{"id":1079,"date":"2015-05-14T11:15:57","date_gmt":"2015-05-14T03:15:57","guid":{"rendered":"http:\/\/zerobox.org\/notes\/?p=1079"},"modified":"2016-06-02T19:36:18","modified_gmt":"2016-06-02T11:36:18","slug":"%e6%94%b9%e5%96%84-https-%e8%ae%bf%e9%97%ae%e5%ae%89%e5%85%a8%e6%80%a7","status":"publish","type":"post","link":"http:\/\/zerobox.org\/notes\/1079.html","title":{"rendered":"\u6539\u5584 HTTPS \u8bbf\u95ee\u5b89\u5168\u6027"},"content":{"rendered":"

2014 \u5e74 4 \u6708 OpenSSL \u7684\u5fc3\u8840\u6f0f\u6d1e Heartbleed \u7740\u5b9e\u8ba9\u5927\u5bb6\u5bf9\u4e92\u8054\u7f51\u5b89\u5168\u634f\u4e86\u4e00\u628a\u51b7\u6c57\u3002\u540c\u5e74 10 \u6708\u4efd\u53c8\u76f8\u7ee7\u7206\u51fa POODLE \u5b89\u5168\u6f0f\u6d1e\u653b\u51fb\uff0c\u8be5\u6f0f\u6d1e\u53ef\u4ee5\u8ba9\u653b\u51fb\u8005\u5229\u7528 SSLv3 \u534f\u8bae\u8bbe\u8ba1\u4e2d\u7684\u7f3a\u9677\uff0c\u901a\u8fc7\u4e2d\u95f4\u4eba\u653b\u51fb\u7684\u624b\u6bb5\u6765\u7a83\u53d6\u7528\u6237\u4fe1\u606f\uff0cGoogle \u7814\u7a76\u5458\u6700\u5148\u62ab\u9732\u4e86\u6709\u5173\u8be5\u6f0f\u6d1e\u7684\u7ec6\u8282\u3002<\/p>\n

\u76ee\u524d UPYUN \u5168\u7f51\u5df2\u7ecf\u79fb\u9664\u4e86\u5bf9 SSLv3 \u534f\u8bae\u7684\u652f\u6301\uff0c\u6d89\u53ca CDN\u3001API\u3001WEB \u7b49\u76f8\u5173 HTTPS \u670d\u52a1\u3002\u53e6\u5916\uff0c\u56fd\u5916\u77e5\u540d\u7684 CDN \u670d\u52a1\u5546 MaxCDN \u548c CloudFlare \u4e5f\u65e9\u5728\u53bb\u5e74 10 \u6708\u5c31\u7981\u6389\u4e86 SSLv3 \u7684\u652f\u6301\u3002<\/p>\n

\u79fb\u9664 SSLv3 \u6709\u4f55\u5f71\u54cd\uff1f<\/h3>\n
\u6240\u6709\u7684\u73b0\u4ee3\u6d4f\u89c8\u5668\u548c API \u5ba2\u6237\u7aef\u90fd\u5df2\u7ecf\u6216\u5373\u5c06\u652f\u6301 TLSv1.0 \u53ca\u5176\u4ee5\u4e0a\u7248\u672c\u7684\u534f\u8bae\uff0c\u56e0\u6b64\u8be5\u8c03\u6574\u5bf9\u7edd\u5927\u591a\u6570\u7684\u5ba2\u6237\u7aef\u90fd\u6ca1\u6709\u5f71\u54cd\uff0c\u4f46\u7531\u4e8e Windows XP\/IE6 \u6216\u66f4\u65e9\u7684\u6d4f\u89c8\u5668\u4ec5\u652f\u6301 SSLv3\uff0c\u4f1a\u51fa\u73b0\u65e0\u6cd5\u8bbf\u95ee\u7684\u95ee\u9898\uff0c\u636e CloudFlare \u7684\u7edf\u8ba1\u76ee\u524d\u5b83\u4eec\u5168\u7f51\u6d41\u91cf\u4e2d 3.12% \u6765\u81ea Windows XP \u7528\u6237\uff0c\u800c\u5176\u4e2d\u4e5f\u53ea\u6709 1.12% \u91c7\u7528\u4e86 SSLv3 \u7684\u8fde\u63a5\u65b9\u5f0f\uff0c\u6362\u53e5\u8bdd\u8bf4\uff0c\u5176\u4ed6 98.88% \u7684 Windows XP \u7528\u6237\u5df2\u7ecf\u91c7\u7528\u4e86\u66f4\u5b89\u5168 TLSv1.0+\u3002<\/p>\n
\u4ee5\u4e0a\uff0c\u8003\u8651\u5230\u5b89\u5168\u539f\u56e0\uff0c\u5bf9\u4e8e\u8fd8\u5728\u4f7f\u7528 IE6 \u7684\u7528\u6237\uff0c\u6211\u4eec\u5f3a\u70c8\u5efa\u8bae\u5347\u7ea7\u4f60\u4eec\u7684\u6d4f\u89c8\u5668\u3002<\/p>\n

