Configuration guide:
You need to configure a cipher suite list that supports perfect forward secrecy (PFS). The currently recommended list is:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4
TLS 1.2 must be enabled among the server-side TLS protocols. The currently recommended configuration is:
TLSv1 TLSv1.1 TLSv1.2
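An added example, not part of the original guide: a Python check that asks the local OpenSSL build (through the standard ssl module) which suites the recommended cipher string actually enables, in preference order, and which of them provide forward secrecy. The function names are illustrative, and the exact suite list depends on the installed OpenSSL version.

```python
import ssl

# Cipher list recommended by this guide (OpenSSL cipher-string syntax).
RECOMMENDED = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:"
               "!NULL:!aNULL:!MD5:!ADH:!RC4")


def expand(cipher_string):
    """Return the TLS 1.2-and-below suites the string enables, in server
    preference order, as the dicts produced by SSLContext.get_ciphers()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are not controlled by this string, so leave them out.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def is_forward_secret(suite):
    """True when the key exchange is ephemeral (ECDHE or DHE variants)."""
    return "dhe" in suite["kea"]  # 'kx-ecdhe', 'kx-dhe', 'kx-ecdhe-psk', ...


def audit(cipher_string):
    """Summarise what a cipher string means for an ATS / PFS review."""
    suites = expand(cipher_string)
    return {
        "preferred": suites[0]["name"],
        "pfs": [s["name"] for s in suites if is_forward_secret(s)],
        "non_pfs": [s["name"] for s in suites if not is_forward_secret(s)],
        "anonymous": [s["name"] for s in suites if s["auth"] == "auth-null"],
    }


if __name__ == "__main__":
    report = audit(RECOMMENDED)
    print("preferred suite :", report["preferred"])
    print("forward secret  :", len(report["pfs"]))
    print("no PFS fallback :", len(report["non_pfs"]))
    for name in report["non_pfs"]:
        print("   ", name)
```

The non_pfs list is normally not empty: the AES and HIGH keywords also admit suites without ephemeral key exchange, so the string orders ECDHE first rather than making forward secrecy mandatory.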
1. Nginx Certificate Configuration
Update the conf/nginx.conf file under the Nginx root directory as follows:
server {
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
2. Apache Certificate Configuration
Update the conf/httpd.conf file under the Apache root directory as follows:
<IfModule mod_ssl.c>
<VirtualHost *:443>
    SSLProtocol TLSv1 TLSv1.1 TLSv1.2
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4
</VirtualHost>
</IfModule>
3. Tomcat Certificate Configuration
Update the %TOMCAT_HOME%\conf\server.xml file as follows:
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4" />
4. IIS Certificate Configuration
4.1 Method One
Windows 2008 and earlier versions do not support the TLS 1.2 protocol, so they cannot be adjusted. On 2008 R2, the TLS 1.2 protocol is off by default and must be enabled to meet ATS requirements.
Taking 2008 R2 as an example: no adjustments have been made to the protocols or cipher suites after the certificate is imported.
After the certificate is imported, testing shows that the cipher suites meet ATS requirements, but the TLS 1.2 protocol is not enabled, and ATS needs TLS 1.2 support. The Ssltools tool (offered by Asia integrity) can be used to enable the TLS 1.2 protocol.
Check all three TLS protocols and restart the system.
If testing shows that PFS is not supported, select the entries with ECDHE and DHE in the cipher suite list.
4.2 Method Two
Start -> Run, enter regedit.
Find HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols, then right-click -> New and create the keys TLS 1.1 and TLS 1.2.
Under both TLS 1.1 and TLS 1.2, right-click -> New and create the keys Server and Client.
Create the following entries (DWORD 32-bit value) in both the new Server and Client keys, a total of 4:
DisabledByDefault [Value = 0]
Enabled [Value = 1]
Reboot the system after completion.
Cipher Suite Tuning
If forward secrecy cipher suites are not supported, the Group Policy Editor can be used to adjust them.
Start Menu -> Run, enter gpedit.msc to adjust the cipher suites. The TLS 1.2 protocol must be enabled before this operation.
Double-click SSL Cipher Suite Order.
Add the supported ECDHE cipher suites to the SSL cipher suite list, separated by commas (,).
Open a blank WordPad document.
Copy the list of available suites from the right-hand pane and paste it into the document.
Arrange the suites in the correct order, and remove any suites you don't want to use.
Type a comma at the end of each suite name (except for the last suite name). Make sure that no spaces are embedded.
Remove all line breaks so that the cipher suite names are on a single long line.
Copy the cipher suite line to the Clipboard, and then paste it into the edit box. The maximum length is 1023 characters.
The following suites can be added to the cipher suite list:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Appendix:
Recommended suite combinations:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
Apple ATS feature Server Certificate Configuration Guide