網頁

2020年7月20日 星期一

SSL 證書安裝於 Nginx

參考 SSL 憑證服務 操作手冊
參考 檢查 HTTPS 伺服器加密協定版本
參考 https on nginx and python flask
參考 https Client and Server

取得三個證書
1. eCA 根憑證 "ROOTeCA_64.crt"
2. PublicCA G2 中繼憑證 "PublicCA2_64.crt"
3. 用戶的 SSL 伺服器憑證 "xxx...(32個英數字).crt"

# mkdir /etc/nginx/conf/Certs
放三個證書於此目錄
# cp * /etc/nginx/conf/Certs
產生可信任的CA憑證串列
# cd /etc/nginx/conf/Certs
# cat PublicCA_64.crt ROOTeCA_64.crt > caChain.crt
因 Nginx 只能使用未加密的 server key
# openssl rsa -in server.key -out server_no_pwd.key
# cat server_no_pwd.key > /etc/nginx/conf/Certs/server.key
# cat xxx...(32個英數字).crt PublicCA2_64.crt > server.pem


修改 /etc/nginx/sites-available/ 下的設定檔
        ssl_certificate /etc/nginx/conf/Certs/server.pem;
        ssl_certificate_key /etc/nginx/conf/Certs/server.key;
        ssl_stapling on;
        ssl_stapling_verify on;

        ssl_trusted_certificate /etc/nginx/conf/Certs/caChain.crt;

修改 /etc/nginx/nginx.conf        # 關閉有漏洞的 HTTPS SSLv3, 採用 TLS
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

# ngnix -s reload

測試安全性
$ sudo apt install nmap
$ nmap --script ssl-enum-ciphers -p 8443 www.xxxx.com

Starting Nmap 7.60 ( https://nmap.org ) at 2020-07-20 14:21 CST
Nmap scan report for www.xxxx.com.tw (114.35.104.33)
Host is up (0.00057s latency).
rDNS record for 114.35.14.313: 114-35-104-33.HINET-IP.hinet.net

PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
|       TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
|       TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds

測試結果分為等級 A-F


下載 認證標章,並放置下列HTML語法到網頁
<a href="javascript:location.href='https://publicca.hinet.net/SSLQueryCert/ SSLQueryCert.jsp?Domain_name='+document.location.hostname">
<img height="126" src="SSLSeal.gif" width="90" />
</a>

沒有留言:

張貼留言