海运的博客

ubuntu 20.04下nginx不支持tls1.0/tls1.1解决

发布时间:December 16, 2020 // 分类:Nginx // No Comments

在ubuntu 20.04下配置nginx ssl时怎么不支持tls1.0/1.1,确认配置文件无误怀疑是openssl的问题,原来是ubuntu 20.04/openssl 1.1.1默认禁用了不安全的tls协议,可以修改openssl配置文件开启。
patch:

--- openssl.cnf 2020-12-26 10:54:59.000000000 +0800
+++ /etc/ssl/openssl.cnf        2020-12-26 11:28:20.406439168 +0800
@@ -11,6 +11,8 @@
 # defined.
 HOME                   = .
 
+openssl_conf = default_conf
+
 # Extra OBJECT IDENTIFIER info:
 #oid_file              = $ENV::HOME/.oid
 oid_section            = new_oids
@@ -348,3 +350,13 @@
                                # (optional, default: no)
 ess_cert_id_alg                = sha1  # algorithm to compute certificate
                                # identifier (optional, default: sha1)
+
+[default_conf]
+ssl_conf = ssl_sect
+
+[ssl_sect]
+system_default = system_default_sect
+
+[system_default_sect]
+MinProtocol = TLSv1
+CipherString = DEFAULT:@SECLEVEL=1

或直接修改配置文件,openssl.cnf首部添加:

sed -i '1i openssl_conf = default_conf' /etc/ssl/openssl.cnf

尾部添加:

cat >> /etc/ssl/openssl.cnf << EOF
[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1
EOF

使用openssl测试是否支持tls1.0和1.1:

openssl s_client -connect www.haiyun.me:443 -tls1_1
openssl s_client -connect www.haiyun.me:443 -tls1

参考:
https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level

Postfix/dovecot配置SMTP/IMAP SSL加密连接

发布时间:July 10, 2012 // 分类:Mail,OpenSSL // No Comments

首先生成SSL证书,如需SSL证书认证可先生成证书请求文件再转交CA认证。
Postfix配置SSL:

#https://www.haiyun.me
cat /etc/postfix/main.cf
#smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/CA/private/server.key
smtpd_tls_cert_file = /etc/postfix/CA/certs/server.crt
smtpd_tls_CAfile = /etc/postfix/CA/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

开启Postfix服务器SMTPS端口监听:

cat /etc/postfix/master.cf
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

测试SMTP SSL是否生效:

openssl s_client -connect smtp.haiyun.me:smtps
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 65424E5937C2EE0453E796BA179DF8F8D92A523FAD5F170CFE11A64E5A0441D3
    Session-ID-ctx: 
    Master-Key: 43EC9C65F8215B3304C62A4E860116D6CA58BFE732514F5B31EC67196D993F43A19E837CA9BD48D6008A06874ED83BB0
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1341366288
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
220 mail.www.haiyun.me ESMTP Postfix
quit
221 2.0.0 Bye

Dovecot配置SSL:

cat /etc/dovecot/conf.d/10-ssl.conf
ssl = yes
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem

测试IMAP/POP SSL是否生效:

openssl s_client -connect smtp..haiyun.me:imaps
openssl s_client -connect smtp..haiyun.me:pops
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: A6CD69E16438BB8CBEA7ABCDF74F1BDC844E00C4C7A3B2446FB87E230788D4A5
    Session-ID-ctx: 
    Master-Key: D6135140AC6BAD1AABFD85CE1A28FA66387B60CF6E6744B0F3BDCEFB82F6B7EA4FF28461E6A007DC03B91787C50CDFE0
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1341363344
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
* OK Dovecot ready.
分类
最新文章
最近回复
  • 海运: 网络,找到相应的url编辑重发请求,firefox有此功能,其它未知。
  • knetxp: 用浏览器F12网络拦截或监听后编辑重发请求,修改url中的set为set_super,将POS...
  • Albert: 啊啊啊啊啊啊啊啊啊 我太激动了,终于好了英文区搜索了半天,翻遍了 pve 论坛没找到好方法,博...
  • jiangker: good, very helpful to me
  • fengfeng: N1 armbian 能有编译下内核吗。。我要开启can 不懂怎么操作
  • 1: 方法一ngtcp2要改下:./configure PKG_CONFIG_PATH=/usr/l...
  • 海运: 关闭服务器
  • 海风: override.battery.charge.low以及override.battery.r...
  • koldjf: 不能过滤
  • 杰迪武士: 此文甚好甚强巨,依照此文在树莓派2 + Rasbian上部署成功 感谢博主美文共赏