lighttpd https SSL 配置参数优化 

前端时间从 freessl.org 搞了一个免费的SSL证书,给自己的一个站点用上了。

https://sb.caonima.pw

不过部署好了后我这边一直访问不了。一直以为是SSL的配置没配好。

今天参照着 myssl.com 提供的优化建议把配置弄了一下,如下:

$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
#ssl.openssl.ssl-conf-cmd = ("Protocol" => "-ALL, TLSv1.2")
ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE"
ssl.honor-cipher-order = "enable"
ssl.pemfile = "/home/ftp/.ssl/ssl.pem"
ssl.ca-file = "/home/ftp/.ssl/ca.pem"
server.name = "sb.caonima.pw"
server.document-root = "/home/ftp"
}
ssl.disable-client-renegotiation = "enable"


重启lighttpd,看了一下,评级从之前的B升到了A。

https://myssl.com/sb.caonima.pw

但是,貌似我本地还是不能访问。

VPS里面倒是可以,

[root@sharl-centos ~]# curl -vI https://sb.caonima.pw
* About to connect() to sb.caonima.pw port 443 (#0)
* Trying 104.236.147.24... connected
* Connected to sb.caonima.pw (104.236.147.24) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=sb.caonima.pw
* start date: Feb 24 00:00:00 2018 GMT
* expire date: Feb 24 12:00:00 2019 GMT
* common name: sb.caonima.pw
* issuer: CN=TrustAsia TLS RSA CA,OU=Domain Validated SSL,O="TrustAsia Technologies, Inc.",C=CN
> HEAD / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: sb.caonima.pw
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8
< Content-Length: 6705
Content-Length: 6705
< Date: Fri, 02 Mar 2018 09:10:51 GMT
Date: Fri, 02 Mar 2018 09:10:51 GMT
< Server: lighttpd
Server: lighttpd

<
* Connection #0 to host sb.caonima.pw left intact
* Closing connection #0


此外我还试了ssllibs,
https://www.ssllabs.com/ssltest/analyze.html?d=sb.caonima.pw

好像也没啥问题。敢情除了我自己,其他人都能访问我的站点,我日!!!!

这个问题还要继续研究。

注:本文撰写实践参考了以下链接:
https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL
https://www.openssl.org/docs/manmaster/man1/ciphers.html
[ 885 评论 ] ( 142 次浏览 ) 永久链接 ( 3 / 325 )

<上一页 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 下一页> >>