How to disable the SSLv3/SSLv2 protocols on common web servers
2015-08-14 11:19:01  Source: Mark4z5's blog
I. Configuring HTTPS on Nginx
1. Install Nginx
wget http://nginx.org/download/nginx-1.7.1.tar.gz
tar zxvf nginx-1.7.1.tar.gz
cd nginx-1.7.1/
./configure --with-http_ssl_module --prefix=/usr/local/nginx; make; make install
2. Enable SSL/TLS
mkdir /usr/local/nginx/sslkey
cd /usr/local/nginx/sslkey
openssl genrsa -out key.pem 2048
openssl req -new -x509 -nodes -out server.crt -keyout server.key
#press Enter at every prompt and leave every field blank (-keyout writes a fresh key to server.key, so key.pem from the previous command is not the key this certificate uses)
vi /usr/local/nginx/conf/nginx.conf
#uncomment the HTTPS server block and change the certificate and key paths (see figure below)
/usr/local/nginx/sbin/nginx
#start nginx; it now listens on http (80) and https (443)
3. Disable SSLv3
vi /usr/local/nginx/conf/nginx.conf
#add the directive ssl_protocols TLSv1 TLSv1.1 TLSv1.2; (see figure below)
Note: the implicit default is SSLv3 TLSv1 TLSv1.1 TLSv1.2
/usr/local/nginx/sbin/nginx -s reload
#reload nginx for the change to take effect
II. Configuring HTTPS on Apache
1. Install Apache
wget http://apache.dataguru.cn//httpd/httpd-2.2.27.tar.gz
tar zxvf httpd-2.2.27.tar.gz
cd httpd-2.2.27
./configure --enable-ssl --prefix=/usr/local/apache; make; make install
2. Enable SSL/TLS
cd /usr/local/apache/conf
openssl genrsa -out key.pem 2048
openssl req -new -x509 -nodes -out server.crt -keyout server.key
#press Enter at every prompt and leave every field blank (as above, -keyout writes the key that server.crt uses to server.key)
vi /usr/local/apache/conf/httpd.conf
#uncomment the line Include conf/extra/httpd-ssl.conf (see figure below)
/usr/local/apache/bin/httpd
#start apache; it now listens on http (80) and https (443)
3. Disable SSLv3
vi /usr/local/apache/conf/extra/httpd-ssl.conf
#the shipped setting is SSLProtocol all -SSLv2; change it to SSLProtocol all -SSLv2 -SSLv3 (see figure below)
Note: the explicit default supports SSLv3 TLSv1 TLSv1.1 TLSv1.2
killall -9 httpd
/usr/local/apache/bin/httpd
#restart apache for the change to take effect
III. Configuring HTTPS on Tomcat
1. Enable SSL/TLS
wget http://archive.apache.org/dist/tomcat/tomcat-7/v7.0.54/bin/apache-tomcat-7.0.54.zip
unzip apache-tomcat-7.0.54.zip
cp -R apache-tomcat-7.0.54 /usr/local/tomcat
keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/local/tomcat/keystore
#generate the keystore; enter 123456 as the password (see figure below)
vi /usr/local/tomcat/conf/server.xml
#add the SSL Connector configuration (see figure below)
chmod +x /usr/local/tomcat/bin/*sh
/usr/local/tomcat/bin/startup.sh
#start tomcat; it now listens on http (8080) and https (8443)
2. Disable SSLv3
vi /usr/local/tomcat/conf/server.xml
#add the attribute sslEnabledProtocols="TLSv1" (see figure below)
Note: the implicit default is SSLv3,TLSv1.0
/usr/local/tomcat/bin/shutdown.sh
/usr/local/tomcat/bin/startup.sh
#restart tomcat for the change to take effect
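Sections I to III make the same change on three servers, and the note under each step gives the default that applies when the directive is missing. The script below is an added example, not code from the original post, that turns those notes into an offline audit: it reads an nginx.conf, an httpd-ssl.conf or a server.xml and reports whether SSLv3 would still be accepted under the stated defaults (nginx 1.7.x with no ssl_protocols line, Apache with SSLProtocol all -SSLv2, Tomcat 7.0.54 with no sslEnabledProtocols). It also has an optional live probe using openssl s_client -ssl3 for a server you administer. The function names, the CLI shape and the file paths in the usage comment are assumptions; the nginx and Apache parsers do not follow include files, and the Tomcat parser only strips XML comments and splits on Connector elements.

```shell
#!/bin/sh
# Added example (not part of the original post): audit nginx, Apache and Tomcat
# configuration files for SSLv3 exposure, using the defaults stated above.
# Each *_sslv3_enabled function returns 0 when SSLv3 would be accepted and 1
# when it is disabled, so callers can branch on the exit status.

# nginx: an active ssl_protocols directive that lists SSLv3, or no directive
# at all (nginx 1.7.x default "SSLv3 TLSv1 TLSv1.1 TLSv1.2"), means SSLv3 is on.
# Assumption: includes are not followed; pass the file that holds the directive.
nginx_sslv3_enabled() {
    lines=$(sed -e 's/#.*$//' "$1" | grep -E '^[[:space:]]*ssl_protocols[[:space:]]' || true)
    [ -z "$lines" ] && return 0
    printf '%s\n' "$lines" | grep -qE '(^|[[:space:]])SSLv3([[:space:];]|$)'
}

# Apache: the last active SSLProtocol line decides. "-SSLv3" disables it;
# "all", "+SSLv3" or a bare "SSLv3" without "-SSLv3" keeps it; no line at all
# falls back to httpd's built-in default "all", which includes SSLv3.
apache_sslv3_enabled() {
    line=$(sed -e 's/#.*$//' "$1" | grep -iE '^[[:space:]]*SSLProtocol[[:space:]]' | tail -n 1 || true)
    [ -z "$line" ] && return 0
    printf '%s\n' "$line" | grep -qiE '(^|[[:space:]])-SSLv3([[:space:]]|$)' && return 1
    printf '%s\n' "$line" | grep -qiE '(^|[[:space:]])[+]?(all|SSLv3)([[:space:]]|$)'
}

# Remove <!-- ... --> blocks, even across lines, so the commented-out sample
# Connector in a stock server.xml is not mistaken for a live one.
strip_xml_comments() {
    awk 'BEGIN { inc = 0 }
    {
        line = $0; out = ""
        while (1) {
            if (inc) {
                i = index(line, "-->")
                if (i == 0) { line = ""; break }
                line = substr(line, i + 3); inc = 0
            } else {
                i = index(line, "<!--")
                if (i == 0) { out = out line; break }
                out = out substr(line, 1, i - 1); line = substr(line, i + 4); inc = 1
            }
        }
        print out
    }' "$1"
}

# Tomcat: any HTTPS connector (SSLEnabled="true") without sslEnabledProtocols
# uses the default the post states ("SSLv3,TLSv1.0"); with the attribute set,
# SSLv3 is on only if the value lists it.
tomcat_sslv3_enabled() {
    flat=$(strip_xml_comments "$1" | tr '\n' ' ')
    conns=$(printf '%s\n' "$flat" | awk '{ gsub(/<Connector/, "\n<Connector"); print }' \
            | grep 'SSLEnabled="true"' || true)
    [ -z "$conns" ] && return 1
    printf '%s\n' "$conns" | grep -v 'sslEnabledProtocols=' | grep -q . && return 0
    printf '%s\n' "$conns" | grep -oE 'sslEnabledProtocols="[^"]*"' | grep -q 'SSLv3'
}

# Live check of a server you run. Needs an OpenSSL built with SSLv3 support
# (the -ssl3 option); current builds usually drop it, which is reported as
# "cannot test" rather than as a pass.
probe_sslv3() {
    if ! openssl s_client -help 2>&1 | grep -q -- '-ssl3'; then
        echo "cannot test: this openssl has no -ssl3 option"; return 2
    fi
    if echo | openssl s_client -connect "$1:$2" -ssl3 2>/dev/null | grep -q 'Protocol *: SSLv3'; then
        echo "$1:$2 still accepts SSLv3"; return 0
    fi
    echo "$1:$2 rejects SSLv3"; return 1
}

report() {   # $1 label, $2 exit status of a *_sslv3_enabled call
    if [ "$2" -eq 0 ]; then echo "$1: SSLv3 ENABLED"; else echo "$1: SSLv3 disabled"; fi
}

# Usage (paths are the ones used in the post):
#   sh audit_sslv3.sh nginx  /usr/local/nginx/conf/nginx.conf
#   sh audit_sslv3.sh apache /usr/local/apache/conf/extra/httpd-ssl.conf
#   sh audit_sslv3.sh tomcat /usr/local/tomcat/conf/server.xml
#   sh audit_sslv3.sh probe  localhost 443
if [ $# -ge 2 ]; then
    case "$1" in
        nginx)  nginx_sslv3_enabled "$2";  report "nginx $2" $? ;;
        apache) apache_sslv3_enabled "$2"; report "apache $2" $? ;;
        tomcat) tomcat_sslv3_enabled "$2"; report "tomcat $2" $? ;;
        probe)  probe_sslv3 "$2" "${3:-443}" ;;
        *)      echo "unknown target: $1" >&2; exit 2 ;;
    esac
fi
```

The config checks deliberately treat a missing directive as "enabled", because on every server in the post the absent setting is exactly the case that leaves SSLv3 on; a scanner that only looks for the literal string SSLv3 would report the stock files as clean.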
Original article: https://www.chinassl.net/faq/n605.html
All rights reserved. Please credit the source when reposting: CHINASSL[https://www.chinassl.net]