请稍候...
  • 通配符证书Wildcard SSL,部署全网HTTPS必备
  • 为什么使用企业型SSL证书?
  • 增强型证书EV SSL,完美支持地址栏显示中文企业名称
  • HTTPS今天你用了吗?
  • 多域名SANS/UCC SSL证书,全面支持Exchange Server 2..
  • 选择SSL证书产品遇到问题?

常见WebServer关闭SSLv3/SSLv2协议的设置方法

点击数:204282015-08-14 11:19:01 来源: Mark4z5的博客

常见WebServer(Nginx、Apache、Tomcat)启用HTTP以及关闭不安全协议SSLv3/SSLv2的设置方法,文档整理如下。

一、Nginx配置HTTPS

1、安装Nginx

wget http://nginx.org/download/nginx-1.7.1.tar.gz

tar zxvf nginx-1.7.1.tar.gz

cd nginx-1.7.1/

./configure --with-http_ssl_module --prefix=/usr/local/nginx; make; make install

 

2、开启SSL/TLS

 

mkdir /usr/local/nginx/sslkey

cd /usr/local/nginx/sslkey

openssl genrsa -out key.pem 2048

openssl req -new -x509 -nodes -out server.crt -keyout server.key

#一直按回车,什么都不填

 

 

vi /usr/local/nginx/conf/nginx.conf

#去掉HTTPS server相关配置注释并修改文件路径(如下图)

常见WebServer开启HTTPS并关闭SSLv3

 

/usr/local/nginx/sbin/nginx

#启动nginx,此时nginx监听http(80)和https(443)

 

常见WebServer开启HTTPS并关闭SSLv3

 

3、关闭SSLv3

 

vi /usr/local/nginx/conf/nginx.conf

#加上配置ssl_protocols TLSv1 TLSv1.1 TLSv1.2;(如下图)

常见WebServer开启HTTPS并关闭SSLv3

注:隐性默认是SSLv3 TLSv1 TLSv1.1 TLSv1.2

 

/usr/local/nginx/sbin/nginx -s reload

#重启nginx生效

 

 

 

二、 Apache配置HTTPS

1、安装Apache

wget http://apache.dataguru.cn//httpd/httpd-2.2.27.tar.gz

tar zxvf httpd-2.2.27.tar.gz

cd httpd-2.2.27

./configure --enable-ssl --prefix=/usr/local/apache; make; make install

 

2、开启SSL/TLS

cd /usr/local/apache/conf

openssl genrsa -out key.pem 2048

openssl req -new -x509 -nodes -out server.crt -keyout server.key

#一直按回车,什么都不填

 

 

vi /usr/local/apache/conf/httpd.conf

#去掉Include conf/extra/httpd-ssl.conf注释(如下图)

常见WebServer开启HTTPS并关闭SSLv3

 

/usr/local/apache/bin/httpd

#启动apache,此时apache监听http(80)和https(443)

 

常见WebServer开启HTTPS并关闭SSLv3

 

3、关闭SSLv3

vi /usr/local/apache/conf/extra/httpd-ssl.conf

#原有配置SSLProtocol all -SSLv2,需修改为SSLProtocol all -SSLv2 -SSLv3(如下图)

 

常见WebServer开启HTTPS并关闭SSLv3

注:显性默认支持SSLv3 TLSv1 TLSv1.1 TLSv1.2

 

killall -9 httpd

/usr/local/apache/bin/httpd

#重启apache生效

 

 

三、Tomcat配置HTTPS

1、开启SSL/TLS

 

wget http://archive.apache.org/dist/tomcat/tomcat-7/v7.0.54/bin/apache-tomcat-7.0.54.zip

unzip apache-tomcat-7.0.54.zip

cp -R apache-tomcat-7.0.54 /usr/local/tomcat

keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/local/tomcat/keystore

#生成key文件,密码填写123456(如下图)

常见WebServer开启HTTPS并关闭SSLv3

 

vi /usr/local/tomcat/conf/server.xml

#添加SSL配置(如下图)

 

           port="8443" maxThreads="200"

           scheme="https" secure="true" SSLEnabled="true"

           keystoreFile="/usr/local/tomcat/keystore" keystorePass="123456"

           clientAuth="false" sslProtocol="TLS"

/>

 

常见WebServer开启HTTPS并关闭SSLv3

 

chmod +x /usr/local/tomcat/bin/*sh

/usr/local/tomcat/bin/startup.sh

#启动tomcat,此时tomcat监听http(8080)和https(8443)

 

常见WebServer开启HTTPS并关闭SSLv3

 

2、关闭SSLv3

vi /usr/local/tomcat/conf/server.xml

#加上配置sslEnabledProtocols="TLSv1"(如下图)

 

常见WebServer开启HTTPS并关闭SSLv3

注:隐性默认是SSLv3,TLSv1.0

 

/usr/local/tomcat/bin/shutdown.sh

/usr/local/tomcat/bin/startup.sh

#重启tomcat生效

 

 

 

 

 

上一页1下一页

下一篇:haproxy SSL配置方法

上一篇:SHA256