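Frequently asked questions

WordPress: fixing http links inside posts

1. Log in to the WordPress admin and, under General Settings, change the site URL so that it starts with https.

2. Log in to phpMyAdmin and run the SQL that replaces the links.

Replace the link address in the WordPress configuration (optional; changing the site URL under General Settings is usually enough):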

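-- Rows that hold PHP-serialized data store string lengths, which a raw REPLACE does not update; back up the table first.
UPDATE `wp_options` SET `option_value` = REPLACE(`option_value`, 'http://www.sslcertificateshop.com', 'https://www.sslcertificateshop.com');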

Replace the image link addresses inside posts:

UPDATE `wp_posts` SET `post_content` = REPLACE(`post_content`, 'http://www.sslcertificateshop.com', 'https://www.sslcertificateshop.com');

SHA-256 compatibility list

https://www.digicert.com/sha-2-compatibility.htm

Browsers and servers

Browser Minimum version
Chrome 26+
Firefox 1.5+
Internet Explorer 6+ (With XP SP3+)
Konqueror 3.5.6+
Mozilla 1.4+
Netscape 7.1+
Opera 9.0+
Safari 3+ (Ships with OS X 10.5)
Server Minimum version
4D Server 14.01+
Amazon Web Services (AWS)1 Yes
Apache 2.0.63+ w/ OpenSSL 0.9.8o+
Barracuda Network Access Client 3.5+
Cisco ASA 5500 8.2.3.9+ for AnyConnect VPN Sessions; 8.4(2)+ for other functionalities
Citrix Receiver Varies – See PDF (FIPS 140 & SHA-2 Line)
CrushFTP 7.1.0+
F5 BIG-IP 10.1.0+
IBM Domino Server2 9.0+ (Bundled with HTTP 8.5+)
IBM HTTP Server2 8.5+ (Bundled with Domino 9+)
IBM z/OS v1r10+
Java based products Java 1.4.2+
Mozilla NSS Based Products 3.8+
OpenSSL based products OpenSSL 0.9.8o+
Oracle Wallet Manager 11.2.0.1+
Oracle Weblogic 10.3.1+
SonicOS (SonicWALL) 5.9.0.0+
WebSphere MQ 7.0.1.4+
Nginx Depends on the OpenSSL version

Servers that do not support SHA-256

  • Citrix Secure Gateway
  • Citrix Access Gateway
  • Citrix Access Essentials version 3
  • Juniper SBR
  • Citrix Receiver models
  • Blackberry 2.2 / BlackBerry 1.0 Tech Preview
  • Cisco ACE module software versions A2 and A3
  • Windows Server 2003 on which the patch 938397 allowing SHA256 support has not been installed
    See http://support.microsoft.com/kb/938397  (patch required)
  • Windows 2000

Database support for SHA-2

Database Minimum Version
MySQL 5.5.5+
PostgreSQL 8.1 / 8.2*

How to add and remove a passphrase on an SSL key

1. Check whether the SSL key passphrase is correct

openssl rsa -text -noout -in server.key
Command output:
Private-Key: (2048 bit)
   modulus:
       00:b0:fd:c2:81:60:3f:d2:dc:fe:2d:34:c6:46:1e:
       08:72:c3:78:f3:4d:12:16:b9:39:3e:0b:d3:8b:e7:
       ...

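2. Add a passphrase to server.key

# -aes256 encrypts the key with AES-256; single DES (-des) is a weak cipher
openssl rsa -aes256 -in server.key -out encrypt.key

Output:
writing RSA key
     Enter PEM pass phrase:  (enter the passphrase)
     Verifying - Enter PEM pass phrase:  (enter the passphrase again)
encrypt.key is the encrypted key file.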

3. Remove the passphrase

encrypt.key        encrypted key
nopassword.key     unencrypted key
openssl rsa -in encrypt.key -out nopassword.key
writing RSA key
     Enter PEM pass phrase:  (enter the passphrase)
     Verifying - Enter PEM pass phrase:  (enter the passphrase again)
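
Steps 1 to 3 above as a non-interactive round trip, added here as an example that is not part of the original page. It assumes the passphrase is supplied in an environment variable named KEY_PASS (so it stays off the command line) and uses AES-256; the helper function names are hypothetical.

```sh
# Added example; KEY_PASS and the helper names are assumptions, file names follow steps 1-3.

# True if the PEM file is passphrase-protected (traditional or PKCS#8 header).
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Step 1: true if the passphrase in $KEY_PASS opens key file $1.
key_passphrase_ok() {
    openssl rsa -in "$1" -passin env:KEY_PASS -noout >/dev/null 2>&1
}

# Step 2: encrypt key $1 into $2 with AES-256, passphrase from $KEY_PASS.
key_add_passphrase() {
    openssl rsa -aes256 -in "$1" -out "$2" -passout env:KEY_PASS 2>/dev/null
}

# Step 3: write an unencrypted copy of key $1 to $2.
key_remove_passphrase() {
    openssl rsa -in "$1" -passin env:KEY_PASS -out "$2" 2>/dev/null
}

# Print the RSA modulus, used to confirm two files hold the same key.
key_modulus() {
    openssl rsa -in "$1" -passin env:KEY_PASS -noout -modulus 2>/dev/null
}

# Round trip on a throwaway key; returns 0 only if every check passes.
roundtrip_demo() (
    umask 077                                   # key files owner-readable only
    dir=$(mktemp -d) || exit 1
    rc=0
    (
        cd "$dir" || exit 1
        export KEY_PASS='constructed-sample-passphrase'
        openssl genrsa -out server.key 2048 2>/dev/null  || exit 1
        key_add_passphrase server.key encrypt.key        || exit 1
        key_is_encrypted encrypt.key                     || exit 1
        key_passphrase_ok encrypt.key                    || exit 1
        ( KEY_PASS=wrong; key_passphrase_ok encrypt.key ) && exit 1  # must be rejected
        key_remove_passphrase encrypt.key nopassword.key || exit 1
        key_is_encrypted nopassword.key                  && exit 1
        m=$(key_modulus server.key) && [ -n "$m" ] && [ "$m" = "$(key_modulus nopassword.key)" ]
    ) || rc=$?
    rm -rf "$dir"
    exit "$rc"
)
roundtrip_demo && echo "round trip OK"
```

The unencrypted copy in nopassword.key is as sensitive as the original key, so it needs the same restrictive file permissions.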

ECC SSL certificate compatibility

Operating systems

Operating system Minimum version
Apple OS X OS X 10.6
Google Android 4.0
Microsoft Windows Windows Vista
Red Hat Enterprise Linux 6.5

Browsers

Browser Minimum version
Apple Safari 4 (On ECC Compatible OS)
Google Chrome 1.0 (On ECC Compatible OS)
Microsoft Internet Explorer IE7 (On ECC Compatible OS)
Mozilla Firefox 2.0

Web server support

Server Minimum version
Apache HTTP Server 2.2.26
Apache Tomcat 1.1.30
Dovecot 2.2.5
IBM HTTP Server 8.0 w/ PM80235
NGINX 1.1.0
Sun Java System Web Server 7.0
Windows Server 2008

Library Support:

Library Minimum Version Required
Bouncy Castle [3] 1.04
GnuTLS [9] 2.99.2
Java* [4] [17] JDK 5 / JDK 7
NSS 3.8
OpenSSL 0.9.8
OpenSSL FIPS Object Module FIPS Object Module 2.0 (OpenSSL 1.0.1)

Source: https://support.globalsign.com/customer/portal/articles/1995283-ecc-compatibility

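Optimizing SSL for Baidu indexing

The site must be reachable over both https and http. This is not recommended for sites with fixed link addresses.

# $flag gains one digit per condition; "112" means both conditions held
set $flag 1;
# The request does not come from Baiduspider
# (User-Agent is client-supplied, so any client sending "Baiduspider" also stays on http)
if ($http_user_agent !~* Baiduspider) {
    set $flag "${flag}1";
}
# Used for Baidu Webmaster Platform verification: the request is not for the verification file
if ($request_uri !~ ^.*/baidu.*\.html.*) {
    set $flag "${flag}2";
}
# Neither the crawler nor the verification file: redirect to https
if ($flag = "112") {
    return 301 https://www.sslcertificateshop.com$request_uri;
}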

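Enabling SNI in DirectAdmin

Enabling SNI in DirectAdmin allows multiple certificates to be installed on a shared IP.

http://directadmin.com/features.php?id=1100

Edit directadmin.conf:

enable_ssl_sni=0

Change it to:

enable_ssl_sni=1

CentOS 5 and Debian 5 do not support SNI; an upgrade to CentOS 6 or later is required.

Internet Explorer on Windows XP does not support SNI.

Other reference documents: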

http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI