[Answered] [Urgent help] Security scanner still reports TLS 1.0/1.1 after the protocols were disabled...
This post was last edited by ccoder on 2025-4-14 08:28. Panel and plugin versions:
宝塔 (BT Panel) version: 9.5.0
System version:
Operating system: ubuntu 24.4
nginx:1.26.3
openssl: 3.0.13
Problem description:
1. Current configuration: the Nginx configuration file explicitly sets ssl_protocols TLSv1.2 TLSv1.3; and I have confirmed the configuration is in effect.
2. Contradiction: a local test with openssl s_client -connect shows only TLS 1.2 support, yet a third-party security scanner (and some remote servers) still detect TLS 1.0/1.1 support.
3. Already ruled out:
✓ Confirmed the nginx.conf directive is in the correct scope (http/server block)
✓ Ran nginx -t to validate the configuration syntax
✓ Ran systemctl reload nginx and also a full restart
✓ Checked that there is no duplicate ssl_protocols declaration
✓ No intermediate proxy layer
✓ Checked nginx -T: no other 443 configuration; the panel's SSL setting is turned off
Related screenshots (logs, errors):
Local test result:
root@production:~# openssl s_client -connect defend.hnzthgroup.com:443 -tls1
CONNECTED(00000003)
40477DE83F760000:error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available:../ssl/statem/statem_lib.c:104:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
Test result from another server:
# openssl s_client -connect defend.hnzthgroup.com:443 -tls1
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Encryption Everywhere DV TLS CA - G2
verify return:1
depth=0 CN = defend.hnzthgroup.com
verify return:1
00C23BE34B7F0000:error:0A00014D:SSL routines:tls_process_key_exchange:legacy sigalg disallowed or unsupported:ssl/statem/statem_clnt.c:2254:
---
Certificate chain
0 s:CN = defend.hnzthgroup.com
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Encryption Everywhere DV TLS CA - G2
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Jan8 00:00:00 2025 GMT; NotAfter: Jan8 23:59:59 2026 GMT
1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Encryption Everywhere DV TLS CA - G2
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Nov 27 12:46:40 2017 GMT; NotAfter: Nov 27 12:46:40 2027 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
`````````
-----END CERTIFICATE-----
subject=CN = defend.hnzthgroup.com
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Encryption Everywhere DV TLS CA - G2
---
No client certificate CA names sent
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3139 bytes and written 141 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol: TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1743857364
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
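The first output above stops at "no protocols available" after 0 bytes were read, which is the local OpenSSL 3.0 client refusing to offer TLS 1.0 at its default security level, while the second host's output reached the key exchange with Protocol: TLSv1, so the remote result is the one to check against. The following is an added example (not part of the original post, nor code from 宝塔 or nginx) that sends a hand-built TLS 1.0/1.1 ClientHello from any machine, independent of the local OpenSSL policy, and reports whether the server answers with a ServerHello or an alert; the cipher list, hostnames and the byte strings in the test are constructed.

```python
import os
import socket
import struct

# Constructed offer: ECDHE/RSA AES and 3DES suites that a TLS 1.0 or 1.1 client would send
LEGACY_SUITES = (0xC013, 0xC014, 0x002F, 0x0035, 0x000A)

def build_client_hello(host, version=(3, 1)):
    """Build one TLS record carrying a ClientHello that offers only `version`
    ((3, 1) = TLS 1.0, (3, 2) = TLS 1.1) plus an SNI extension for `host`."""
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni          # extension type 0 = server_name
    suites = b"".join(struct.pack("!H", s) for s in LEGACY_SUITES)
    body = (bytes(version) + os.urandom(32) + b"\x00"    # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake

def parse_response(data):
    """Classify the first record the server returns:
    ("ServerHello", (major, minor)) means the offered version was accepted,
    ("Alert", description) means it was refused (70 = protocol_version,
    40 = handshake_failure, i.e. version accepted but no common cipher)."""
    if len(data) < 5:
        return ("Unknown", None)
    if data[0] == 0x15 and len(data) >= 7:                        # alert record
        return ("Alert", data[6])
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:   # handshake, ServerHello
        return ("ServerHello", (data[9], data[10]))
    return ("Unknown", None)

def probe(host, port=443, version=(3, 1), timeout=5):
    """Open a TCP connection, send the ClientHello and report the server's reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(host, version))
        return parse_response(s.recv(4096))

if __name__ == "__main__":
    import sys
    for ver, label in (((3, 1), "TLS 1.0"), ((3, 2), "TLS 1.1")):
        print(label, probe(sys.argv[1], version=ver))
```

Run it as python3 tlsprobe.py defend.hnzthgroup.com; a ServerHello answer with (3, 1) or (3, 2) confirms the scanner's finding, whereas ("Alert", 70) means that version is refused by whatever terminates TLS for that name.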
Enabling HTTP/3 requires the browser to have HTTP/3 enabled and UDP port 443 to be open.
Nginx configuration reference:
listen 443 quic reuseport;
listen 443 ssl;
http3 on;
http2 on;
ssl_protocols TLSv1.3; # TLSv1.3 must be enabled
location / {
    # Tell the browser via a response header that the server supports HTTP/3 and which port HTTP/3 listens on
    add_header Alt-Svc 'h3=":443"; ma=86400';
}