +350,13\ ^ d l o N ( V @@
# (optional, defa1 , 4 O Oult: no)
ess_cert_id_alg                = sha1  # algorithm to compute certificate
# identifier (optional, default: sha1)
+
+[default_conf]
+ssl_conf = ssl_sect
+
+[ssl_sect]
+system_default = system_default_sect
+
+[system_default_sect]
+MinProtocol = TLSv1
+CipherString = DEFAULT:@SECLEVEL=1
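Review bot: `[system_default_sect]` lowers two independent knobs at once and the patch does not say which one the post actually needed: `MinProtocol = TLSv1` re-admits TLS 1.0/1.1, while `CipherString = DEFAULT:@SECLEVEL=1` also drops the level-2 key-size floor (RSA/DSA/DH keys under 2048 bits and ECC keys under 224 bits become acceptable again). Record the reason for each line in a comment in the section, and verify with the s_client checks at the end of the post whether MinProtocol alone is enough before also lowering the security level.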

Alternatively, edit the file directly. Insert this line at the top of openssl.cnf:

sed -i '1i openssl_conf = default_conf' /etc/ssl/openssl.cnf

and append this section at the end:

cat >> /etc/ssl/openssl.cnf <<EOF
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1
EOF

Use openssl to test whether TLS 1.0 and 1.1 are now accepted (a successful handshake prints the negotiated cipher and protocol in the SSL-Session block; a refused one shows a protocol-version alert and "Cipher is (NONE)"):

openssl s_client -connect www.haiyun.me:443 -tls1_1
openssl s_client -connect www.haiyun.me:443 -tls1
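The sed/cat edit above is not idempotent: running it twice leaves two `openssl_conf` lines and two copies of the section, and it blindly adds a second `openssl_conf` directive if the file already has one pointing at another section. The following script is an added example, not code from the original post: it applies the same change exactly once, refuses to run when a different top-level section is already selected, checks the result, and wraps the s_client probe from the last step so it reports accepted/rejected per protocol version. Function names (enable_legacy_tls, legacy_tls_enabled, probe_tls) are assumptions of this example; it assumes GNU sed (for `sed -i '1i ...'`) and the openssl binary, and probe_tls needs network access, so it is not run automatically.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent version of the
# openssl.cnf edit, plus a probe helper. Section names mirror the post
# (default_conf / ssl_sect / system_default_sect). Assumes GNU sed.

# The settings block the post appends, kept in one place for reuse.
legacy_tls_section() {
    cat <<'EOF'
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1
EOF
}

# enable_legacy_tls CONF: apply the change once. Returns 0 on success and 2 if
# CONF already selects a top-level section other than default_conf (in that case
# the section must be merged by hand rather than overridden blindly).
enable_legacy_tls() {
    conf="$1"
    # Name of the section an existing openssl_conf directive points at, if any.
    existing=$(grep -E '^[[:space:]]*openssl_conf[[:space:]]*=' "$conf" \
               | head -n 1 | sed 's/.*=[[:space:]]*//')
    if [ -n "$existing" ] && [ "$existing" != "default_conf" ]; then
        echo "openssl_conf already set to '$existing'; not touching $conf" >&2
        return 2
    fi
    if [ -z "$existing" ]; then
        # Same edit as the post's sed one-liner, only when no directive exists yet.
        sed -i '1i openssl_conf = default_conf' "$conf"
    fi
    if ! grep -q '^\[system_default_sect\]' "$conf"; then
        { printf '\n'; legacy_tls_section; } >> "$conf"
    fi
    return 0
}

# legacy_tls_enabled CONF: 0 if CONF carries the directive and the section exactly
# once and both relaxed settings are present.
legacy_tls_enabled() {
    conf="$1"
    [ "$(grep -c '^openssl_conf = default_conf' "$conf")" -eq 1 ] &&
    [ "$(grep -c '^\[system_default_sect\]' "$conf")" -eq 1 ] &&
    grep -q '^MinProtocol = TLSv1$' "$conf" &&
    grep -q '^CipherString = DEFAULT:@SECLEVEL=1$' "$conf"
}

# probe_tls HOST PORT VERSION: VERSION is tls1, tls1_1 or tls1_2. Prints
# "accepted" when s_client negotiated a cipher, "rejected" when the server
# refused the version ("Cipher is (NONE)"), and "error" when no TLS session
# summary appeared at all (connection refused, unknown option, ...).
probe_tls() {
    host="$1"; port="$2"; ver="$3"
    out=$(openssl s_client -connect "$host:$port" -servername "$host" "-$ver" \
          </dev/null 2>&1)
    case "$out" in
        *'Cipher is (NONE)'*) echo rejected ;;
        *'Cipher is '*)       echo accepted ;;
        *)                    echo error ;;
    esac
}

# Usage (not executed here): copy the system file, patch the copy, then probe.
#   cp /etc/ssl/openssl.cnf /tmp/openssl.cnf && enable_legacy_tls /tmp/openssl.cnf
#   for v in tls1 tls1_1 tls1_2; do echo "$v: $(probe_tls www.haiyun.me 443 $v)"; done
```

Run it against a copy first, then against /etc/ssl/openssl.cnf as root; because the second call is a no-op, it is safe to rerun from a provisioning script. The probe compares the three versions in one go, which shows whether the server still offers TLS 1.2 after the change as well as whether 1.0/1.1 came back.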

Reference:
https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level
