常见WebServer开启HTTPS并关闭SSLv3

前段时间爆出“OpenSSL Heartbleed”与“SSLv3中间人攻击”漏洞，为了快速搭建常见WebServer（Nginx、Apache、Tomcat）的HTTPS测试环境以及关闭SSLv3，笔者Mark4z5整理了一份文档。

 

一、Nginx配置HTTPS

1 、安装Nginx

wget http://nginx.org/download/nginx-1.7.1.tar.gz

tar zxvf nginx-1.7.1.tar.gz

cd nginx-1.7.1/

./configure --with-http_ssl_module --prefix=/usr/local/nginx; make; make install

 

2、开启SSL/TLS

 

mkdir /usr/local/nginx/sslkey

cd /usr/local/nginx/sslkey

openssl genrsa -out key.pem 2048

openssl req -new -x509 -nodes -out server.crt -keyout server.key

#一直按回车，什么都不填

 

 

vi /usr/local/nginx/conf/nginx.conf

#去掉HTTPS server相关配置注释并修改文件路径（如下图）

 

/usr/local/nginx/sbin/nginx

#启动nginx，此时nginx监听http（80）和https（443）

 

 

3、关闭SSLv3

 

vi /usr/local/nginx/conf/nginx.conf

#加上配置ssl_protocols TLSv1 TLSv1.1 TLSv1.2;（如下图）

注：隐性默认是SSLv3 TLSv1 TLSv1.1 TLSv1.2

 

/usr/local/nginx/sbin/nginx -s reload

#重启nginx生效

 

 

 

二、 Apache配置HTTPS

1、安装Apache

wget http://apache.dataguru.cn//httpd/httpd-2.2.27.tar.gz

tar zxvf httpd-2.2.27.tar.gz

cd httpd-2.2.27

./configure --enable-ssl --prefix=/usr/local/apache; make; make install

 

2、开启SSL/TLS

cd /usr/local/apache/conf

openssl genrsa -out key.pem 2048

openssl req -new -x509 -nodes -out server.crt -keyout server.key

#一直按回车，什么都不填

 

 

vi /usr/local/apache/conf/httpd.conf

#去掉Include conf/extra/httpd-ssl.conf注释(如下图)

 

/usr/local/apache/bin/httpd

#启动apache，此时apache监听http（80）和https（443）

 

 

3、关闭SSLv3

vi /usr/local/apache/conf/extra/httpd-ssl.conf

#原有配置SSLProtocol all -SSLv2，需修改为SSLProtocol all -SSLv2 -SSLv3（如下图）

 

注：显性默认支持SSLv3 TLSv1 TLSv1.1 TLSv1.2

 

killall -9 httpd

/usr/local/apache/bin/httpd

#重启apache生效

 

 

三、Tomcat配置HTTPS

1、开启SSL/TLS

 

wget http://archive.apache.org/dist/tomcat/tomcat-7/v7.0.54/bin/apache-tomcat-7.0.54.zip

unzip apache-tomcat-7.0.54.zip

cp -R apache-tomcat-7.0.54 /usr/local/tomcat

keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/local/tomcat/keystore

#生成key文件，密码填写123456（如下图）

 

vi /usr/local/tomcat/conf/server.xml

#添加SSL配置（如下图）

 

           port="8443" maxThreads="200"

           scheme="https" secure="true" SSLEnabled="true"

           keystoreFile="/usr/local/tomcat/keystore" keystorePass="123456"

           clientAuth="false" sslProtocol="TLS"

/>

 

 

chmod +x /usr/local/tomcat/bin/*sh

/usr/local/tomcat/bin/startup.sh

#启动tomcat，此时tomcat监听http（8080）和https（8443）

 

 

2、关闭SSLv3

vi /usr/local/tomcat/conf/server.xml

#加上配置sslEnabledProtocols="TLSv1"（如下图）

 

注：隐性默认是SSLv3,TLSv1.0

 

/usr/local/tomcat/bin/shutdown.sh

/usr/local/tomcat/bin/startup.sh

#重启tomcat生效