Fixing a site that will not open in IE on Windows 7 after enabling HTTPS
Main configuration:
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate /usr/local/nginx_server/ssl_key/example.com.pem;
    ssl_certificate_key /usr/local/nginx_server/ssl_key/example.com.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;
    # note: this emits a Set-Cookie header with no name=value pair; it does not
    # add these flags to cookies set by the application
    add_header Set-Cookie "HttpOnly; Secure; SameSite=Strict";
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
}
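I searched online for a long time, and every answer said to change the TLS protocol versions in Internet Options. My configuration file enables TLSv1.2 and TLSv1.3, and the corresponding protocols were already ticked in Internet Options (if you do change them there, the computer must be restarted for the change to take effect), but it made no difference at all.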

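So I commented out every SSL-related directive except the two certificate path directives, one at a time, and tested after each change. When I finally commented out the ssl_ciphers line, the site opened normally, so the cause was that IE does not support the cipher suites that were specified.
I then found some older cipher suites and added them to the configuration, after which the page could be accessed normally: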
ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256;
The complete cipher suite configuration:
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256;
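Why the first list failed and the extended one works, as an added Python example (not the author's code): a simplified model of TLS 1.2 cipher-suite selection over the two ssl_ciphers lists above. The client offer lists and the RSA certificate type are constructed assumptions, not the actual list IE on Windows 7 sends.

```python
# Added example: simplified model of TLS 1.2 cipher-suite selection (TLS 1.3 not modelled).
ORIGINAL = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)
LEGACY_ADDED = (
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256"
)
EXTENDED = ORIGINAL + ":" + LEGACY_ADDED

# Constructed client offers, in client preference order (assumptions for illustration).
LEGACY_CLIENT = ["ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA256",
                 "DHE-RSA-AES128-SHA256"]
MODERN_CLIENT = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA256"]

def parse(cipher_string):
    """Split an nginx ssl_ciphers value into OpenSSL suite names."""
    return [c for c in cipher_string.strip().rstrip(";").split(":") if c]

def auth_of(suite):
    """Certificate key type a suite needs (plain RSA key exchange implies RSA)."""
    parts = suite.split("-")
    return parts[1] if parts[0] in ("ECDHE", "DHE") else "RSA"

def is_aead(suite):
    """GCM and CHACHA20-POLY1305 are AEAD; the -SHA256/-SHA384 suites are CBC."""
    return "GCM" in suite or "CHACHA20" in suite

def negotiate(server, client, cert_auth="RSA", prefer_server=False):
    """Return the selected suite, or None when the handshake would fail."""
    usable = [s for s in parse(server) if auth_of(s) == cert_auth]
    # ssl_prefer_server_ciphers off: the client's order decides; on: the server's.
    first, second = (usable, client) if prefer_server else (client, usable)
    return next((s for s in first if s in second), None)

if __name__ == "__main__":
    for label, server in (("original", ORIGINAL), ("extended", EXTENDED)):
        for cname, client in (("legacy", LEGACY_CLIENT), ("modern", MODERN_CLIENT)):
            chosen = negotiate(server, client)
            mode = "none" if chosen is None else ("AEAD" if is_aead(chosen) else "CBC")
            print(f"{label:8} {cname:6} -> {chosen} ({mode})")
```

All six added suites are CBC-mode; because the AEAD suites stay first in the list, a client that offers them first still negotiates an AEAD suite.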
Here is an SSL configuration generator I recommend: https://ssl-config.mozilla.org/ It can generate an SSL configuration to suit your clients.