\u68c0\u67e5 SSL \u670d\u52a1\u7684\u5b89\u5168\u7b49\u7ea7<\/h3>\n

\u901a\u8fc7 QUALYS SSL LABS \u63d0\u4f9b\u7684\u68c0\u67e5\u9875\u9762\uff0c\u6211\u4eec\u53ef\u4ee5\u8be6\u7ec6\u5206\u6790 HTTPS\/SSL \u670d\u52a1\u7684\u5b89\u5168\u60c5\u51b5\u3002\u4ee5 UPYUN \u5b98\u7f51 upyun.com<\/em> \u4e3a\u4f8b\uff0c\u6211\u4eec\u5f97\u5230\u7684\u68c0\u67e5\u7ed3\u679c\u5982\u4e0b\uff1a<\/p>\n

$\"SSL$ <\/p>\n

\u7279\u522b\u5730\uff0c\u4f4e\u4e8e A \u8bc4\u7ea7\u7684\u60c5\u51b5\u4e0b\u53ef\u80fd\u4f1a\u5f97\u5230\u5982\u4e0b\u4e00\u4e9b\u5b89\u5168\u63d0\u793a\uff1a<\/p>\n

\n
This server supports anonymous (insecure) suites (see below for details). Grade set to F.<\/li>\n
This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C. MORE INFO<\/li>\n
This server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224) and exploitable. Grade set to F.<\/li>\n
Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2. MORE INFO<\/li>\n
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.<\/li>\n
This server accepts the RC4 cipher, which is weak. Grade capped to B. MORE INFO<\/li>\n
The server does not support Forward Secrecy with the reference browsers. MORE INFO<\/li>\n
This server does not mitigate the CRIME attack. Grade capped to B.<\/li>\n
\u2026<\/li>\n<\/ol>\n
NGINX SSL \u76f8\u5173\u4f18\u5316<\/h3>\n
\u7531\u4e8e UPYUN \u7ebf\u4e0a HTTPS\/SSL \u670d\u52a1\u90fd\u57fa\u4e8e NGINX\uff0c\u56e0\u6b64\u8fd9\u91cc\u5bf9\u4ee5\u4e0a\u95ee\u9898\u7684\u4f18\u5316\u4e5f\u4ec5\u9488\u5bf9 NGINX\u3002<\/p>\n
SSL Compression (CRIME attack): [8]<\/p><\/blockquote>\n
CRIME \u653b\u51fb\u4e3b\u8981\u5229\u7528\u4e86 SSL Compression \u7684\u7279\u6027\uff0c\u82e5\u4ee5\u4e0b\u60c5\u51b5\u6ee1\u8db3\u5c31\u8868\u793a\u8be5\u7279\u6027\u5df2\u7ecf\u88ab\u9ed8\u8ba4\u5173\u95ed\u4e86\uff1a<\/p>\n
* OpenSSL >= 1.0.0: NGINX 1.1.6+\/1.0.9+\r\n* OpenSSL < 1.0.0: NGINX 1.3.2+\/1.2.2+\r\n<\/code><\/pre>\n\u56e0\u6b64\uff0c\u5f88\u7b80\u5355\uff0c\u89e3\u51b3\u529e\u6cd5\u5c31\u662f\u5347\u7ea7\u4f60\u7684 NGINX \u548c OpenSSL \u5373\u53ef\u3002<\/p>\n The POODLE attack (CVE-2014-3566) and TLSv1.0+: [2], [5]<\/p><\/blockquote>\n \u8d35\u5bbe\u72ac\uff08POODLE\uff09\u653b\u51fb\u521a\u4e0a\u9762\u4e5f\u8be6\u7ec6\u4ecb\u7ecd\u8fc7\u4e86\uff0c\u6211\u4eec\u53ea\u8981\u5728 NGINX \u4e2d\u7981\u7528 SSLv3 \u534f\u8bae\u5373\u53ef\uff1a<\/p>\n ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\r\n<\/code><\/pre>\n\u4fee\u6539\u4e3a\uff1a<\/p>\n ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\r\n<\/code><\/pre>\n\u7279\u522b\u5730\uff0cTLS \u7684\u9ad8\u7248\u672c\u534f\u8bae\u4e5f\u6700\u597d\u4e00\u5e76\u52a0\u4e0a\uff0c\u76ee\u524d\u90e8\u5206\u4e3b\u6d41\u6d4f\u89c8\u5668\u90fd\u4f1a\u4f18\u5148\u5c1d\u8bd5 TLSv1.2 \u5efa\u7acb\u5b89\u5168\u8fde\u63a5\u3002<\/p>\n OpenSSL CCS vulnerability (CVE-2014-0224): [3]<\/p><\/blockquote>\n 2014 \u5e74 6 \u6708 5 \u53f7\uff0cOpenSSL \u56e2\u961f\u53d1\u5e03\u4e86\u4e00\u4efd\u5b89\u5168\u62a5\u544a\uff0c\u62ab\u9732\u4e86\u4e00\u7cfb\u5217\u4e25\u91cd\u6f0f\u6d1e\u7684\u7ec6\u8282\uff0c\u5176\u4e2d\u5f53\u5c5e CVE-2014-0224 \u53d7\u5f71\u54cd\u9762\u6700\u5e7f\uff0c\u4e3b\u8981\u662f\u7531\u4e8e OpenSSL \u90e8\u5206\u7248\u672c\u5b9e\u73b0\u4e2d\u6ca1\u6709\u6b63\u786e\u5904\u7406 ChangeCipherSpec \u6d88\u606f\u5bfc\u81f4\u7684\uff0c\u4f7f\u5f97\u653b\u51fb\u8005\u80fd\u591f\u901a\u8fc7\u4e2d\u95f4\u4eba\u653b\u51fb\u6765\u5229\u7528\u8fd9\u4e2a\u6f0f\u6d1e\uff0c\u89e3\u5bc6\u5e76\u4fee\u6539\u88ab\u653b\u51fb\u7684\u670d\u52a1\u5668\u548c\u5ba2\u6237\u7aef\u4e4b\u95f4\u7684\u901a\u8baf\u4fe1\u606f\uff0c\u4ece\u800c\u83b7\u5f97\u673a\u5bc6\u6570\u636e\u3002<\/p>\n \u89e3\u51b3\u529e\u6cd5\u5c31\u662f\u5347\u7ea7 OpenSSL\uff0c\u4e0d\u540c\u4e3b\u7248\u672c\u7684\u5347\u7ea7\u65b9\u6848\u5982\u4e0b\uff1a<\/p>\n * OpenSSL 0.9.8 SSL\/TLS users should upgrade to 0.9.8za.\r\n* OpenSSL 1.0.0 SSL\/TLS users should upgrade to 1.0.0m.\r\n* OpenSSL 1.0.1 SSL\/TLS users should upgrade to 1.0.1h.\r\n<\/code><\/pre>\nCertificate uses a weak signature: [4]<\/p><\/blockquote>\n \u89e3\u51b3\u529e\u6cd5\uff1a\u66f4\u6362\u8bc1\u4e66\u3002\u8bc1\u4e66\u7b7e\u540d\u7b97\u6cd5\u9700\u8981\u5347\u7ea7\u5230 SHA2\uff0c\u5982\u679c\u4ecd\u7136\u662f SHA1 \u7684\u8bdd\u5c31\u4f1a\u5f97\u5230\u7c7b\u4f3c [4] \u7684\u8b66\u544a\uff0c\u6839\u636e Google \u5b89\u5168\u56e2\u961f\u7684\u8bf4\u6cd5\uff0cSHA1 \u5df2\u7ecf\u88ab\u65f6\u4ee3\u629b\u5f03\u4e86\u3002<\/p>\n The Cipher Suite: [1], [6], [7]<\/p><\/blockquote>\n \u7ecf\u8fc7\u4e00\u4e9b\u6d4b\u8bd5\uff0c\u6211\u4eec\u6700\u7ec8\u53c2\u8003\u4e86 CloudFlare \u5173\u4e8e Ciphers \u7684\u914d\u7f6e\u65b9\u6848\uff1a<\/p>\n ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;\r\n<\/code><\/pre>\n\u4ee5\u4e0a\u914d\u7f6e\uff0c\u5728\u5c3d\u53ef\u80fd\u786e\u4fdd\u4e86\u5b89\u5168\u6027\u7684\u524d\u63d0\u4e0b\uff0c\u9664\u4e86\u4e0a\u8ff0\u5df2\u77e5\u7684 Windows XP\/IE6 \u4e0d\u517c\u5bb9\u5916\uff0c\u5176\u5b83\u7edd\u5927\u591a\u6570\u6d4f\u89c8\u5668\u548c