SSL certificate HTTPS online test: why the SSL check site ssllabs gives a low or a high grade

For an online HTTPS/SSL certificate test, the generally recognised choice is https://www.ssllabs.com/ . Sometimes the grade comes out as only C or B, so where is the problem?

What makes the ssllabs SSL check grade low or high? Below we go through the nginx SSL certificate/HTTPS settings used by ctohome:

ssl on;   # deprecated since nginx 1.15.0; newer releases use "listen 443 ssl;" instead
ssl_certificate /nginx_conf/vhosts/ssl/2016/www.ctohome.com-openssl-bundle.crt;
ssl_certificate_key /nginx_conf/vhosts/ssl/2016/www.ctohome.com-openssl-nopass.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
keepalive_timeout 70;
# SSLv3 and SSLv2 are weak and should no longer be used.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # this line is key: no SSLv3 and no SSLv2
# Disables all weak ciphers
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;   # also key: compatible with the vast majority of browsers while reducing the risk as far as possible
ssl_prefer_server_ciphers on;

After the changes above you can generally expect an A. Two caveats: the cipher list still contains 3DES and plain-RSA (non forward-secret) suites, kept only for old clients, and newer versions of the SSL Labs grader flag 3DES as weak and, since 2020, cap the grade at B when TLS 1.0 or TLS 1.1 is enabled. Re-run the scan rather than assuming the A still holds.

The reasons for a low grade on the ssllabs online SSL check appear as messages like these in the report:

This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.
This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C.
This server accepts RC4 cipher, but only with older protocol versions. Grade capped to B.
The server does not support Forward Secrecy with the reference browsers.
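As an added example (not code from the original post or from ctohome), the script below reads an nginx ssl_* block and maps it to the SSL Labs findings quoted above: SSLv2/SSLv3 (POODLE, cap C), no TLS 1.2 (cap C), RC4 (cap B), weak DH (cap B), and missing forward secrecy. It is a textual heuristic on the config, not a replacement for the online scan: it assumes OpenSSL cipher-string conventions (keywords such as EECDH, RC4 and 3DES, and `!`/`-` entries as exclusions), assumes that finite-field DHE without an `ssl_dhparam` line means the 1024-bit default group of nginx releases before 1.11.0, and uses two constructed sample configs. The nginx defaults it fills in for missing directives are the documented ones since 1.9.1.

```python
"""Offline audit of an nginx ssl_* block against the SSL Labs grade caps quoted above.
Heuristic on the config text only; it does not speak TLS to the server."""
import re

# nginx defaults since 1.9.1 (earlier releases also enabled SSLv3 by default)
DEFAULT_PROTOCOLS = "TLSv1 TLSv1.1 TLSv1.2"
DEFAULT_CIPHERS = "HIGH:!aNULL:!MD5"

# Constructed sample: the kind of block that scores C on SSL Labs.
WEAK_CONF = """
ssl on;
ssl_protocols SSLv3 TLSv1 TLSv1.1;
ssl_ciphers RC4-SHA:AES128-SHA:DES-CBC3-SHA;
ssl_prefer_server_ciphers on;
"""

# The corrected block from the post (paths shortened; constructed for this example).
FIXED_CONF = """
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
"""


def parse_ssl_directives(conf):
    """Map ssl_* directive name -> value; a later duplicate overrides an earlier one."""
    directives = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop nginx comments
        m = re.match(r"(ssl_\w+)\s+(.*?)\s*;", line)
        if m:
            directives[m.group(1)] = m.group(2)
    return directives


def cipher_list_has(cipher_string, pattern):
    """True if a non-excluded element of an OpenSSL cipher list matches pattern.
    Elements prefixed with '!' or '-' remove suites, so '!RC4' disables RC4."""
    parts = [p.strip() for p in cipher_string.split(":") if p.strip()]
    if any(p[0] in "!-" and re.search(pattern, p[1:]) for p in parts):
        return False
    return any(p[0] not in "!-" and re.search(pattern, p) for p in parts)


# Finite-field DHE keywords; the lookbehind keeps ECDHE from matching "DHE".
FF_DHE = r"(?<!C)DHE|EDH"
# Anything giving forward secrecy (ECDHE/EECDH, DHE) or the HIGH alias that includes them.
FORWARD_SECRECY = r"ECDH|(?<!C)DHE|EDH|HIGH"


def audit(conf):
    """Return {'grade': 'A'|'B'|'C', 'findings': [(cap_or_None, message), ...]}."""
    d = parse_ssl_directives(conf)
    protocols = d.get("ssl_protocols", DEFAULT_PROTOCOLS).split()
    ciphers = d.get("ssl_ciphers", DEFAULT_CIPHERS)
    findings = []

    if "SSLv2" in protocols or "SSLv3" in protocols:
        findings.append(("C", "SSLv2/SSLv3 enabled: vulnerable to POODLE, grade capped to C"))
    if not any(p in protocols for p in ("TLSv1.2", "TLSv1.3")):
        findings.append(("C", "TLS 1.2 not offered: only older protocols, grade capped to C"))
    if cipher_list_has(ciphers, r"RC4"):
        findings.append(("B", "RC4 cipher suites accepted: grade capped to B"))
    if cipher_list_has(ciphers, FF_DHE) and "ssl_dhparam" not in d:
        findings.append(("B", "DHE enabled without ssl_dhparam: nginx before 1.11.0 used a "
                              "1024-bit default group (weak DH), grade capped to B"))
    if cipher_list_has(ciphers, r"3DES|DES-CBC3"):
        findings.append((None, "3DES suites enabled: flagged as weak (SWEET32) by newer SSL Labs versions"))
    if not cipher_list_has(ciphers, FORWARD_SECRECY):
        findings.append((None, "no ECDHE/DHE suites: server does not support Forward Secrecy"))
    if re.search(r"^\s*ssl\s+on\s*;", conf, re.M):
        findings.append((None, "'ssl on;' is deprecated since nginx 1.15.0; use 'listen 443 ssl;'"))

    caps = {cap for cap, _ in findings if cap}
    grade = "C" if "C" in caps else "B" if "B" in caps else "A"
    return {"grade": grade, "findings": findings}


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        result = audit(conf)
        print(f"{name}: grade {result['grade']}")
        for cap, msg in result["findings"]:
            print(f"  [{cap or 'note'}] {msg}")
```

Running it prints the C grade for the weak block and an A for the corrected one, with 3DES and `ssl on;` left as notes without a cap; the heuristic reproduces the caps the post lists, but only the live SSL Labs scan sees what the server actually negotiates (default cipher lists, OpenSSL build, DH parameters), so treat the script as a pre-flight check before rescanning.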
