掃描結果

[root@localhost nmap]# docker run --rm -v $(pwd)/results:/results securecodebox/nmap nmap --script ssl-enum-ciphers -p 443 xxx.cn -oX /results/output_0904.xml
Starting Nmap 7.80 ( https://nmap.org ) at 2025-09-04 05:02 UTC
Nmap scan report for xxx.cn (ip)
Host is up (0.019s latency).
Other addresses for xxx.cn (not scanned): ipPORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: ANmap done: 1 IP address (1 host up) scanned in 2.91 seconds

解決，先在測試環境試試

修改配置前，測試

[root@localhost nmap]# docker run --rm -v $(pwd)/results:/results securecodebox/nmap nmap --script ssl-enum-ciphers -p 5173 test_ip -oX /results/output_21_test.xml
Starting Nmap 7.80 ( https://nmap.org ) at 2025-09-04 05:06 UTC
Nmap scan report for test_ip
Host is up (0.00096s latency).PORT     STATE SERVICE
5173/tcp open  unknown
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: ANmap done: 1 IP address (1 host up) scanned in 0.47 seconds

Nginx 配置修改前

    ssl_prefer_server_ciphers  on;ssl_protocols TLSv1.2 TLSv1.3;ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';

Nginx 配置修改后

    ssl_prefer_server_ciphers on;ssl_protocols TLSv1.3;

Nginx 修改配置后，測試

[root@localhost nmap]# docker run --rm -v $(pwd)/results:/results securecodebox/nmap nmap --script ssl-enum-ciphers -p 5173 test_ip -oX /results/output_21_test.xml
Starting Nmap 7.80 ( https://nmap.org ) at 2025-09-04 05:07 UTC
Nmap scan report for test_ip
Host is up (0.00048s latency).PORT     STATE SERVICE
5173/tcp open  unknownNmap done: 1 IP address (1 host up) scanned in 0.44 seconds

生產環境復掃，還是存在問題

原因：應該是外面還包了一層導致的，應該是服務商的云防護之類的東西，我們修復也沒有用。

結論

測試環境還是修復完成了。
生產環境讓提供網關的服務商修復即可。

后續

復掃

[root@localhost nmap]# docker run --rm -v $(pwd)/results:/results securecodebox/nmap nmap --script ssl-enum-ciphers -p 443 test.cn -oX /results/output_0904.xml
Starting Nmap 7.80 ( https://nmap.org ) at 2025-09-04 06:29 UTC
Nmap scan report for test.cn (ip)
Host is up (0.020s latency).
Other addresses for test.cn (not scanned): 112.84.222.49PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: ANmap done: 1 IP address (1 host up) scanned in 14.57 seconds

在線驗證