Compiling OpenSSL 1.1.1 following an online tutorial

1  Overview

First, the OpenSSL shipped with the system needs to be upgraded: the bundled OpenSSL is fairly old and a number of OpenSSL flaws have already been disclosed, so upgrading is clearly the best option. Here I use nginx 1.11.6 as the example and set up an HTTPS site with it. For OpenSSL, see "Compiling and installing OpenSSL on CentOS"; for SSL certificates, see "Applying for a free SSL certificate from Let's Encrypt".

Checking the nginx build information also shows that it was compiled against OpenSSL 1.1.1.

To serve HTTPS pages with nginx you use the ngx_http_ssl_module module. This article covers several everyday uses of that module and ends up with two HTTPS sites on one physical machine. Note: check with nginx -V; if the output contains TLS SNI support enabled, the build supports multiple HTTPS hosts on a single machine.

Upgrading nginx

root@bccnsoft:~# nginx -V
nginx version: nginx/1.17.0
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4)
built with OpenSSL 1.1.1c  28 May 2019

TLS SNI support enabled

2  Module configuration

1. Download OpenSSL, unpack it and rename the directory to openssl

Then, no matter what I tried, the browser kept showing TLS 1.2; however many restarts and debugging rounds, it was still TLS 1.2. It drove me up the wall!

2.1 ssl

wget -c

tar zxvf openssl-1.0.2j.tar.gz

cd openssl-1.0.2j

After wasting a whole day I finally found the pitfall:

ssl  on | off;

2. Enter the nginx source directory

Every site configuration in nginx must include ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;

If even one site's server { … } block lacks ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; there is a good chance that TLS 1.3 fails to come up for all sites. Note the word "chance": it may just as well keep working. Maddening.

In short, to make sure TLS 1.3 is really enabled, put ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; in every site's server { … } block.

Enables the HTTPS protocol for the given virtual host; using the ssl parameter of the listen directive is recommended instead.

cd nginx-1.11.6

./configure --user=www --group=www --prefix=/usr/local/nginx \
    --with-http_stub_status_module --with-http_ssl_module \
    --with-http_v2_module --with-http_gzip_static_module \
    --with-http_sub_module --with-openssl=/root/openssl && make

2.2 ssl_certificate

3. Copy the compiled nginx binary over the installed nginx

ssl_certificate  file;

cp /usr/local/nginx/sbin/nginx{,.old} # back up the previous nginx binary

cp ./objs/nginx /usr/local/nginx/sbin/

The PEM-format certificate file used by the current virtual host

4. Check the nginx build

Create a self-signed certificate file

[root@host-133-130-118-235 sbin]# ./nginx -V

nginx version: nginx/1.11.6

built by gcc 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC)

built with OpenSSL 1.0.2j  26 Sep 2016

TLS SNI support enabled

configure arguments: --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --with-http_sub_module --with-openssl=/root/openssl
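The two nginx -V listings on this page are the only evidence of what the rebuilt binary actually links: the second one still reports OpenSSL 1.0.2j, which cannot negotiate TLS 1.3 at all. The following shell function is an added example, not part of the original post or of nginx; it reads nginx -V output (piped in, since nginx prints it to stderr) and checks the two facts that matter for this page: an OpenSSL version of at least 1.1.1 and SNI support. The function name check_nginx_build is my own.

```shell
# Added example (mine, not the original post's): confirm from `nginx -V` output
# that the rebuilt binary links OpenSSL >= 1.1.1 (needed for TLS 1.3) and has
# "TLS SNI support enabled" (needed for several HTTPS server_names on one port).
# nginx -V writes to stderr, so call it as:  nginx -V 2>&1 | check_nginx_build
check_nginx_build() {
    out=$(cat)
    rc=0

    if printf '%s\n' "$out" | grep -q 'TLS SNI support enabled'; then
        echo "ok: TLS SNI support enabled"
    else
        echo "FAIL: TLS SNI support not enabled"
        rc=1
    fi

    # OpenSSL version the binary was built against, e.g. "1.0.2j" -> 1.0.2
    ver=$(printf '%s\n' "$out" \
          | sed -n 's/.*built with OpenSSL \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    if [ -z "$ver" ]; then
        echo "FAIL: no 'built with OpenSSL' line found"
        return 1
    fi

    # compare major.minor.patch against 1.1.1 (trailing letters are ignored)
    oldifs=$IFS; IFS=.; set -- $ver; IFS=$oldifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    if [ "$major" -gt 1 ] \
       || { [ "$major" -eq 1 ] && [ "$minor" -gt 1 ]; } \
       || { [ "$major" -eq 1 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 1 ]; }; then
        echo "ok: OpenSSL $ver can negotiate TLS 1.3"
    else
        echo "FAIL: OpenSSL $ver is older than 1.1.1, no TLS 1.3"
        rc=1
    fi
    return $rc
}
```

Run it right after step 3 (copying the new binary) and before touching the configuration: if it reports the old OpenSSL, the linker picked up the system library rather than the one given with --with-openssl, and no amount of ssl_protocols tuning will produce TLS 1.3.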

cd /etc/pki/tls/certs/

5. Change the nginx configuration file; only the SSL-related settings are shown here

make nginx6.crt

server
{
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server ipv6only=on;
    server_name www.awen.me awen.me blog.awen.me;
    index index.html index.htm index.php;
    root  /home/wwwroot/default;
    ssl on;
    ssl_certificate    /etc/letsencrypt/live/awen.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/awen.me/privkey.pem;
    ssl_protocols      TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    ssl_prefer_server_ciphers on;
    resolver 114.114.114.114;
    resolver_timeout 30s;
    #error_page  404  /404.html;
    include enable-php.conf;
    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return        444;
    }

Decrypt the generated private key file (remove its passphrase)

6. Test the result at https://www.ssllabs.com/ssltest/analyze.html

openssl rsa -in nginx6.key -out nginx66.key

Copy the two files to the paths given in the configuration file.

View the generated certificate from a client with the following command

openssl s_client -connect www.e.com:443
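The certificate steps above (make nginx6.crt, openssl rsa -in ... -out ...) depend on the Makefile that older CentOS ships in /etc/pki/tls/certs. As an added example that is not part of the original post, the function below does the same job with plain openssl commands, so it works on any system: it writes an unencrypted key directly (no separate decryption step), puts the host name in a subjectAltName when the OpenSSL build supports -addext (1.1.1 and later), and verifies that the key and certificate actually belong together before they are handed to nginx. The function name make_selfsigned_cert and the paths in the usage line are my own.

```shell
# Added example (mine, not the original post's): create a self-signed
# certificate plus unencrypted private key for a test HTTPS host and check
# that the pair matches.  Usage: make_selfsigned_cert /etc/nginx/ssl nginx6 www.f.com
make_selfsigned_cert() {
    dir=$1; name=$2; cn=$3
    mkdir -p "$dir"
    # -nodes leaves the key unencrypted, so nginx can load it without a
    # passphrase and no "openssl rsa -in ... -out ..." step is needed.
    # -addext (subjectAltName) needs OpenSSL >= 1.1.1; retry without it on older builds.
    for ext in "-addext subjectAltName=DNS:$cn" ""; do
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
            -subj "/CN=$cn" $ext \
            -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null && break
    done
    [ -s "$dir/$name.crt" ] && [ -s "$dir/$name.key" ] || return 1
    chmod 600 "$dir/$name.key"

    # The public key inside the certificate must equal the one derived from
    # the private key; a mismatch is what produces nginx's "key values mismatch".
    pub_from_cert=$(openssl x509 -in "$dir/$name.crt" -noout -pubkey)
    pub_from_key=$(openssl pkey -in "$dir/$name.key" -pubout)
    if [ "$pub_from_cert" != "$pub_from_key" ]; then
        echo "FAIL: $name.key does not match $name.crt"
        return 1
    fi

    # Print what a client will see: subject, validity window and fingerprint
    openssl x509 -in "$dir/$name.crt" -noout -subject -dates -fingerprint -sha256
}
```

After the files exist, point ssl_certificate and ssl_certificate_key at them exactly as in the configuration example below; the fingerprint printed here is what you compare against the output of openssl s_client on the client side.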

2.3 ssl_certificate_key

ssl_certificate_key  file;

The private key file on the current virtual host that matches its certificate

2.4 ssl_protocols

ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2];

Supported SSL protocol versions; by default the last three are enabled, and TLSv1.2 is the mainstream version

2.5 ssl_session_cache

ssl_session_cache off | none | [builtin[:size]] [shared:name:size];

builtin[:size]: use OpenSSL's built-in cache, private to each worker process; size is how much space to set aside for the cache

[shared:name:size]: one cache shared among all workers, which raises the cache hit rate and improves performance.

2.6 ssl_session_timeout

ssl_session_timeout  time;

How long a client connection may reuse the SSL parameters stored in the session cache; default 5m

3  Configuration example

Create two virtual HTTPS hosts

vim  /etc/nginx/conf.d/https.conf

server {
    listen 443 ssl;
    server_name www.e.com;
    root /app/website5;
    ssl_certificate /etc/nginx/ssl/nginx5.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx5.key;
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
}

server {
    listen 443 ssl;
    server_name www.f.com;
    root /app/website6;
    ssl_certificate /etc/nginx/ssl/nginx6.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx6.key;
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
}
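Neither server block above sets ssl_protocols, which is exactly the situation section 2 warns about, and section 2.1 notes that "ssl on;" is superseded by the ssl parameter of listen. The shell function below is an added example, mine rather than the original post's or nginx's, that audits a configuration for these points in one pass: for each server { } block it reports a listen ... ssl socket with no ssl_protocols line, the deprecated "ssl on;" form, ssl_protocols that still allow SSLv2/SSLv3/TLSv1/TLSv1.1, and a certificate without its key (or the reverse). My own explanation of why the missing directive matters, not a statement from the original: the TLS version is settled from the default server's settings on a listen address:port before SNI picks the name-based virtual host, so an omission in the default server affects every site on that port. The function name audit_nginx_ssl and the sample configuration in the usage note are constructed for this example.

```shell
# Added example (mine, not the original post's): audit an nginx configuration
# for the HTTPS pitfalls discussed on this page. One finding per line;
# exit status 1 if anything was found.
# Usage: audit_nginx_ssl /etc/nginx/conf.d/https.conf   (or pipe the config on stdin)
audit_nginx_ssl() {
    awk '
    function finish(    name) {
        if (!in_server) return
        name = (sname == "") ? "server#" n : sname
        if (ssl_listen && !have_protocols) {
            print name ": listen ssl but no ssl_protocols (TLS versions left to the default server / compiled-in default)"; bad++
        }
        if (ssl_on) {
            print name ": deprecated \"ssl on;\", use the ssl parameter of listen instead"; bad++
        }
        if (weak != "") {
            print name ": legacy protocols enabled:" weak; bad++
        }
        if (have_cert != have_key) {
            print name ": ssl_certificate and ssl_certificate_key must both be set"; bad++
        }
        in_server = 0
    }
    {
        line = $0
        sub(/#.*/, "", line)                      # ignore comments
        if (!in_server && line ~ /(^|[ \t])server[ \t]*\{/) {
            in_server = 1; n++; sname = ""; ssl_listen = 0; have_protocols = 0
            ssl_on = 0; weak = ""; have_cert = 0; have_key = 0
            sdepth = depth + 1                    # brace depth inside this server block
        }
        if (in_server) {
            if (line ~ /^[ \t]*server_name[ \t]/)  { sname = $2; sub(/;$/, "", sname) }
            if (line ~ /^[ \t]*listen[ \t]/ && line ~ /[ \t]ssl([ \t;]|$)/) ssl_listen = 1
            if (line ~ /^[ \t]*ssl[ \t]+on[ \t]*;/) ssl_on = 1
            if (line ~ /^[ \t]*ssl_protocols[ \t]/) {
                have_protocols = 1
                for (i = 2; i <= NF; i++) {
                    tok = $i; sub(/;$/, "", tok)
                    if (tok ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) weak = weak " " tok
                }
            }
            if (line ~ /^[ \t]*ssl_certificate[ \t]/)     have_cert = 1
            if (line ~ /^[ \t]*ssl_certificate_key[ \t]/) have_key = 1
        }
        # track nesting so location { } and if ( ) { } blocks do not end the server
        depth += gsub(/\{/, "{", line) - gsub(/\}/, "}", line)
        if (in_server && depth < sdepth) finish()
    }
    END { finish(); exit (bad > 0 ? 1 : 0) }
    ' "$@"
}
```

Run against the two-host file above, the audit lists both www.e.com and www.f.com as lacking ssl_protocols; adding ssl_protocols TLSv1.2 TLSv1.3; to each block (or at least to the default server for port 443) silences the finding. It is a static check only: the protocols a client can really negotiate still depend on the OpenSSL version the binary was built with, which is what the nginx -V check earlier on this page is for.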