The root cause of this problem is that OpenSSL 1.1.0+ disables the 3DES family of cipher suites by default:

For the 1.1.0 release, which we expect to release tomorrow, we will treat triple-DES just like we are treating RC4. It is not compiled by default; you have to use “enable-weak-ssl-ciphers” as a config option. via

After upgrading to OpenSSL 1.1.0+, you must either drop support for Windows XP + IE8 or add the enable-weak-ssl-ciphers option at build time. For example, these are my Nginx build options:

./configure --add-module=../ngx_brotli --add-module=../nginx-ct-1.3.2 \
    --with-openssl=../openssl \
    --with-openssl-opt='enable-tls1_3 enable-weak-ssl-ciphers' \
    --with-http_v2_module --with-http_ssl_module \
    --with-http_gzip_static_module
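
To confirm whether a given OpenSSL build actually carries the 3DES suites (that is, whether enable-weak-ssl-ciphers took effect), the output of `openssl ciphers -v` can be filtered on its Enc= column. The script below is an added example, not part of the original post; the function names and the two sample cipher lists are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect `openssl ciphers -v` output (read from stdin) for 3DES.
# Live use, with the openssl binary that belongs to the build being checked:
#   openssl ciphers -v 'ALL' | tdes_suites

# Print the name of every suite whose Enc= column is 3DES(168).
tdes_suites() {
    awk '{ for (i = 2; i <= NF; i++)
               if ($i == "Enc=3DES(168)") { print $1; break } }'
}

# build_matches <enabled|disabled>: succeed when the cipher list on stdin
# agrees with the expected state of the enable-weak-ssl-ciphers option.
build_matches() {
    found=$(tdes_suites | wc -l | tr -d ' ')
    case "$1" in
        enabled)  [ "$found" -gt 0 ] ;;
        disabled) [ "$found" -eq 0 ] ;;
        *) echo "usage: build_matches enabled|disabled" >&2; return 2 ;;
    esac
}

# Constructed sample: a default 1.1.0+ build, no 3DES compiled in.
sample_default() {
cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
EOF
}

# Constructed sample: a build configured with enable-weak-ssl-ciphers.
sample_weak() {
cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-DES-CBC3-SHA TLSv1 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
EOF
}

# Demo on the constructed samples.
echo "3DES suites in weak-enabled sample:"
sample_weak | tdes_suites
sample_default | build_matches disabled && echo "default sample: 3DES absent"
```
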