API \u5ba2\u6237\u7aef\u5747\u517c\u5bb9\u3002\u53e6\u5916\uff0c\u5bf9\u4e8e Clpherli.st \u7f51\u7ad9\u4e0a\u7ed9\u51fa\u7684\u5efa\u8bae\u914d\u7f6e\uff08\u5982\u4e0b\uff09\uff0c\u6211\u4eec\u5728\u6d4b\u8bd5\u8fc7\u7a0b\u4e2d\u53d1\u73b0\u4f1a\u989d\u5916\u5bfc\u81f4 Windows XP \u4e0b IE7\/IE8 \u51fa\u73b0\u4e0d\u517c\u5bb9\u7684\u60c5\u51b5\uff0c\u8fd9\u4e2a\u57fa\u4e8e\u6211\u4eec\u76ee\u524d\u7684\u56fd\u60c5\u662f\u5f88\u96be\u63a5\u53d7\u7684\uff1a<\/p>\n ssl_ciphers AES128+EECDH:AES128+EDH;\r\n<\/code><\/pre>\nSPDY \u4ee5\u53ca\u4e00\u4e9b\u5b89\u5168\u76f8\u5173\u7684 HTTP \u54cd\u5e94\u5934<\/h3>\n\u76ee\u524d UPYUN \u7684\u5b98\u7f51\u6574\u7ad9\u90fd\u5df2\u7ecf\u5f00\u542f\u4e86 SPDY \u7684\u652f\u6301\uff0c\u901a\u8fc7 SPDYCheck.org \u68c0\u6d4b\u5373\u53ef\u77e5\u6653\u3002<\/p>\n \u5173\u4e8e SPDY \u534f\u8bae\uff0c\u6700\u65e9\u7531 Google \u5728 Chromium \u9879\u76ee\u4e2d\u63d0\u51fa\u8bbe\u8ba1\u8349\u6848\uff0cSPDY \u534f\u8bae\u65e8\u5728\u901a\u8fc7\u538b\u7f29\u3001\u4f18\u5148\u7ea7\u548c\u591a\u8def\u590d\u7528\u964d\u4f4e\u7f51\u9875\u7684\u52a0\u8f7d\u65f6\u95f4\u548c\u63d0\u9ad8\u6570\u636e\u4f20\u8f93\u7684\u5b89\u5168\u6027\u3002\u76ee\u524d\u9ad8\u7248\u672c\u4e3b\u6d41\u6d4f\u89c8\u5668\u5747\u5df2\u5f00\u542f\u5bf9 SPDY \u7684\u652f\u6301\uff0c\u540c\u65f6\u5728\u4eca\u5e74\uff082015\uff09SPDY \u4e5f\u6b63\u5f0f\u6210\u4e3a\u4e86 HTTP\/2 \u6807\u51c6\u534f\u8bae\u7684\u57fa\u7840\u3002<\/p>\n \u867d\u7136 Google \u8868\u793a SPDY \u5e76\u5165 HTTP\/2 \u6807\u51c6\u5316\u540e\u8003\u8651\u5728 2016 \u5e74\u79fb\u9664\u5bf9 SPDY \u7684\u652f\u6301\uff0c\u4f46 HTTP\/2 \u7684\u666e\u53ca\u4ece\u76ee\u524d\u6765\u770b\uff0c\u8fd8\u9700\u8981\u4e00\u5b9a\u65f6\u95f4\uff0cNGINX \u65e9\u4e9b\u65f6\u5019\u4e5f\u5ba3\u79f0\u5c06\u5728 2015 \u5e74\u5e95\u5b8c\u6210\u5bf9 HTTP\/2 \u7684\u652f\u6301\u3002\u56e0\u6b64\uff0c\u5728\u76ee\u524d\u7684\u60c5\u5f62\u4e0b\uff0c\u5728 HTTPS \u57fa\u7840\u4e0a\u5f00\u542f SPDY \u652f\u6301\u4e5f\u7edd\u5bf9\u662f\u6709\u76ca\u65e0\u5bb3\u7684\u3002<\/p>\n NGINX \u5f00\u542f SPDY \u652f\u6301<\/h4>\n\u8981\u6c42 OpenSSL 1.0.1e+, NGINX 1.5.10+\uff08\u652f\u6301 SPDY\/3.1\uff09\u3002<\/p><\/blockquote>\n .\/configure --with-http_spdy_module --with-http_ssl_module\r\n<\/code><\/pre>\nserver {\r\n listen 443 ssl spdy;\r\n server_name upyun.com;\r\n\r\n ...