Steps to allow only TLS 1.2 in nginx
Configuration
sudoedit /etc/nginx/conf.d/virtual.conf
server {
    listen 443 ssl;
    # ...
    ssl_protocols TLSv1.2;
}
sudo systemctl reload nginx
Overall flow
- Check before changing the configuration
- Change the configuration
- Check after changing the configuration
How to verify
openssl s_client -connect zenn.dev:443 -tls1_2
openssl s_client -connect zenn.dev:443 -tls1_1
openssl s_client -connect zenn.dev:443 -tls1
Success example
openssl s_client -connect zenn.dev:443 -tls1_2
CONNECTED(00000005)
depth=3 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1D4
verify return:1
depth=0 CN = zenn.dev
verify return:1
---
Certificate chain
0 s:/CN=zenn.dev
i:/C=US/O=Google Trust Services LLC/CN=GTS CA 1D4
1 s:/C=US/O=Google Trust Services LLC/CN=GTS CA 1D4
i:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
2 s:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
(PEM body omitted)
-----END CERTIFICATE-----
subject=/CN=zenn.dev
issuer=/C=US/O=Google Trust Services LLC/CN=GTS CA 1D4
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 4855 bytes and written 281 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-CHACHA20-POLY1305
Session-ID: 6A0D52BE3E047733CF18E5318EF4D403F4C27A1D786209A4689108E96016837D
Session-ID-ctx:
Master-Key: 54C206BA938DDA63044B575251C4904719253C81F9B987C00EA8250F51BFCA29D6B0A2BC015B31E0C53933521DDC8DDF
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
0000 - 02 e2 9c 54 65 7f 28 c0-50 be 6c bb fc e4 6c 45 ...Te.(.P.l...lE
0010 - 4a 33 5d 41 ef 9f ac 73-0c 51 03 de 0f c4 12 39 J3]A...s.Q.....9
0020 - 0e 4a e0 e9 0e ea 17 70-09 aa 62 ec 76 a7 ae 65 .J.....p..b.v..e
0030 - 58 90 09 70 05 b2 ce 2f-ae 4c 52 8a 8c cf 4d 32 X..p.../.LR...M2
0040 - c3 06 54 d0 ed e6 65 7f-56 c3 7f f7 13 ba 0e 11 ..T...e.V.......
0050 - 9e cf 90 19 a7 8e 13 d4-98 6e c9 c8 43 1e 9b 48 .........n..C..H
0060 - 66 9f cd d6 90 3b 08 f3-16 29 cf 8d 08 54 69 6b f....;...)...Tik
0070 - 74 90 58 ab 05 30 95 61-49 1b 1c 36 33 65 36 70 t.X..0.aI..63e6p
0080 - 0b a9 ca 27 5d 1c ab f8-78 6c df 8d fa 28 91 c3 ...']...xl...(..
0090 - 57 64 2e a0 5f a4 76 ed-e2 a4 8c 10 38 5b 04 d6 Wd.._.v.....8[..
00a0 - 53 c2 0c 3f 6a 9f 44 ef-fd 29 68 9f d9 39 fa ae S..?j.D..)h..9..
00b0 - e9 8c 31 e8 23 d5 a5 36-3e b5 a2 2b f1 e1 19 c8 ..1.#..6>..+....
00c0 - 0a 99 99 82 38 43 7d 2e-c4 14 55 88 ce 32 4b 5b ....8C}...U..2K[
00d0 - 6d c6 82 6d 46 4e 52 54-ad 82 09 a5 0e d7 0d 5f m..mFNRT......._
Start Time: 1669600721
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
Failure example
openssl s_client -connect qiita.com:443 -tls1_1
CONNECTED(00000005)
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Start Time: 1669600863
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
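As an added example (not part of the original scrap), the following POSIX shell helpers automate the before/after check: one flags ssl_protocols directives in an nginx config that still permit SSLv3, TLS 1.0 or TLS 1.1, one classifies captured openssl s_client output the way the success and failure examples above are read, and one loops a live probe over the versions. The function names and the sample config are my own; -servername is a standard s_client flag, and -tls1_3 needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the original scrap. Helpers for the "check before /
# change / check after" flow: lint the nginx config, then read s_client output.

# Print any ssl_protocols directive in an nginx config file that still allows
# SSLv2/SSLv3/TLS 1.0/TLS 1.1. Returns 0 when clean, 1 when a legacy version
# is enabled. Comments are stripped first so commented-out lines do not count.
nginx_legacy_protocols() {
    if sed 's/#.*//' "$1" \
        | grep -E '^[[:space:]]*ssl_protocols[[:space:]]' \
        | grep -E 'SSLv2|SSLv3|TLSv1([[:space:];]|$)|TLSv1\.1'; then
        return 1
    fi
    return 0
}

# Classify captured `openssl s_client` output read from stdin.
# In the failure example the server drops the connection (write:errno=54) and
# no cipher is negotiated ("Cipher is (NONE)"); the "Protocol : TLSv1.1" line
# only echoes the version the client requested, so it must not be read as
# proof that the server accepted it. Prints "accepted <ver>" / "rejected <ver>".
tls_handshake_result() {
    out=$(cat)
    proto=$(printf '%s\n' "$out" \
        | sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1)
    if printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo "rejected ${proto:-unknown}"
        return 1
    fi
    if printf '%s\n' "$out" | grep -Eq 'Cipher is [A-Z0-9_-]+'; then
        echo "accepted ${proto:-unknown}"
        return 0
    fi
    echo "unknown"
    return 2
}

# Live probe (needs network): try each version against host [port].
# -tls1_3 is only understood by OpenSSL 1.1.1 and later.
probe_tls_versions() {
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        printf '%-8s ' "-$v"
        openssl s_client -connect "$1:${2:-443}" -servername "$1" "-$v" \
            </dev/null 2>&1 | tls_handshake_result || true
    done
}
```

Run `probe_tls_versions your.host` before and after the reload; after the change only the -tls1_2 line should read "accepted".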
This scrap was closed on 2023/01/10.