漏洞修复 Nginx TLSSSL 弱密码套件

扫描结果

shell 复制代码
[root@localhost nmap]# docker run --rm -v $(pwd)/results:/results securecodebox/nmap nmap --script ssl-enum-ciphers -p 443 xxx.cn -oX /results/output_0904.xml
Starting Nmap 7.80 ( https://nmap.org ) at 2025-09-04 05:02 UTC
Nmap scan report for xxx.cn (ip)
Host is up (0.019s latency).
Other addresses for xxx.cn (not scanned): ip

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 2.91 seconds

解决,先在测试环境试试

修改配置前,测试

shell 复制代码
[root@localhost nmap]# docker run --rm -v $(pwd)/results:/results securecodebox/nmap nmap --script ssl-enum-ciphers -p 5173 test_ip -oX /results/output_21_test.xml
Starting Nmap 7.80 ( https://nmap.org ) at 2025-09-04 05:06 UTC
Nmap scan report for test_ip
Host is up (0.00096s latency).

PORT     STATE SERVICE
5173/tcp open  unknown
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds

Nginx 配置修改前

shell 复制代码
    ssl_prefer_server_ciphers  on;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';

Nginx 配置修改后

shell 复制代码
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.3;

Nginx 修改配置后,测试

shell 复制代码
[root@localhost nmap]# docker run --rm -v $(pwd)/results:/results securecodebox/nmap nmap --script ssl-enum-ciphers -p 5173 test_ip -oX /results/output_21_test.xml
Starting Nmap 7.80 ( https://nmap.org ) at 2025-09-04 05:07 UTC
Nmap scan report for test_ip
Host is up (0.00048s latency).

PORT     STATE SERVICE
5173/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.44 seconds

生产环境复扫,还是存在问题

原因:应该是外面还包了一层导致的,应该是服务商的云防护之类的东西,我们修复也没有用。

结论

测试环境还是修复完成了。

生产环境让提供网关的服务商修复即可。

后续

复扫

shell 复制代码
[root@localhost nmap]# docker run --rm -v $(pwd)/results:/results securecodebox/nmap nmap --script ssl-enum-ciphers -p 443 test.cn -oX /results/output_0904.xml
Starting Nmap 7.80 ( https://nmap.org ) at 2025-09-04 06:29 UTC
Nmap scan report for test.cn (ip)
Host is up (0.020s latency).
Other addresses for test.cn (not scanned): 112.84.222.49

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 14.57 seconds
相关推荐
tritone2 小时前
我在阿贝云免费服务器上搭建RustDesk自建服务器(Self-Hosting)的真实体验【推荐】
运维·服务器
2301_800050992 小时前
DNS 服务器
linux·运维·笔记
慌糖2 小时前
自动化接口框架搭建分享-pytest第二部分
运维·自动化·pytest
Lin_Aries_04212 小时前
容器化简单的 Java 应用程序
java·linux·运维·开发语言·docker·容器·rpc
岁岁种桃花儿3 小时前
详解 Kubernetes 命令:kubectl exec -it nginx -- bash 及实战场景
运维·nginx·kubernetes
小牛马爱写博客3 小时前
DNS 服务器与 DHCP 服务器详解及配置指南
linux·运维·服务器·dns·dhcp
维尔切3 小时前
HAProxy 负载均衡器
linux·运维·数据库·负载均衡
VueVirtuoso3 小时前
前后端部署 + Nginx 配置 + Cloudflare 全攻略(通俗易懂版)
运维·nginx
QQ12958455043 小时前
服务器跨域问题CORS的解决
运维·服务器
小白银子3 小时前
零基础从头教学Linux(Day 42)
linux·运维·服务器·网络·nginx