NC支持tls1.2
WAS
服务器双网卡 172.19.74.12 192.168.1.1
nginx -ihs-was (IHS与nginx 必须不同ip 相同端口)
IHS的httpdconf中所有的带端口的地方均改为内网IP:PORT
Listen 172.19.74.12:80
ServerName 172.19.74.12:80
Listen 172.19.74.12:443
<VirtualHost 172.19.74.12:443>
nginx.conf
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 3600;
client_header_timeout 3600;
client_body_timeout 3600;
client_max_body_size 1024m;
client_body_buffer_size 8m;
underscores_in_headers on;
server {
listen 80;#也可以80直接由ihs暴露出去()
server_name www.abcd.com;
location / {
send_timeout 3600;
proxy_connect_timeout 3600;
proxy_read_timeout 3600;
proxy_send_timeout 3600;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
add_header X-Frame-Options SAMEORIGIN;
proxy_pass http://172.19.74.12;
}
}
server {
listen 443;
server_name www.abcd.com;
ssl on;
ssl_certificate server.crt;
ssl_certificate_key server.key;
ssl_session_timeout 5m;
ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';
ssl_protocols TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
location / {
proxy_pass https://172.19.74.12;
send_timeout 3600;
proxy_connect_timeout 3600;
proxy_read_timeout 3600;
proxy_send_timeout 3600;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
add_header X-Frame-Options SAMEORIGIN;
#HSTS
add_header Strict-Transport-Security 'max-age=63072000;includeSubdomains;preload';
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
WAS其他办法(推荐使用这个!!!)
WAS低版本 WAS环境配置HTTPS仅需要IHS配置IHS即可 ,只有IHS8+才能支持TLS1.2 所以可以IHS8 +was7来时间TLS1.2
参见http://publib.boulder.ibm.com/httpserv/ihsdiag/ihs8was7.html 更低版本的有时间可以试一下
WAS8 都所说事支持TLS1.2但是直接配置SSLProtocolEnable TLSv12 无法启动
配置方法见 https://www.ibm.com/support/knowledgecenter/zh/SSYMRC_5.0.0/com.ibm.jazz.install.doc/topics/t_enable_tls1.2_ihs.html
The TLSv1.1 and TLSv1.2 protocols are enabled by default in IBM HTTP Server on z/OS versions 8.0.0.10 and 8.5.5.4 and later.
(我理解是大于这俩版本才可以直接支持8.5.0.1 不later 8.0.0.10!!,下边边的页面涉及到IHSssl中的所有参数)
https://www.ibm.com/support/knowledgecenter/SSEQTJ_8.5.5/com.ibm.websphere.ihs.doc/ihs/rihs_ssldirs.html#rihs_ssldirs__SSLProtocolEnable
要么升级 要么其他方法:
SSLProtocolDisable TLSv10 TLSv11
SSLCipherSpec TLSv12 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256
http://publib.boulder.ibm.com/httpserv/ihsdiag/ssl_questions.html#sha2ciphers
整个was的其他方法来自于
https://developer.ibm.com/answers/search.html?f=&type=question&redirect=search%2Fsearch&sort=relevance&q=ihs+tls1.2
https://www.ibm.com/mysupport/s/question/0D50z000062l3zjCAA/configure-ihs-v70-to-support-tlsv12?language=zh_CN
nc单机
httpd-2.2.23 and newer support TLS1.1 TLS1.2 且需要openssl1.0.1 +的支持 不用nginx也ok
服务器双网卡 172.19.74.12 192.168.1.1 (也可以直接apachetls1.2 )
nginx -apache-nc (apache与nginx 必须不同ip 相同端口)
httpd-ssl.conf (已经配置了apchessl 转发NC)
<VirtualHost 172.19.47.12:443>
ServerName 172.19.47.12:443
Listen 172.19.47.12:443
nginx 配置文件没有变化
openssl s_client -connect hostname:port 可以检查当前端口是否支持tls1.2
客户端需要修改的东西
Java1.7 默认不支持tls1.2 需要如下参数开启 java1.8默认支持不需要改动
-Dhttps.protocols=TLSv1.2
遇到问题
跨域:
双网卡、同端口解决
portal静态文件无法加载
使用nginx1.12解决见https://files-cdn.cnblogs.com/files/qtong/nginx-win-1.12.7z
如下网站监测 https的安全性
https://myssl.com/
https://www.ssllabs.com/ssltest/analyze.html
最佳实践
https://blog.myssl.com/tag/zui-jia-shi-jian/
apache文档
http://httpd.apache.org/docs/2.4/
配置范例网站
https://www.trustauth.cn/ssl-guide/26878.html
https://mozilla.github.io/server-side-tls/ssl-config-generator/
资源下载
mod_jd.so http://archive.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/windows/
apache-win https://www.apachelounge.com/download/
浙公网安备 33010602011771号