Weak SSL Version, SSL Weak Cipher Suites Supported

Vulnerability scan result:

Severity: Medium
Vulnerability: Weak SSL Version (SSLv2, SSL v3, TLS v1.0 and TLS v1.1), SSL Weak Cipher Suites Supported

The cause of this finding is that the server still accepts outdated SSL/TLS protocol versions.

After reviewing my own setup, I found that the problem was in nginx, so I adjusted nginx's SSL settings. For the recommended SSL configuration for each nginx version, refer to:

https://ssl-config.mozilla.org/#server=nginx&version=1.19.8&config=intermediate&openssl=1.1.1d&guideline=5.6

My version is 1.19, and the configuration is as follows:

server {
    listen       443 ssl http2;
    listen  [::]:443 ssl http2;
    server_name  xxxx.xxxx.com;

    if ($http_user_agent ~* (Scrapy|Curl|HttpClient)) {
        return 403;
    }

    if ($http_user_agent ~ "FeedDemon|JikeSpider|Indy Library|Alexa Toolbar|AskTbFXTV|AhrefsBot|CrawlDaddy|CoolpadWebkit|Java|Feedly|UniversalFeedParser|ApacheBench|Microsoft URL Control|Swiftbot|ZmEu|oBot|jaunty|Python-urllib|lightDeckReports Bot|YYSpider|DigExt|YisouSpider|HttpClient|MJ12bot|heritrix|EasouSpider|LinkpadBot|Googlebot|Ezooms|^$" ) {
        return 403;
    }

    if ($request_method !~ ^(GET|HEAD|POST)$) {
        return 403;
    }

    # ssl_certificate      cert.pem;
    # ssl_certificate_key  cert.key;
    ssl_certificate      /Users/zeng/app/5013214__xxxx-digital.com_nginx/5013214__xxxx-digital.com.pem;
    ssl_certificate_key  /Users/zeng/app/5013214__xxxx-digital.com_nginx/5013214__xxxx-digital.com.key;

    # ssl_session_cache    shared:SSL:1m;
    ssl_session_cache    shared:MozSSL:10m;
    ssl_session_tickets  off;
    ssl_session_timeout  5m;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # ssl_ciphers  HIGH:!aNULL:!MD5;
    # ssl_prefer_server_ciphers  on;

    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    location ~* \.(exe|bat|com|pif|scr|php|php5)$ {
        deny all;
        add_header X-Frame-Options SAMEORIGIN;        # only this site may embed pages in a frame
        add_header X-Content-Type-Options nosniff;    # disable MIME type sniffing
        add_header X-XSS-Protection "1; mode=block";  # XSS protection
    }

    location / {
        # location ~* \.(text|html|php|avi|mp4|wmv|vob|flr|rmvb|mpg|mkv|mpeg)$ {
        # root   html;
        add_header X-Frame-Options SAMEORIGIN;        # only this site may embed pages in a frame
        add_header X-Content-Type-Options nosniff;    # disable MIME type sniffing
        add_header X-XSS-Protection "1; mode=block";  # XSS protection
        proxy_pass http://127.0.0.1:8080;
        # index  index.html index.htm;
    }
}
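As an added check (not from the original post), a small Python linter for the two directives this scan result is about: it reports any weak protocol version listed in ssl_protocols, any enabled cipher token that names RC4, DES/3DES, MD5, NULL, export-grade or anonymous suites, and OpenSSL keywords such as HIGH whose real expansion has to be reviewed with `openssl ciphers -v`. The old ssl_protocols line in the sample is an assumed value; the other sample settings are taken from the post.

```python
import re
from typing import List

# Protocol tokens (as nginx spells them) that the scanner reports as weak.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of OpenSSL cipher names that mark weak or anonymous suites
# (RC4, single/triple DES, HMAC-MD5, NULL encryption/auth, export grade, LOW).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH", "LOW")
# OpenSSL keywords whose expansion depends on the OpenSSL build, so they hide
# which suites are really enabled.
OPAQUE_KEYWORDS = {"HIGH", "MEDIUM", "ALL", "DEFAULT", "COMPLEMENTOFDEFAULT"}


def _directive_args(config: str, name: str) -> List[str]:
    """Argument tokens of every uncommented `<name> ...;` line in the config."""
    uncommented = re.sub(r"#.*", "", config)  # drop `# ...` to end of line
    tokens: List[str] = []
    for match in re.finditer(rf"^\s*{name}\s+([^;]+);", uncommented, re.MULTILINE):
        tokens.extend(match.group(1).split())
    return tokens


def audit_tls_config(config: str) -> List[str]:
    """Return findings for weak ssl_protocols / ssl_ciphers in an nginx config."""
    findings: List[str] = []
    protocols = _directive_args(config, "ssl_protocols")
    if not protocols:
        findings.append("ssl_protocols not set; the nginx default depends on the version")
    findings += [f"weak protocol enabled: {p}" for p in protocols if p in WEAK_PROTOCOLS]
    for cipher_string in _directive_args(config, "ssl_ciphers"):
        for token in cipher_string.split(":"):
            if token.startswith(("!", "-")):
                continue  # a negated token excludes suites, it does not enable any
            if token in OPAQUE_KEYWORDS:
                findings.append(f"opaque keyword {token}: review with `openssl ciphers -v`")
            elif any(marker in token.upper() for marker in WEAK_CIPHER_MARKERS):
                findings.append(f"weak cipher token: {token}")
    return findings


# Constructed samples: the old defaults commented out in the post (the old
# ssl_protocols line is assumed) and the fixed settings from the same post.
OLD_CONFIG = """
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers  HIGH:!aNULL:!MD5;
"""
NEW_CONFIG = """
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384;
"""
```

Running audit_tls_config on the old sample reports TLSv1, TLSv1.1 and the opaque HIGH keyword; on the fixed sample it reports nothing, which is the state the rescan should confirm.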
