NET::ERR_SSL_OBSOLETE_VERSION with Chrome
I have a Node application hosted on AWS EC2 with a Let's Encrypt certificate installed. When I try to access the API I get the error

Connection - obsolete connection settings
The connection to this site is encrypted and authenticated using TLS 1.0, ECDHE_RSA, and AES_256_CBC with HMAC-SHA1.
TLS 1.0 is obsolete. Enable TLS 1.2 or later.
AES_256_CBC is obsolete. Enable an AES-GCM-based cipher suite.

The SSL certificate is shown correctly as coming from Let's Encrypt.

I have actually set TLS 1.2 AES-GCM-based ciphers in the config file. My nginx version is

nginx version: nginx/1.16.1
OpenSSL 1.0.2k-fips 26 Jan 2017

Any pointers?

Here is the snippet from my nginx.conf file
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    access_log /var/log/nginx/access.log main;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    server {
        listen 80;
        listen 443 ssl;
        server_name localhost;
        root /usr/share/nginx/html;
        ssl_certificate /opt/ssl/cacert.pem;
        ssl_certificate_key /opt/ssl/privkey.pem;
        ssl_session_timeout 5m;
        ssl_protocols SSLv2 TLSv1.2 TLSv1.1 TLSv1;
        #ssl_protocols SSLv2 SSLv3 TLSv1;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        #charset koi8-r;
    }

    server {
        listen 443 ssl http2;
        server_name aws.qureme.co.in;
        root /usr/share/nginx/html;
        ssl_certificate /etc/letsencrypt/live/aws.qureme.co.in/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/aws.qureme.co.in/privkey.pem;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
        ssl_ecdh_curve secp384r1;
        ssl_session_tickets off;
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.8.8;
    }
}
The problem was that I had set different protocols and ciphers for the 2 server blocks (one for the IP address and the other for the domain name).

Many thanks to STEFFEN ULLRICH for the input. Here is the revised spec
server {
    listen 80;
    listen 443 ssl;
    server_name localhost;
    root /usr/share/nginx/html;
    ssl_certificate /opt/ssl/cacert.pem;
    ssl_certificate_key /opt/ssl/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1 TLSv1.3;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
    ssl_prefer_server_ciphers on;
}

server {
    listen 443 ssl http2;
    server_name aws.qureme.co.in;
    root /usr/share/nginx/html;
    ssl_certificate /etc/letsencrypt/live/aws.qureme.co.in/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/aws.qureme.co.in/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
}
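The mismatch the question ended up with (two `listen 443 ssl` blocks with different `ssl_protocols`/`ssl_ciphers`, where the first block listed is the default server for the port unless `default_server` is set) is easy to catch statically before Chrome catches it at runtime. The following is an added example, not code from the question or from the answer it refers to: a small Python lint that parses the TLS-relevant directives out of each `server` block and reports obsolete protocol versions, cipher lists that do not lead with an AEAD (GCM/CHACHA20) suite, and blocks on the same TLS port that disagree. The parser, the function names and the `first_preference_is_aead` heuristic are my own; the two embedded configs are constructed from the question's original and revised snippets; the nginx defaults in the constants are the documented defaults for nginx 1.9.1 through 1.23.3.

```python
import re

# nginx defaults applied when a block omits the directive (nginx 1.9.1 - 1.23.3
# ship `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` and `ssl_ciphers HIGH:!aNULL:!MD5;`)
NGINX_DEFAULT_PROTOCOLS = ["TLSv1", "TLSv1.1", "TLSv1.2"]
NGINX_DEFAULT_CIPHERS = "HIGH:!aNULL:!MD5"
# protocol versions Chrome's Security panel reports as obsolete
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
DIRECTIVE_RE = re.compile(r"^([A-Za-z_]+)\s+(.*?)\s*;$")


def parse_server_blocks(config_text):
    """Hypothetical helper: collect listen/server_name/ssl_protocols/ssl_ciphers
    per `server { ... }` block.  Handles one directive per line and '#' comments."""
    blocks, current, depth = [], None, 0
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.endswith("{"):
            if line.startswith("server") and current is None:
                current = {"server_name": "(none)", "listen": [],
                           "ssl_protocols": [], "ssl_ciphers": None, "depth": depth}
            depth += 1
        elif line == "}":
            depth -= 1
            if current is not None and depth == current["depth"]:
                blocks.append(current)
                current = None
        elif current is not None:
            m = DIRECTIVE_RE.match(line)
            if not m:
                continue
            name, args = m.groups()
            if name == "listen":
                current["listen"].append(args.split())
            elif name == "server_name":
                current["server_name"] = args
            elif name == "ssl_protocols":
                current["ssl_protocols"] = args.split()
            elif name == "ssl_ciphers":
                current["ssl_ciphers"] = args
    return blocks


def tls_ports(block):
    """Ports this block serves TLS on, i.e. `listen <port> ... ssl` directives."""
    return sorted({args[0] for args in block["listen"] if "ssl" in args[1:]})


def first_preference_is_aead(cipher_string):
    """Heuristic: with `ssl_prefer_server_ciphers on` the first group in the
    server's list wins for any client that offers it, so a list that leads
    with GCM/CHACHA20 only falls back to CBC for clients without AEAD support."""
    head = cipher_string.split(":", 1)[0].upper()
    return "GCM" in head or "CHACHA20" in head


def lint(config_text):
    """Return a sorted list of findings for every TLS-serving server block."""
    findings, by_port = [], {}
    for b in parse_server_blocks(config_text):
        ports = tls_ports(b)
        if not ports:
            continue                                 # plain-HTTP block, nothing to check
        name = b["server_name"]
        protocols = b["ssl_protocols"] or NGINX_DEFAULT_PROTOCOLS
        ciphers = b["ssl_ciphers"] or NGINX_DEFAULT_CIPHERS
        obsolete = [p for p in protocols if p in OBSOLETE_PROTOCOLS]
        if obsolete:
            findings.append(f"{name}: obsolete protocols enabled: {' '.join(obsolete)}")
        if not first_preference_is_aead(ciphers):
            findings.append(f"{name}: cipher list does not lead with an AEAD suite: {ciphers}")
        for port in ports:
            by_port.setdefault(port, []).append((name, tuple(protocols), ciphers))
    # blocks sharing a TLS port must agree: the first one listed is the default
    # server for that port (absent `default_server`) and its ssl_protocols govern
    # version negotiation before SNI picks the named block
    for port, entries in by_port.items():
        if len({(p, c) for _, p, c in entries}) > 1:
            names = ", ".join(n for n, _, _ in entries)
            findings.append(f"port {port}: blocks {names} disagree on ssl_protocols/ssl_ciphers; "
                            f"the first one listed is the default server for that port")
    return sorted(findings)


# Constructed from the question's original snippet (TLS-relevant directives only)
ORIGINAL_CONF = """
http {
    server {
        listen 80;
        listen 443 ssl;
        server_name localhost;
        ssl_protocols SSLv2 TLSv1.2 TLSv1.1 TLSv1;
        #ssl_protocols SSLv2 SSLv3 TLSv1;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
    }
    server {
        listen 443 ssl http2;
        server_name aws.qureme.co.in;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
    }
}
"""
# The revised snippet: the localhost block now matches the domain block
REVISED_CONF = ORIGINAL_CONF.replace(
    "ssl_protocols SSLv2 TLSv1.2 TLSv1.1 TLSv1;", "ssl_protocols TLSv1.2 TLSv1.1 TLSv1 TLSv1.3;"
).replace(
    "ssl_ciphers HIGH:!aNULL:!MD5;",
    "ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;",
)

if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("revised", REVISED_CONF)):
        print(f"== {label} ==")
        for finding in lint(conf):
            print("  -", finding)
```

Run against the original snippet it reports the port-443 disagreement plus the `HIGH:!aNULL:!MD5` list on the default (`localhost`) block, which is exactly the TLS 1.0 + AES_256_CBC combination Chrome complained about. Against the revised snippet the disagreement disappears, but the lint still reports `TLSv1.1 TLSv1` on both blocks: the revised `ssl_protocols` line keeps them enabled, so a client that only offers TLS 1.0 would still trip the same Chrome warning; restricting the directive to `TLSv1.2 TLSv1.3` removes that finding.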