\r\n}\r\n<\/code><\/pre>\n\u66f4\u591a\u8be6\u7ec6\u6b65\u9aa4\u548c\u914d\u7f6e\u6307\u4ee4\u8bf4\u660e\u8bf7\u53c2\u8003 NGINXTIPS \u53ca NGINX SPDY \u5b98\u65b9\u6587\u6863\u3002<\/p>\n NGINX \u589e\u52a0\u5e38\u7528\u5b89\u5168\u76f8\u5173\u7684 HTTP \u54cd\u5e94\u5934\u652f\u6301<\/h4>\nadd_header Strict-Transport-Security max-age=63072000;\r\nadd_header X-Frame-Options SAMEORIGIN;\r\nadd_header X-Content-Type-Options nosniff;\r\nadd_header X-XSS-Protection \"1; mode=block\";\r\n<\/code><\/pre>\n\u5404\u54cd\u5e94\u5934\u7684\u4f5c\u7528\u8be6\u89c1 List of useful HTTP headers\u3002<\/p>\n EOF<\/h3>\nserver {\r\n listen 443 ssl spdy;\r\n server_name upyun.com;\r\n\r\n ssl_certificate upyun.com.pem;\r\n ssl_certificate_key upyun.com.key;\r\n\r\n ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;\r\n ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\r\n ssl_prefer_server_ciphers on;\r\n ssl_session_cache shared:SSL:10m;\r\n\r\n add_header Strict-Transport-Security max-age=63072000;\r\n add_header X-Frame-Options SAMEORIGIN;\r\n add_header X-Content-Type-Options nosniff;\r\n add_header X-XSS-Protection \"1; mode=block\";\r\n}\r\n<\/code><\/pre>\n\u4ee5\u4e0a\u914d\u7f6e\u5728 NGINX 1.7.10 \u548c OpenSSL 1.0.2 \u4e0a\u7ecf\u8fc7\u6d4b\u8bd5\uff0c\u540c\u65f6\u4e5f\u5efa\u8bae\u5927\u5bb6\u53ca\u65f6\u5347\u7ea7\u5230\u76f8\u5e94\u7684\u6700\u65b0\u7248\u672c\u3002<\/p>\n \u5176\u4ed6\u53c2\u8003\uff1a<\/p>\n \nhttp:\/\/nginx.com\/blog\/nginx-poodle-ssl\/<\/li>\n https:\/\/raymii.org\/s\/tutorials\/Strong_SSL_Security_On_nginx.html<\/li>\n http:\/\/nginx.com\/blog\/nginx-05-june-2014-openssl-security-advisory\/<\/li>\n<\/ul>\n\u6765\u6e90:http:\/\/io.upyun.com\/2015\/03\/10\/strong-ssl-security\/<\/p>\n","protected":false},"excerpt":{"rendered":" 2014 \u5e74 4 \u6708 OpenSSL \u7684\u5fc3\u8840\u6f0f\u6d1e Heartbleed \u7740\u5b9e\u8ba9\u5927 …<\/p>\n \u7ee7\u7eed\u9605\u8bfb »<\/a><\/p>\n","protected":false},"author":1,"featured_media":1080,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[239],"class_list":["post-1079","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","tag-https"],"views":4064,"_links":{"self":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/posts\/1079","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/comments?post=1079"}],"version-history":[{"count":0,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/posts\/1079\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/media\/1080"}],"wp:attachment":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/media?parent=1079"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/categories?post=1079"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/tags?post=1079"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}