完整配置

{
    # NOTE(review): the opening directive of this block (the server { ... } it belongs to, presumably)
    # is outside this excerpt — confirm where these directives live.

    # TLS 1.2 cipher list: AEAD-only suites (AES-GCM and CHACHA20-POLY1305), so no CBC suite
    # can be negotiated, which is what the CBC finding below is about.
    # NOTE(review): on OpenSSL-based nginx builds the TLS_AES_* names in this list are not what
    # governs the TLS 1.3 suites (those are configured with `ssl_conf_command Ciphersuites`);
    # confirm for this build rather than relying on the names here.
    ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    # Only TLS 1.2 and TLS 1.3 are offered; TLS 1.0/1.1 are never negotiated.
    ssl_protocols       TLSv1.2 TLSv1.3;
    # Session handling: performance and hardening
    ssl_prefer_server_ciphers on;          # server's preference order wins during TLS 1.2 cipher negotiation
    ssl_session_cache shared:SSL:10m;   # session cache shared across worker processes, 10 MB
    ssl_session_timeout 10m;              # cached sessions expire after 10 minutes
    ssl_session_tickets off;              # no session tickets (can be enabled in some scenarios); the usual reason is that an unrotated ticket key weakens forward secrecy
    # OCSP stapling: the server attaches the OCSP response to the handshake so clients skip their own lookup.
    # NOTE(review): with ssl_stapling_verify on, nginx also needs the issuer chain via ssl_trusted_certificate
    # and a resolver directive for the OCSP responder hostname; neither appears in this excerpt — confirm
    # they are set elsewhere, otherwise stapling will not actually take effect.
    ssl_stapling on;
    ssl_stapling_verify on;

}

远程主机支持 CBC 加密套件。Cipher Block Chaining(CBC,密码块链接)是一种对称加密模式;TLS 中的 CBC 套件曾受多种填充预言类攻击影响,因此扫描器会将其标记为风险项。上面配置中的 ssl_ciphers 只包含 GCM 与 CHACHA20-POLY1305 这类 AEAD 套件,不含任何 CBC 套件。

#修改方法
# Fix: restrict the cipher list to AEAD suites (AES-GCM / CHACHA20-POLY1305) so no CBC suite is offered,
# and keep only TLS 1.2/1.3 enabled.
# NOTE(review): on OpenSSL-based builds the TLS_AES_* names do not control TLS 1.3 suites
# (see `ssl_conf_command Ciphersuites`); confirm for this build.
ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
ssl_protocols       TLSv1.2 TLSv1.3;



(1) 检查是否禁用 CBC
重新加载 nginx 配置后运行以下命令,确认输出的加密套件列表中不包含任何 CBC 套件:
# Enumerates the cipher suites the server actually offers on 443 after the change;
# only GCM / CHACHA20-POLY1305 suite names should appear, none containing "CBC".
nmap --script ssl-enum-ciphers -p 443   zs.cdnxx.edu.cn
nmap --script ssl-enum-ciphers -p 443   admission.lvu.edu.cn