nginx禁用3DES和DES弱加密算法

nginx禁用3DES和DES弱加密算法

yum install -y nmap
nmap -sV -p 443 --script ssl-enum-ciphers 127.0.0.1

#注释下面的语句（用这个即可）
#ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_ciphers HIGH:!ADH:!MD5;

   ssl_ciphers HIGH:!ADH:!MD5;
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

正常情况下应该是这样 不安全协议和加密算法都禁止
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!3DES;
ssl_protocols TLSv1.1 TLSv1.2 LSv1.3;

  server {
                listen 443 ssl;
                server_name  www.cookie.com;
                
                ssl_certificate      cert/2022_www.cookie.com.pem;
                ssl_certificate_key  cert/2022_www.cookie.com.key;
                ssl_session_timeout 5m;
                ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!3DES;
                ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
                ssl_prefer_server_ciphers on;

/usr/local/nginx/sbin/nginx -s reload

 在tomcat/conf/server.xml中找到https端口配置，添加Ciphers="......"，此处添加支持的算法，不支持的算法请勿加入其中！