web-dev-qa-db-ja.com

NginxおよびCentos 7でTLSv1およびTLSV1.1を有効にできない

下位互換性のためにTLSv1とTLSv1.1を有効にする必要があります。これは私の設定です。

>>> nginx -V
nginx version: nginx/1.16.1 (packages.exove.com: SSE2, openssl-1.1.1d, PCRE JIT, TCP Fast Open)
built by gcc 7.3.1 20180303 (Red Hat 7.3.1-5) (GCC) 
built with OpenSSL 1.1.1d  10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-pcre=../pcre-8.43 --with-pcre-jit --with-pcre-opt=-fPIC --with-openssl=../openssl-1.1.1d --with-libatomic --add-dynamic-module=../incubator-pagespeed-ngx-1.13.35.2-stable --build='packages.exove.com: SSE2, openssl-1.1.1d, PCRE JIT, TCP Fast Open' --with-openssl-opt=no-dtls --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC -mmmx -msse -msse2 -DTCP_FASTOPEN=23' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'

そして、これは私のnginx confファイルです。

nginx.conf

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    include /etc/nginx/conf.d/*.conf;

}

アプリケーション設定ファイル

server {

  server_name api.test.com;
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  ssl_certificate         /etc/letsencrypt/live/api.test.com/fullchain.pem;
  ssl_certificate_key     /etc/letsencrypt/live/api.test.com/privkey.pem;
  ssl_trusted_certificate /etc/letsencrypt/live/api.test.com/fullchain.pem;

  ssl_session_cache shared:MozSSL:10m;
  ssl_session_timeout 1d;
  ssl_session_tickets off;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
  ssl_prefer_server_ciphers off;
  ssl_dhparam /etc/ssl/certs/dhparam.pem;
  add_header Strict-Transport-Security "max-age=31536000" always;
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver 1.1.1.1 8.8.8.8 8.8.4.4 valid=60s;
  resolver_timeout 2s;


  location / {

    proxy_pass http://localhost:48515/;

    add_header Access-Control-Allow-Origin * always;
    add_header Access-Control-Allow-Headers * always;
    add_header Access-Control-Allow-Methods * always;

    proxy_pass_request_headers on;
    proxy_set_header           X-FILE $request_body_file;
    proxy_redirect             off;
    client_body_in_file_only   clean;

  }

}

ssllabsテストは、TLSv1.2のみが有効であることを示しています。私の間違いは何ですか?

2
yooneskh

クライアント(api)の一部がまだ古いopensslを使用しており、その間にアップグレードできないため、同様の問題が発生します。

私のdefault_serverでもプロトコルとチッパーを有効にした後で動作しました。

私のsites-enable/default.conf

server {
  listen 443 ssl default deferred http2;
  listen [::]:443 ssl default deferred http2;
  server_name server.example.com;

  # Old configuration based on https://ssl-config.mozilla.org/
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
    ssl_prefer_server_ciphers on;

# other default directive ....
} 

と私のsites-enable/api.conf

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name api.example.com;
  root /home/user/api;

  # Old configuration based on https://ssl-config.mozilla.org/
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
    ssl_prefer_server_ciphers on;

# other directive ....
}

APIは、TLSv1.0、TLSv1.1、およびwwwがTLSv1.2とTLSv1.3のみを使用するようにロックされているサービスを提供できるようになりました。

2
Sakurai Evsa

古いApacheインストールで同様の問題がありました。多分暗号化ボットが標準設定ファイルを変更しましたか?!

0
fruitystones