一、问题背景
image.png
image.png
image.png
# yum -y install nmap
# nmap -sV -p 443 --script ssl* www.example.com
Host is up (0.000052s latency).
PORT STATE SERVICE VERSION
443/tcp open ssl/https?
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2022-01-13T00:00:00+00:00
| Not valid after: 2023-02-10T23:59:59+00:00
| MD5: 72db ba18 bf13 30f5 6b04 4768 1086 f456
|_SHA-1: 7bfc 6661 ebb9 84f2 9f71 fc0e ea0c 68d2 7b4a 88ab
| ssl-enum-ciphers:
| SSLv3: No supported ciphers found
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| compressors:
| NULL
|_ least strength: strong
| ssl-google-cert-catalog:
|_ No DB entry
二、处理方式
# cat /path/to/nginx.conf
##将 TLSv1 去掉
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
## 在带DES 的加解密套件前加 ! 号,禁用
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DHE';
# /path/to/nginx -t
# /path/to/nginx -s reload
# nmap -sV -p 443 --script ssl* www.example.com
image.png
从输出可以看出,已经禁用了 TLSv1 和 DES相关加解密套件。
三、其他影响
禁掉对 TLSv1.0、 DES 相关加解密套件支持,如果有其他系统对接本系统可能有影响,需要对接方操作系统升级 NSS版本。
curl -sSL -v https://www.example.com:443
* About to connect() to x.x.x.x port 443 (#0)
* Trying x.x.x.x... connected
* Connected to www.example.com (x.x.x.x) port 768 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS error -5961
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error
image.png
# yum info nss
# rpm -qa | grep nss
# yum -y update nss
image.png
image.png
四、参考
cURL SSL连接错误35与NSS错误-5961(示例代码)
http://www.136.la/shida/show-411617.html
API调用遇到SSL connect error或者connection reset错误
https://bbs.huaweicloud.com/blogs/113067
curl SSL connect error – NSS error -5961
https://thinlight.org/2017/11/06/curl-ssl-connect-error-nss-error-5961
网友评论