Enable Perfect Forward Secrecy in Nginx

Zeuxis  2014-01-02  Notes / Server

原先的 SSL/HTTPS 設定是

1
2
3
ssl_protocols             SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers               ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;

現在換成

1
2
3
ssl_prefer_server_ciphers on;
ssl_protocols             SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers               ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:ECDH

之後重啟 Nginx

1
../../nginx.sh reload

檢查:

  1. 打開 Chrome 查看網站.
  2. 點擊網址欄左邊的那個綠色鎖
  3. 點擊 Connection 的那個 Tab
  4. 在第二行那裡應該會看見 ECDHE_XXX 的字眼

或者:

  1. 打開 https://www.ssllabs.com 網站輸入網址檢查

參考:

© Copyright 2007 - 2023 by Zeuxis Lo.